The world of crypto is like a dark forest, and there may be numerous crises lurking around you. Recently, a hacker took advantage of the OpenSea contract upgrade to send a phishing email to all users’ email addresses, and many users mistook it for an official email and authorized their wallets, which led to the theft of wallets. According to statistics, this email led to the theft of at least 3 BAYC, 37 Azuki, 25 NFT Worlds, and other NFTs, and the hackers earned $4.16 million based on the floor price.
On the same night, a 1/1 Doodle long held by Niq, a student at All in NFT, was also stolen: the other party approached Niq to negotiate a deal privately and, once Niq had let his guard down, sent him a link to a fake trading site.
Today we need to guard against hacking not only on the technical level but also against social engineering, and with the prices of many NFT projects rising, we could lose a lot of assets if we are not careful. In view of the recent spate of scams in the NFT field, Rhythm has summarized several common scams and hopes that our readers will always stay vigilant and not fall for them.
Fraudulent means
1. Discord private messages with fraudulent website links
Hackers frequently use Discord private messages: they bulk-message the members of various communities, or impersonate community administrators who offer to help resolve a problem and then ask the user for their private key. Or they send links to fake phishing websites claiming that the user can receive free NFTs, and so on. Once the user authorizes their wallet on the hacker’s fake website, it brings the user huge losses.
2. Discord server hacking
Discord server hacking is almost every hot NFT project’s worst nightmare. Hackers take over a server administrator’s account and then post fake announcements in various channels of the server to trick community members into visiting a fake site the hackers have built to sell fake NFTs. Today’s hackers use fraudulent sites and other methods to steal the server administrator’s session token, so even if the administrator turns on 2FA (two-factor authentication), it does not help. And if the fraudulent website requires the user to authorize their wallet, it causes even more serious financial damage to the user.
3. Sending fake transaction links
Sudoswap, NFTtrader, and other trading platforms encourage users to “swap” each other’s NFTs or tokens through private negotiation, and these platforms also provide security for privately negotiated transactions, which is a good thing for the NFT market. But now some hackers have started to scam with counterfeit Sudoswap and NFTtrader websites.
As with Sudoswap, NFTtrader requires the user to initiate a transaction after the negotiation is complete, a step that generates an order confirmation page; after both parties confirm, the trade is executed automatically through a smart contract. The scammer first pretends to negotiate with you about which NFTs to exchange and initially shows you a link to the real website, then offers to make changes to the transaction. After the trader lets his guard down, the scammer sends a fraudulent link, and once the user clicks to confirm the transaction, the corresponding NFTs in his wallet are sent to the scammer’s wallet.
4. Phishing for private keys and mnemonic phrases
Scammers induce users to send them their private keys or mnemonic (seed) phrases by various means, such as building fraudulent websites or pretending to be administrators who have come to help the user. All these actions aim to lower the user’s vigilance and wait for an opportunity to cheat them out of their private keys and mnemonic phrases.
5. Creating a fake collection and soliciting trades in the project’s public Discord channel
Fake NFT collections are most likely to be encountered with popular projects before their release. While an NFT project is still in its blind-box stage before the official launch, scammers upload similarly named collections in advance on OpenSea and other NFT marketplaces and use the project’s officially released material to “decorate” the collection beautifully. Since the real collection is not yet online, users searching for it will go to the collection whose name is the closest match. Some scammers also create a few trades to convince users, sending offers to the fake NFTs that are currently listed.
To avoid platform fees and the project’s royalty cut, community members make private deals with each other, not only through the fake Sudoswap and NFTtrader websites mentioned above, but also by posting links to fake NFT collections in community channels at slightly below the floor price. Users in a hurry to buy an NFT below the floor price often ignore whether the NFT is genuine and thus fall victim to fraud.
6. Fake emails
Most NFT platforms require users to link an email address so that they can be notified of their NFT transactions promptly, so the inbox has also become a hotbed of fraud. Scammers usually pose as official OpenSea accounts and send phishing website links under the pretext that a contract address needs to be updated or a wallet needs to be re-verified. Recently, after OpenSea announced a contract upgrade, hackers used this method to defraud users of nearly $4 million. As of the date of this writing, the OpenSea team is still checking for compromised users.
The Fraud Prevention Guide
1. URL Filtering
No matter what packaging and language the hacker uses to confuse you, he will always need a way to interact with your wallet in order to eventually steal your crypto assets. The average user may not be able to recognize the risks in a contract, but fortunately we still live in an internet world dominated by web2: almost all crypto contracts need a web2 front-end page to interact with the user.
As a result, the vast majority of user-facing (as opposed to project-facing) crypto asset theft happens on top of spoofed phishing sites. Once you know how to identify phishing sites, you will be able to avoid 99% of crypto theft.
For Generation Z, who grew up with smartphones and live in an “ecosystem” of one app after another, the web page may seem like an antiquated thing. In the web2 era, the DNS domain name system gives each website a unique identity across the web, and understanding the basic rules of how domain names are composed is enough to deal with almost all fake phishing websites.
In traditional DNS domain names there are three levels of hierarchy. Take the host name, which is the part of the URL between “https://” and the first separator (/), and read it from right to left: each period separates one level. Take https://www.opensea.io/ as an example. “.io” is similar to “.com,” “.cn,” etc. It is called the top-level domain, and this field is not customizable. The “opensea” section is the second-level domain, which is registered by the site operator; this field cannot be repeated under the same top-level domain (e.g. .io). The “www” section is the third-level domain name, which can be set freely by the website operator. Operators can even keep adding fourth- and fifth-level domain names before “www”.
The hierarchical order of domain names is counter-intuitive: reading from right to left, the level decreases, so the rightmost label is the most significant. This design is the opposite of most people’s reading habits, and attackers take advantage of it. For example, the address https://www.opensea.io.example.com looks highly similar to the OpenSea address, but its actual domain name is “example.com”, not “opensea.io”.
It is hard to say whether phishing attacks will still exist in Web3. But in the Web2 world, the DNS domain name system guarantees that a domain name (and therefore a URL) is unique, and it is almost impossible for a user to land on a fake website if the domain name is genuine.
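The right-to-left rule above can be turned into a check a wallet front-end or a browser helper could run before letting a user connect. The following is an added example written for this article, not code from the original or from OpenSea; the trusted-domain list is a constructed assumption, and the rule that the last two labels form the registrable domain is a deliberate simplification (it does not handle multi-label suffixes such as co.uk).

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the sites the user actually
# intends to visit (an assumption, not a list published by any platform).
TRUSTED_DOMAINS = {"opensea.io", "etherscan.io", "revoke.cash", "debank.com"}
# The second-level labels of those domains, used to spot lookalikes
# such as "opensea-io.com" or "www.opensea.io.example.com".
TRUSTED_LABELS = {d.split(".")[0] for d in TRUSTED_DOMAINS}


def registrable_domain(hostname: str) -> str:
    """Return the part of the hostname that was actually registered.

    Reading right to left: the last label is the top-level domain (io, com),
    the label before it is the second-level domain the operator registered.
    Everything further left (www, app, ...) is chosen freely by whoever
    controls that registered name. Simplification: the last two labels are
    taken as the registrable domain (no multi-label public suffixes).
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return hostname.lower()
    return ".".join(labels[-2:])


def check_url(url: str) -> dict:
    """Classify a URL as trusted, lookalike or unknown.

    The verdict depends only on the registrable domain, never on how the
    address looks. netloc (not hostname) is scanned for trusted labels so
    that user-info tricks like https://opensea.io@evil.com/ are caught too.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    trusted = domain in TRUSTED_DOMAINS
    lookalike = (not trusted) and any(
        label in parts.netloc.lower() for label in TRUSTED_LABELS
    )
    if trusted:
        verdict = "trusted"
    elif lookalike:
        verdict = "lookalike"
    else:
        verdict = "unknown"
    return {"host": host, "domain": domain, "verdict": verdict}


if __name__ == "__main__":
    for u in (
        "https://www.opensea.io/collection/doodles-official",
        "https://www.opensea.io.example.com/",
        "https://opensea-io.com/claim",
        "https://opensea.io@evil.example/",
        "https://shop.example.org/",
    ):
        r = check_url(u)
        print(f"{r['verdict']:9s} {r['domain']:20s} {u}")
```

Running the block prints one verdict per sample address; only the first is trusted, the next three are lookalikes because they contain a trusted label but resolve to a different registrable domain, and the last is simply unknown. A real deployment would plug in the Public Suffix List for the registrable-domain step.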
2. Do not disclose private keys or mnemonics.
Once they are leaked, the wallet belongs to both you and the hacker: all of the assets in your wallet can be transferred by the hacker at any time, and because Ethereum addresses are pseudonymous you will not be able to determine who the hacker is. The loss is irreversible, and the wallet can no longer be used safely.
3. Revoke wallet authorizations in time.
If you have authorized your wallet on a fraudulent website, you can check your wallet’s authorization status and revoke it in time at the following three sites:
https://etherscan.io/tokenapprovalchecker
https://revoke.cash/
https://debank.com/
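The approvals these sites list are created by a handful of standard contract calls, and the same calls are what a phishing site asks your wallet to sign. The following is an added example written for this article, not code from the original or from any of the sites above: it decodes the raw calldata of a pending transaction and reports what is actually being authorized, so that a blanket `setApprovalForAll` or an unlimited `approve` can be spotted before signing. The selectors are the standard ERC-20/ERC-721 values; the sample calldata and addresses are constructed.

```python
# Standard function selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "095ea7b3": ("approve(address,uint256)", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll(address,bool)", ("address", "bool")),
}
UINT256_MAX = 2**256 - 1


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    return data[4 + 32 * i : 4 + 32 * (i + 1)]


def decode_approval(calldata_hex: str) -> dict:
    """Decode approve/setApprovalForAll calldata and rate what it grants.

    Returns kind="not_an_approval" for anything else. Note that ERC-20 and
    ERC-721 share the approve(address,uint256) selector: for a token contract
    the second argument is an amount, for an NFT contract it is a token id,
    which is why the field is reported as amount_or_token_id.
    """
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        return {"kind": "not_an_approval", "selector": None}
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"kind": "not_an_approval", "selector": selector}
    signature, types = SELECTORS[selector]
    if len(data) < 4 + 32 * len(types):
        raise ValueError("truncated calldata")

    values = []
    for i, t in enumerate(types):
        w = _word(data, i)
        if t == "address":
            values.append("0x" + w[-20:].hex())          # right-aligned 20 bytes
        elif t == "uint256":
            values.append(int.from_bytes(w, "big"))
        else:                                             # bool
            values.append(int.from_bytes(w, "big") != 0)

    result = {"kind": "approval", "function": signature, "operator": values[0]}
    if signature.startswith("setApprovalForAll"):
        result["approved"] = values[1]
        # True hands the operator every token of this collection, now and later.
        result["risk"] = "high" if values[1] else "none (revocation)"
    else:
        result["amount_or_token_id"] = values[1]
        result["risk"] = "high (unlimited)" if values[1] == UINT256_MAX else "limited"
    return result


# Constructed sample calldata (not real transactions).
SAMPLE_OPERATOR = "0x" + "11" * 20
SET_APPROVAL_FOR_ALL_TRUE = "0xa22cb465" + "00" * 12 + "11" * 20 + "00" * 31 + "01"
APPROVE_UNLIMITED = "0x095ea7b3" + "00" * 12 + "22" * 20 + "ff" * 32
APPROVE_SMALL = "0x095ea7b3" + "00" * 12 + "22" * 20 + "00" * 31 + "05"
PLAIN_TRANSFER = "0xa9059cbb" + "00" * 12 + "33" * 20 + "00" * 31 + "01"

if __name__ == "__main__":
    for name, cd in (
        ("setApprovalForAll(true)", SET_APPROVAL_FOR_ALL_TRUE),
        ("approve(max)", APPROVE_UNLIMITED),
        ("approve(5)", APPROVE_SMALL),
        ("transfer", PLAIN_TRANSFER),
    ):
        print(name, decode_approval(cd))
```

A wallet prompt that shows the decoded operator and the risk line gives the user the same information revoke.cash shows after the fact, but before the signature is made; anything rated high should be compared against the site the user believes they are on.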