At the start of the new year, global NFT sales leapt over the $4 billion mark. Simultaneously, like the stench of a bloated trash bag busting open, talk of scamming in the space spread with gusto: Google searches for “NFT scam” hit an all-time high the week of Jan. 1. With droves of people buying in — some far more tech-savvy than others — Rolling Stone asked experts for tips on how to avoid expensive blunders.
“As more money flows into the metaverse, so do bad actors hoping to extract value at the expense of everyday crypto users,” says Georgio Constantinou, who discovers, builds, and produces crypto projects. “Crypto scams have been getting increasingly more sophisticated, and it emphasizes the caution that people need to exercise in a decentralized ecosystem.” As Constantinou explains, there are various types of scams, and it’s important to know how to identify them in order to avoid them.
Turn off your Discord DMs
According to Greek mythology, the Trojan War started when a goddess, Eris, threw something sparkly — a golden fruit now known as “the apple of discord” — into a party of feasting revelers. Nowadays, a fake link on Discord — the decentralized, online network of chatroom servers — can be similarly enticing and chaos-inciting.
Discord hacks are one of the most common NFT scams out there. They happen when hackers gain administrator-level access to a Discord server and post a fake minting link in the announcements channel. The message, according to Constantinou, will usually look like it’s coming from a project organizer and offer a deal that seems too good to be true — something like, “Due to demand, we’re releasing 1,000 more NFTs.” Often, hackers will intentionally seek out sold-out collections, because of the ability to create demand. “Once a collection is sold out, most will never do a surprise mint of additional NFTs,” he says.
Constantinou notes that most projects will put all official links in a separate, designated channel and won’t let minting happen via “sketchy looking URLs” — just on the project’s primary website. Constantinou also suggests that everyone turn off the direct-messaging function on Discord. If a community member says they’re having trouble with something and innocently asks for help on a hacked Discord, “they’ll immediately get like five DMs from scammers,” says RAC, a longtime crypto enthusiast, musician, and entrepreneur who co-founded Six, a Web3 consultancy firm, with Constantinou and their colleague Jesse Grushack last year. “Project teams will never DM you first,” says Constantinou. “It’s best practice to assume everyone is a scammer until proven otherwise.”
Keep your private keys private
A fake Discord link will probably ask for Ethereum (ETH) tokens to create a new NFT that never actually materializes, as the perpetrator runs off with the money — but an even greater problem arises if said perp asks for the victim’s seed phrase, which is a series of confidential words used to gain access to a crypto wallet. “Due to FOMO, people will rush to mint the fake collection and, in many instances, not only lose their ETH, but their tokens and NFTs as well,” says Constantinou. “No one should have your private key ever,” adds RAC. “That’s a big one. People are literally just getting their funds stolen.”
Outside of Discord, phishing can happen in Twitter messages and emails. RAC likens the NFT space right now to an inbox: You wouldn’t jump to give your social security number to any old emailer. Constantinou suggests that people buy hardware wallets — USB-sized, tangible devices that plug into computers — and recommends the brands Ledger and Trezor, which are arguably more secure than online options. A hardware wallet “allows you to avoid ever having to enter [seed phrases] into a browser,” he says. “It will protect you from yourself.” He’s also a big fan of using two-factor authentication when possible, as well as complex passwords. (He recommends software called 1Password for storage.)
Although he’s never been scammed himself, Constantinou’s heard stories of hackers pretending to be representatives from OpenSea, the Internet’s largest NFT marketplace, and MetaMask, a popular NFT-storing digital wallet. In some of these instances, he says the “representatives” told their victims they were randomly selected to receive a surprise airdrop of virtual goods, directed their victims to a fake login page, and told them to sign in. He says people should only ever download and interact with wallet extensions via their official websites. If using an app, “triple check the reviews.” If browsing, eyeball that URL closely.
Beware the airdrops
Airdrops themselves can have malicious coding in them as well. As a prominent figure in the space, RAC says tokens are randomly airdropped into his online wallet all the time. “The name of the token is a website to try and get you to go to your website,” he says. “They want you to think, ‘Oh hey, I got these free tokens. Let me go to this website and try to sell them.’ Everything’s programmable, so what they do is they make these tokens unsellable. It basically locks you into something and forces you to give them access to your funds, and then they steal your money.” Anyone can send anyone tokens at any point: The wallet holder, like an inbox-owner getting an email, doesn’t need to approve or accept a transfer. “The best thing to do is simply ignore it,” he says. “That’s what I do.”
But sometimes these airdropped tokens don’t actually do anything other than serve as smoke and mirrors: If someone is creating a project with both a fake NFT collection and useless tokens, they may airdrop said tokens into influencers’ wallets so they can technically say that the influencer holds their currency, implying that they back the project.
