Scams have become an inevitable part of the NFT ecosystem. At this point, nearly all of the biggest names in the space have been victims of hacking. In January of 2023 alone, PROOF Collective founder Kevin Rose lost more than $1 million in NFTs in a phishing scam, and the Azuki Twitter account got hacked. Followers who clicked a nefarious link posted by the hackers lost nearly $800,000 in NFTs combined. If the biggest names in crypto and NFTs can get hacked, so can you. Despite the growing awareness around these scams, everyone from NFT tourists to purists still stands a massive risk of being swindled out of their assets by bad actors.
Thankfully, you can mitigate some of the risks by adopting the standard best practices set forth by blockchain developers and security professionals. True, scams can’t all be avoided all the time. Still, by taking the necessary (albeit sometimes arduous) steps to protect software wallets, the NFT community could likely mitigate a large portion of the plentiful and popular grifts. Here’s how.
Safekeep your seed phrase
The most obvious way to keep your crypto and NFTs safe is by taking the proper precautions when it comes to your wallet’s seed phrase. For those unfamiliar, a seed phrase is a collection of randomly generated words that represent the private keys associated with a software wallet and are presented to a user when they first create a wallet. This private key acts as a failsafe that enables the contents of a crypto wallet to be restored in the uncommon event a user gets locked out of their wallet or finds it necessary to import their wallet into a new device.
You should never type out your wallet’s seed phrase. Ditch any thoughts of sending it to yourself via email or saving it in a Google Doc or other note app on your computer or phone. Only record your unique private key on paper and store it in a secure place in your home. Some even go so far as to engrave their seed phrase onto a metal plate and store it in a safe deposit box.
Use a hardware wallet or delegate a wallet
While it may be tempting to keep all of your assets in one or two software wallets for easy access and quick tradability, utilizing a hardware wallet to secure your grails and major scores of crypto could save you from a world of hurt. A hardware-based wallet, like a Ledger or Trezor, stores users’ private keys offline on the device of origin’s secure microprocessors. Considering a computer or other device can become compromised by malware, key loggers, screen capture devices, and more, utilizing a hardware wallet from the get-go is a reliable way to keep your NFTs safe.
While some endeavor to keep a few online-enabled software wallets (hot wallets) for active trading while keeping other assets secured in an offline hardware wallet (cold wallet), even this system can become compromised. Just as we recently witnessed with recent hacks of prominent Web3 figures like Rose, Nikhil Gopalani, CryptoNovo, and more, the simple act of signing a transaction with a high-value wallet can lead to loss. To mitigate risk even further, users might consider using a burner wallet — a wallet with no holdings or site connections only used to transact — or delegating a wallet to transact in place of an active one.
To do so, collectors can use services like Delegate Cash. With Delegate Cash, users can create and assign a fresh new MetaMask hot wallet as a delegate for a cold wallet where valuable NFTs are kept. In doing so, users can claim airdrops, confirm ownership of, or otherwise utilize an NFT without keeping it in an active wallet. We recently saw this method used to great effect when pseudonymous collector tropoFarmer offered up his Sewer Pass for others to play Dookey Dash via a delegated wallet.
Triple-check handles, URLs, and signatures
Before even considering minting, collecting, signing, or interacting with a website or contract (including Delegate Cash), you should always triple-check that the portal you are utilizing is safe and authentic. Time and time again, prominent Twitter accounts and Discord servers get hacked, leading to the announcement of false NFT mints and loads of crypto lost by the NFT community.
For the most part, scams will entice users into forking over their crypto or NFTs by asking them to enter a seed phrase (again, something that you should never even consider doing) or by signing a malicious transaction. As the latter was what compromised Rose, ensure that you check every URL you intend to interact with and the URL source to be extra cautious. It’s incredibly easy for scammers to create fake links and browser-based popups that look and behave identically to MetaMasks.
Yet, even if you aren’t coerced into a scam site or fake wallet app, blindly signing a transaction can leave you vulnerable to compromise. Hackers are undoubtedly counting on users to do just this. Considering the incredible amount of signatures and transactions presented to collectors on a weekly basis, it can be easy to glaze over the details when signing speed-defining minting transactions. To air on the side of caution, always take a good look at what you are signing and what contracts you are allowing your wallet to interact with.
8/ If your TX asks you to sign a message like 0x6fe64a…..87, you are signing a transaction that could be malicious, verify the source website and that you are indeed signing something you want to sign. pic.twitter.com/DtnGAgDTfe— richerd.eth (@richerd) February 2, 2022
What to do if you get hacked
If all fails and you do end up on the receiving end of malicious intent, your next actions will depend on the nature of the hack or scam you were subjected to. If you interacted with a fake mint or claim and signed a transaction… then tough luck. Once your crypto or NFTs leave your possession, there’s little you can do about it. Because of this, it’s essential to understand the security failures of others to prevent a hack from happening in the first place.
While marketplace security teams might be able to help you in some cases, especially if they are at fault, the responsibility almost always lies with the user. To better equip yourself to keep your assets secure, get educated. Read about common scams, learn how to identify red flags, and above all else, implement the safety measures outlined in this guide or otherwise set forth by trusted members of the NFT community ASAP.