Google “NFT scams” and you will come across incidents that open up a world of strange and unthinkable methods scammers use to steal thousands of dollars.
We are only a few days into 2023, and NFT scams have already begun. Let’s take a look at some of the frauds and hacking tricks scammers have used in the new year.
To begin with, there is a new scam that makes it look as though a particular address is selling non-fungible tokens to someone else.
The scam was shared by @cygaar, an affected user, in a series of tweets. The user explained that many applications identify token transfers via “events,” log messages that a smart contract emits during a transaction and that anyone can read publicly.
Etherscan and OpenSea (OS) rely on events to detect NFT transfers: ERC721 contracts emit Transfer events, and ERC1155 contracts emit TransferSingle/TransferBatch events.
When a genuine token transfer takes place, the NFT contract updates the token’s owner and then emits the transfer event. In this scam, however, the token contract does not update any internal balances at all; it only emits a TransferSingle event so that applications assume a non-fungible token was transferred.
In the scam here, the token contract doesn’t actually update any internal balances, it just emits a TransferSingle event to trick applications into thinking an NFT was transferred.— cygaar (@0xCygaar) January 10, 2023
Let’s look at this example: https://t.co/pPF0vLOJNG
In this case, 0xe091ab8213554dc87f0fba964ce995d1fb1263c0 is the “sender,” and it appears that this address (0xe09 for short) transferred 1 ERC1155 token to another address. Yet if you search the transaction’s input data, 0xe09 does not appear, and the seller of a token should always be present in the order data.
0xe091ab8213554dc87f0fba964ce995d1fb1263c0 is the “sender” in this case. It looks like 0xe09 has transferred 1 ERC1155 token to another address. However, if you search through the input data, you won’t find 0xe09. The seller of the token should always be in the order data. pic.twitter.com/m1ErW4fA84— cygaar (@0xCygaar) January 10, 2023
The scammer created a fake collection, minted several tokens, and listed them for sale on OpenSea, then bought the tokens with a second wallet they control. The transfer function in the scam contract emitted fake transfer events carrying unrelated addresses.
The link below shows the events broadcast in the transaction.
Among them is an event that has 0xe09 as one of its values.
You can see what events are broadcast in the txn by clicking here: https://t.co/PjuqnO2mve. You’ll then find an event with 0xe09 as one of the values. pic.twitter.com/n412J9lEsT— cygaar (@0xCygaar) January 10, 2023
The topic for this event is 0xc3d58168c5ae7397731d063d5bbf3d657854427343f4c083240f7aacaa2d0f62. A reverse signature lookup shows that it is the ERC1155 TransferSingle event.
You’ll also see that the topic for this event is 0xc3d58168c5ae7397731d063d5bbf3d657854427343f4c083240f7aacaa2d0f62. If we do a reverse signature lookup, we can see that this event is TransferSingle from ERC1155. pic.twitter.com/XtzyGT8HxC— cygaar (@0xCygaar) January 10, 2023
Here is example code that mimics the scam. The safeTransferFrom function is overridden so that it only emits an event containing arbitrary addresses. Since Seaport calls safeTransfer to handle transfers, overriding it this way makes a Seaport transaction look legitimate.
Here’s example code that mimics the scam. Notice that the safeTransferFrom function is overridden to only emit an event with random addresses in it. Seaport uses safeTransfer to handle transfers, so overriding this behavior will make a Seaport txn look legit. pic.twitter.com/JS007WNy3B— cygaar (@0xCygaar) January 10, 2023
The affected user reproduced the same trick here:
Here it appears that 0xe09 is transferring an ERC1155 token through Seaport, and OpenSea also shows a token transfer.
To identify genuine sales and stay away from such NFT scams, follow these steps:
Step 1: Check the Etherscan details carefully. The ‘from’ field is the buyer’s address, and the seller’s address appears in the Seaport input data. If the seller is not there, that is a cause for concern.
Step 2: Check the OpenSea activity for the token in question. The activity of a single address can be faked, but the actual sales history of an NFT cannot. In this scam, every sale of the token shows the same “from” and “to,” except for the top entry, the user who was scammed.
2) Look at the OpenSea activity for the token in question. Even though the activity for a specific address can be faked, the actual sales activity for an NFT cannot be. Notice how this scam token has the same from and to for each sale (except for the top user who got scammed). pic.twitter.com/4XK2WCa5zz— cygaar (@0xCygaar) January 10, 2023
Step 3: Check the actual contract code. In most NFT scams the token contract is not verified, precisely to hide what is happening. If you cannot read the code, you cannot trust it.
Step 4: Many people click on or sign transactions because they are convinced such NFTs can be bought or sold for easy money. In these situations, it is the people who lose money.
The next NFT scam on the rise is ‘Address Poisoning.’ After a user sends a normal transaction, the scammer sends a $0 token transaction to ‘poison’ the user’s transaction history.
The scammer uses an address whose first and last few characters match the address in the user’s real transaction, hoping the user will not check the full address and will copy the scammer’s address in a future transaction.
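The two on-chain checks in Steps 1 and 2 can be automated. The following is an added example, not code from the article or from @cygaar: it decodes the indexed `from` address out of each transfer event, verifies that the same address appears in the Seaport calldata, and flags a token whose sales history is dominated by one from/to pair. The TransferSingle topic is the value quoted on the page; the ERC721 Transfer topic is keccak256("Transfer(address,address,uint256)"). All addresses, the calldata and the activity list are constructed sample data, and the function selector is a placeholder.

```python
# Added example (not code from the article or from @cygaar): a checker for the
# two on-chain signals described in Steps 1 and 2. The TransferSingle topic is
# the value quoted on the page; the ERC721 Transfer topic is
# keccak256("Transfer(address,address,uint256)"). Addresses, calldata and
# activity below are constructed sample data, not real transactions.

TRANSFER_SINGLE_TOPIC = "0xc3d58168c5ae7397731d063d5bbf3d657854427343f4c083240f7aacaa2d0f62"
ERC721_TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

# Index of the indexed `from` parameter in each event's topic list (topic 0 is
# the signature hash; TransferSingle's first indexed parameter is `operator`).
FROM_TOPIC_INDEX = {ERC721_TRANSFER_TOPIC: 1, TRANSFER_SINGLE_TOPIC: 2}
EVENT_NAME = {ERC721_TRANSFER_TOPIC: "Transfer", TRANSFER_SINGLE_TOPIC: "TransferSingle"}


def strip0x(hexstr):
    """Lower-case hex without the 0x prefix."""
    h = hexstr.lower()
    return h[2:] if h.startswith("0x") else h


def topic_to_address(topic):
    """An indexed address is ABI-encoded as a 32-byte word with the 20-byte
    address right-aligned, so the address is the last 40 hex characters."""
    return "0x" + strip0x(topic)[-40:]


def transfer_senders(logs):
    """Return (event_name, from_address) for every transfer-style log."""
    senders = []
    for log in logs:
        sig = log["topics"][0].lower()
        if sig in FROM_TOPIC_INDEX:
            sender = topic_to_address(log["topics"][FROM_TOPIC_INDEX[sig]])
            senders.append((EVENT_NAME[sig], sender))
    return senders


def unbacked_senders(calldata, logs):
    """Step 1: the seller named in a transfer event must also appear in the
    Seaport calldata (ABI encoding keeps the 40 hex chars contiguous).
    Returns the event senders that the calldata never mentions."""
    data = strip0x(calldata)
    return [(name, sender) for name, sender in transfer_senders(logs)
            if strip0x(sender) not in data]


def suspicious_activity(sales, min_sales=3):
    """Step 2: flag a token whose sales (all but at most one, the victim's)
    share the same from/to pair, i.e. the scammer trading with themselves."""
    pairs = [(s["from"].lower(), s["to"].lower()) for s in sales]
    if len(pairs) < min_sales:
        return False
    most_common = max(set(pairs), key=pairs.count)
    return pairs.count(most_common) >= len(pairs) - 1


# --- constructed sample data -------------------------------------------------
def word(addr):
    """ABI-encode an address as a 32-byte hex word (no 0x)."""
    return "00" * 12 + strip0x(addr)


BUYER = "0x" + "a1" * 20           # wallet the scammer buys with
LISTING_WALLET = "0x" + "c3" * 20  # wallet that actually listed the token
SPOOFED_SELLER = "0x" + "b2" * 20  # address the fake event claims as seller
VICTIM = "0x" + "d4" * 20
OPERATOR = "0x" + "e5" * 20        # stand-in for the Seaport conduit

SELECTOR = "deadbeef"  # placeholder, not the real Seaport function selector
SCAM_CALLDATA = "0x" + SELECTOR + word(LISTING_WALLET) + word(BUYER)
SCAM_LOGS = [{"topics": [TRANSFER_SINGLE_TOPIC, "0x" + word(OPERATOR),
                         "0x" + word(SPOOFED_SELLER), "0x" + word(BUYER)]}]
LEGIT_LOGS = [{"topics": [TRANSFER_SINGLE_TOPIC, "0x" + word(OPERATOR),
                          "0x" + word(LISTING_WALLET), "0x" + word(BUYER)]}]

SCAM_ACTIVITY = ([{"from": LISTING_WALLET, "to": VICTIM}]       # newest first
                 + [{"from": LISTING_WALLET, "to": BUYER}] * 4)
LEGIT_ACTIVITY = [{"from": "0x" + f * 20, "to": "0x" + t * 20}
                  for f, t in (("11", "22"), ("22", "33"), ("33", "44"), ("44", "55"))]

if __name__ == "__main__":
    print("scam tx, senders missing from calldata:", unbacked_senders(SCAM_CALLDATA, SCAM_LOGS))
    print("legit tx, senders missing from calldata:", unbacked_senders(SCAM_CALLDATA, LEGIT_LOGS))
    print("scam activity suspicious:", suspicious_activity(SCAM_ACTIVITY))
    print("legit activity suspicious:", suspicious_activity(LEGIT_ACTIVITY))
```

The calldata check works because Seaport's order parameters, like any ABI-encoded struct, carry the offerer as a full 32-byte word, so a genuine seller's 40 hex characters always occur verbatim in the input data; a spoofed `from` that only exists in an emitted log will not.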
A new scam called ‘Address Poisoning’ is on the rise. Here’s how it works: after you send a normal transaction, the scammer sends a $0 token txn, ‘poisoning’ the txn history. (1/3)— MetaMask Support (@MetaMaskSupport) January 11, 2023
Users are advised to check the full address carefully or to use the Address Book feature. For help, go to “Menu > Support” on the web or in the app (https://support.MetaMask.io) and click the “Start a Conversation” button to get answers from the chatbot.
Hardware wallets add protection, but should not be relied on alone.
On Thursday, January 12, 2023, British company NFT Investments announced that it had lost assets worth $250,000 in a cyberattack.
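The pattern MetaMask describes can be spotted mechanically in a wallet's own history. The block below is an added example, not code from the article or from MetaMask: it walks a constructed transaction history oldest-first, flags any zero-value transfer whose counterparty merely shares the displayed prefix and suffix of an address the user genuinely transacted with, and shows why an address-book lookup must compare the full address. All addresses and history entries are constructed.

```python
# Added example (not code from the article or from MetaMask): detecting
# "poisoned" entries in a wallet's transaction history and comparing
# addresses in full before sending. All addresses and entries are constructed.


def strip0x(addr):
    """Lower-case hex without the 0x prefix."""
    a = addr.lower()
    return a[2:] if a.startswith("0x") else a


def same_address(a, b):
    """The only safe comparison: every hex character, not just the ends."""
    return strip0x(a) == strip0x(b)


def lookalike(a, b, prefix=4, suffix=4):
    """True when two different addresses share their first `prefix` and last
    `suffix` hex characters, which is all a wallet UI typically displays."""
    a, b = strip0x(a), strip0x(b)
    return a != b and a[:prefix] == b[:prefix] and a[-suffix:] == b[-suffix:]


def poisoned_entries(history, prefix=4, suffix=4):
    """Walk the history oldest-first. A zero-value transfer whose counterparty
    merely resembles an address the user genuinely transacted with earlier is
    the address-poisoning pattern. Returns the suspicious counterparties."""
    genuine = []   # counterparties of value-bearing transactions seen so far
    flagged = []
    for entry in history:
        addr = entry["counterparty"]
        if entry["value"] == 0 and any(lookalike(addr, g, prefix, suffix) for g in genuine):
            flagged.append(addr)
        elif entry["value"] > 0:
            genuine.append(addr)
    return flagged


def resolve_recipient(address_book, candidate):
    """Address-book lookup by full-address match; returns the saved label or
    None, so a poisoned lookalike never resolves to a trusted name."""
    for label, saved in address_book.items():
        if same_address(saved, candidate):
            return label
    return None


def shorten(addr, prefix=4, suffix=4):
    """What a wallet shows; identical for the real and the poisoned address."""
    a = strip0x(addr)
    return "0x" + a[:prefix] + "..." + a[-suffix:]


# --- constructed sample data -------------------------------------------------
REAL_EXCHANGE = "0xab12" + "c" * 32 + "ef34"   # address the user really pays
POISON = "0xab12" + "d" * 32 + "ef34"          # same first/last 4 characters
OTHER = "0x" + "7" * 40

HISTORY = [  # oldest first
    {"counterparty": REAL_EXCHANGE, "direction": "out", "value": 1.5, "token": "ETH"},
    {"counterparty": POISON, "direction": "in", "value": 0, "token": "USDT"},
    {"counterparty": OTHER, "direction": "in", "value": 0.2, "token": "ETH"},
]
ADDRESS_BOOK = {"exchange deposit": REAL_EXCHANGE}

if __name__ == "__main__":
    print("displayed:", shorten(REAL_EXCHANGE), "vs", shorten(POISON))
    print("poisoned entries:", poisoned_entries(HISTORY))
    print("POISON resolves to:", resolve_recipient(ADDRESS_BOOK, POISON))
    print("REAL resolves to:", resolve_recipient(ADDRESS_BOOK, REAL_EXCHANGE))
```

The `shorten` helper makes the point of the scam visible: both addresses render as the same abbreviated string, so the defence is either a full-string comparison against a saved entry or reading all 40 hex characters rather than the ends.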
The firm defines itself as working with “entrepreneurs to develop NFT assets.” The incident was shared via the Regulatory News Service of the London Stock Exchange since the company’s shares are listed on the Aquis Stock Exchange Growth Market.
According to the company, a fraudulent phishing attack from an unknown external source was discovered on Monday, though it did not disclose how the assets were lost.
The loss amounts to less than 1% of the company’s current net assets.
Let’s turn to another incident involving a different bad actor. On Thursday, CryptoNovo, a pseudonymous NFT collector, announced that he had been hacked.
I just got hacked!!!— CryptoNovo (@CryptoNovo311) January 4, 2023
Are you kidding me!?! pic.twitter.com/r1xS0mhD6P
The attacker stole three CryptoPunks, two CloneX non-fungible tokens, one Bored Ape, three Meebits and one Mutant Ape.
Within 16 hours of the hack, the attacker sold all the NFTs for 492.66 ETH and then moved the funds to an account on the crypto exchange ChangeNOW.
To steal even more, the attacker has probably also taken over CryptoNovo’s Discord account.
CryptoNovo took to Twitter to warn everyone not to send anything to anyone using his name and account number, as the Discord account is fake.
I have not asked anyone for anything. DO NOT send anything to anyone using my name and account number! The discord you see below is a fake account. A couple other CryptoPunks owners have scammers acting as them as well. pic.twitter.com/9YWcTLYAJd— CryptoNovo (@CryptoNovo311) January 4, 2023
In another attack, RTFKT COO Nikhil Gopalani fell victim to a phishing scam that drained his wallet.
Hey Clone X community – I was hacked by a clever Phisher (same phone # as apple ID) & sold all my clone x / some other nfts… Obviously pretty upset and hurt by this and I haven’t really been able to move all day. Hope people who bought my clones love them (being positive)— Nikhil Gopalani (@Nikgopalani) January 3, 2023
Gopalani’s collection appears to have been drained by two wallets, which made off with 19 CloneX NFTs, 11 CryptoKicks, 18 RTFKT Space Pods, 19 RTFKT Animus Eggs, and 17 Loot Pods.
Reportedly, not all of the NFTs have been sold yet, so the real value of each NFT cannot be calculated. Based on current floor prices, however, the collection is worth more than $140,000.
Tips to avoid NFT scams
With fraudsters multiplying almost every day, knowing a few practical tips is essential to avoid becoming a victim.
Here are some reliable ways to avoid being caught by scammers:
- If a collection is being bought and sold by only a handful of wallets, avoid that NFT collection.
- Twitter and Discord are proven ways to gauge the legitimacy of a project. A good number of followers and an active community that shares information and discusses the project are signs that the project is genuine.
- Research is crucial to staying safe from a counterfeit NFT. One of the first things to check is whether a verified account created the NFT. A blue checkmark on the artist’s profile picture is reliable proof of authenticity. If there isn’t one, find and confirm the artist’s social media profiles instead.
- Avoid suspicious links, as they can leak your account details to fraudsters.
- Never share passwords or seed phrases. Enable two-factor authentication on your accounts for an additional layer of protection.
- Use a VPN to encrypt and anonymize your NFT traffic. ExpressVPN is generally considered the best choice for NFTs.
- Checking the name of the project on popular marketplaces is another reliable way to find out whether a collection is legitimate. If you are not sure of a project’s official name, visit rarity.tools and check it carefully. The platform gives an objective view of the uniqueness of an NFT collection and takes into account key aspects such as its popularity, owners and trading volume.
Some initiatives by communities
The DeviantArt website has a community of more than 500,000 artists and has seen several cases in which members’ artworks were stolen and minted as counterfeit NFTs.
In response, DeviantArt released an advanced image-recognition tool that scans established public blockchains and third-party NFT marketplaces to find fake NFTs.
Launched in August 2021, the tool has identified more than 50,000 counterfeit non-fungible tokens.
Surge is also a useful platform, offering several Discord channels and forums where users can ask questions and get advice.
Curious Addy’s Trading Club is another community that focuses especially on newcomers. It has built a purpose-made NFT scam quiz that helps users learn to spot fake NFTs and scams.
Stopping NFT scammers is not easy, and the methods and opportunities they find to carry out their schemes show just how creative they are.
All one can do as a member of the NFT world is stay alert and follow the suggestions above for a positive experience.