Mind the rugs
Fake or half-baked collections have become a huge problem. When a person or group of people positions a preliminary set of basic NFTs as the beginning of a bigger project that will unfold over time — perhaps with a video-game component, merch, and/or in-person events — and then runs off with the millions of dollars raised well before any of the promised steps could take place, that’s called a “rugpull.” If the only thing the creators ever promise is an NFT that could then unlock additional perks later on, they’re probably not liable when glassy-eyed sheeple lose money. Constantinou only gets behind projects with online hubs that are brimming with thoughtfully presented information. Big collections with massive potential don’t come together at lightning speed, he says: “If a project looks like it was spun up in a day… and the website is janky, there’s always a risk that it’s just a quick cash grab.”
Paying for a Ferrari and getting Hot Wheels is made worse if the proverbial vehicle holds a malicious smart contract — the kind that sends assets from the wallet it’s in to the hacker. When that happens, Constantinou encourages the use of a website called revoke.cash, a tool that essentially checks which websites have permissions to engage with a wallet and lets the wallet owner revoke those permissions. To be clear, revoke.cash cannot return monies lost, but it can stop the action from happening again — and if you realize that you fell for a scam quickly enough, you may be able to stop the hacker before they have a chance to set that part of the plan in motion.
Question everything — and everyone
Ragzy, a visual artist who debuted her first NFT series last year and has since become a collector, says that she always looks for a “fully doxxed team” — one made up of reputable figures who’ve openly identified themselves — before she gets involved in any project. Undoxxed teams, she says, “get away with it because nobody knows who to hold accountable.”
Ragzy, who has a second TikTok just for educating Web3 beginners on NFTs, has noticed that “a lot” of undoxxed rug-pullers name themselves after the project. She sees that as a red flag. She brings up a hypothetical collection of cartoon cats: “It would be like Lead Cat 1 and Blue Cat 2 with no affiliation to any specific person.” Ragzy pushes crypto’s golden rule of doing the research. “Look at their backgrounds,” she says. “What is their reputation in this space? Did they have another successful project? Who is the artist? Look at the art itself. Does it translate well?” Constantinou echoes this sentiment. “Don’t trust. Verify,” he urges. “Slow down and triple check everything.”
Even if a reputable person is advertised on a project’s website as a team member, that doesn’t guarantee their affiliation. So, her modus operandi is to question everything: “Who are the people investing in this project and do they want to see it survive long-term — or are they gonna dump their NFTs?”
Ragzy also points out that social media numbers don’t necessarily mean anything if there’s no clear value to the project. “Communities come together for a common purpose, and if the common purpose is to buy the NFT and flip it, that’s not really a community,” she says. Of course, followers can be bought, and so can celebrity backings. “You’ll see a lot of celebrities being asked to promote not just NFTs but other cryptocurrencies, and they’ll have no clue what it is. It’s not their fault. They’re looking at it like it’s a sponsored ad. If they’re endorsing it like they’re part of the project, it still doesn’t hold any weight for me. Just because a celebrity endorses a project or creates it, does not mean it’s going to survive.”
Be prepared to lose it all
As a visual artist, Ragzy is fearful of the long-lasting impact this ebb-and-flow pandemonium may have. “A lot of artists have never been paid fairly. Artists are often asked to do work for free or are underpaid and are told to be grateful. Our work isn’t valued. You were a rich artist when you were dead. NFTs are changing that,” she insists. “Not only are we creating an environment wherein we’re getting compensated fairly but we get a royalty on our work if it’s resold. This is why I hate all the scams and the rugpulls that have been happening, because I think it gives the space such a terrible name. What was meant to be so innovative and such a beautiful way for artists to finally capitalize on their work and ideas is now turning into a place with a lot of scams and negative things associated with it.”
RAC, on the other hand, is confident that this too shall pass. In his eyes, it’s cyclical. “There was a time when people didn’t dare put their credit card online. They were like, ‘Oh my god. Never do that! You’re going to get your money stolen.’ The Internet wasn’t always the safe place that we think it is.” He’s not worried about mainstreamers writing off crypto and running away for good: “This always happens when there’s money, when it’s a bustling new thing. I saw this happen in 2017” — the year Bitcoin’s value slingshotted from $900 to $18,000 — “and then it completely died out in 2018 and 2019. It came back full force in 2020, and I think we’re now seeing the NFT version of that.”
Being scammed is “the risk you take” by entering into this relatively uncharted territory, RAC says, adding that people should really look at their participation as a form of investing. “This system is safe in a lot of ways, but you can’t stop people from trying to scam you. Because this is a completely open system with no safeguards on — by design — we’re going through that early growth phase. It’s not fully professionalized yet. It’s not fully trusted… Nefarious individuals are just going to take advantage of less-educated people.” He admits that it’s “really unfortunate,” but also says “you kind of just have to live with it to some extent.”
Six co-founder Jesse Grushack agrees: “The reality is it’s a new frontier and if you don’t understand, don’t do it. If you’re not willing to lose, don’t play. Coinbase and other custodial options are great for beginners. There’s no such thing as a free lunch — so, if it sounds too good, it probably is.”