4,600 NFTs were stolen in July of 2022, and between July 2021 and July 2022 Web3 saw more than $100 million worth of NFTs reported as stolen through online scams. This is according to research by blockchain analytics firm Elliptic.
With increasing theft inside the Crypto and NFT spaces – it’s a perfect opportunity to refresh our minds on how to protect our data and information from malicious attacks. We’re sitting inside the Wild West of Web3 — be safe out there.
Here are 10 tips for staying safe in Crypto and Web3:
#1 Rule in all of Web3: Protect your Private Key, Passwords and Seed Phrases
1. Take good care of your sensitive information.
First, and inarguably the #1 Rule in all of Web3: protect your private key, passwords and seed phrase with your life. Your Private Keys, Passwords and Seed Phrases are hands-down the most important elements of your online security. They are what provide access to your wallet, which contains your assets – including any cryptocurrency and NFTs. Needless to say, if you lose this information, you’ll be locked out of your wallet and all its contents!
2. Use 2FA (2 Factor Authentication)
Generally a good piece of advice no matter what kind of service you access. Two-factor authentication is a method of confirming your identity when you log in to a website or service, or when you authorize a transaction. When you log in or confirm a transaction, you receive a prompt to prove your identity using a separate channel – for example, an SMS containing a unique code, or entering a code from an authenticator app such as Google Authenticator or Duo Mobile.
If you’re buying or selling in Web3, it’s best to be well-informed. By doing your own research (DYOR), you can understand which marketplaces are trustworthy, and determine which projects and collections are worthwhile and safe. Well researched knowledge is your superpower.
This goes without saying no matter what you do online. Scammers often set up websites or send emails impersonating legitimate parties to trick users into revealing sensitive information like passwords and other data that can help with authentication. In the case of NFTs, scammers often impersonate marketplaces or exchanges, or even artists doing token giveaways. They lure the user into entering their private key or seed phrase. Just like that, they have given the scammer full access over their assets.
Always be on the lookout for:
Copies of actual websites: There are countless “MetaMask” ripoffs, and they’re not just floating around in Twitter DMs. They are sometimes the top hit from Google Ads when you search. In these cases, one way to protect yourself is to become an eagle-eyed spellchecker. You’ll find variations on a website that look like “The MetaMask” or “MettaMask” or “MataMask.” Sometimes the ending of the URL will be different, perhaps with a .xyz, .co, or some other seemingly acceptable variation. Variations are never acceptable.
FOMO URLs: Cool new projects that seem too good to be true are engineered to induce FOMO and cause an irrational purchase. Hackers gain access to their wallets as soon as a user signs in to one of these fake projects to make a purchase. Game over.
Email and DM phishing: This classic scam involves what looks like an email from a website you regularly interact with embedded with a malicious link that will lure you into a transaction. The link may even contain malware that will crawl your computer for seed phrases. Terrifying, right? Get out the pen and paper and keep your seed phrase irl.
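The spell-checking habit described under "Copies of actual websites" can be automated. The Python below is an added example, not part of the original article; the trusted-domain list, the edit-distance threshold of 2 and the naive "last two labels" rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains you have verified and bookmarked yourself (sample list).
TRUSTED = {"metamask.io", "opensea.io", "ledger.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a URL or bare hostname."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    host = host.rstrip(".").lower()
    labels = host.split(".")
    # Naive registrable domain: the last two labels. A real tool would use
    # the Public Suffix List so that names under e.g. co.uk are handled.
    registrable = ".".join(labels[-2:])
    if registrable in TRUSTED:
        return "trusted"
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        for label in labels:
            squashed = label.replace("-", "")
            # Brand embedded in a label ("themetamask"), the exact brand on
            # another TLD ("metamask.xyz"), or a near miss ("mettamask").
            if brand in squashed or edit_distance(squashed, brand) <= 2:
                return "lookalike"
    return "unknown"
```

A "lookalike" result means stop and type the bookmarked address yourself; "unknown" only means the name resembles nothing on the list and says nothing about whether the site is safe.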
Exchanges are not wallets. Exchanges are the most highly targeted destinations in all web3. Don’t keep anything you wouldn’t mind losing in an exchange. Using a hardware wallet adds another layer of security for your funds and NFTs. Many users tend to go with Ledger or Trezor.
Nothing good ever comes from engaging in Discord via direct message, so head to your Server Settings and switch off your DMs (Direct Messages). It’s best to not interact with links or QR codes sent by strangers. Attachments of all formats, including PDFs, may also contain harmful viruses or malware. Avoid clicking on ads, images, or links sent by strangers.
Be sure that all Chrome Extensions are well known and widely used. Chrome Extensions can be used to extract sensitive information. In March of 2020, a fraudulent Ledger Chrome Extension asked users for their Private Keys; this hack collected over $2.5 million in stolen XRP.
It’s extremely easy for scammers to create accounts to impersonate others. If anything seems too good to be true, like Elon or Vitalik messaging you, ignore it. If one of your favorite celebrities is shilling web links to their favorite projects, confirm the social handles and be diligent in confirming the legitimacy of the person and project.
Insider Tip: Inside Discord, [Right Click] on any team member inside an official project and rename them to add the word “REAL”. This way if anyone messages you with a similar name claiming to be from the team – you’ll know it’s a scam and can report it.
9. Watch out for fake NFT Collections
When browsing NFT collections, especially on open marketplaces like OpenSea, never use a link that isn’t verified and reputable. Projects that look strikingly similar or even identical to popular NFT projects may be harmless, but it’s better to be safe.
Airdrops are often legitimate marketing tactics, rewards for holding a certain coin or NFT, or fulfilling a bounty. But they can also be the ultimate Trojan Horse. If an airdropped NFT asks for your private key, remember the first rule of web3: Don’t share your private key. If someone asks you for payment before receiving an airdrop, ignore them — and maybe screenshot the request and post it to Twitter. Airdrops are never “prepaid.” Someone who requests payment in exchange for an airdrop is someone who has no intention of sending you an airdrop.