NFT anti-theft guide: NFT thefts are happening frequently, so how do you guard against hacker attacks?
区块律动BlockBeats
2022-04-01 11:00
This article is about 2,792 characters; reading it in full takes about 11 minutes.
An NFT anti-theft guide; please read it carefully.

Written by: Rhythm Research Institute, NFT Labs

The crypto world is like a dark forest: countless dangers may be lurking around you. A few days ago, a hacker took advantage of OpenSea's contract upgrade to send a phishing email to all users' mailboxes; many users mistook it for an official email and authorized their wallets, which led to their wallets being drained. According to statistics, this email led to the theft of at least 3 BAYC, 37 Azuki, 25 NFT Worlds and other NFTs. Valued at floor price, the hacker's proceeds reached as much as 4.16 million US dollars.

And just today, one MAYC and two Doodles held by Jay Chou were stolen one after another, and the Discord communities of BAYC, a top NFT project, and Doodles were hacked at the same time; the losses caused by the hackers have not yet been determined.

Today, the hacker attacks we need to guard against exist not only at the technical level but also come from social engineering. In addition, the prices of many NFT projects have risen, and a moment's carelessness can cost us huge amounts of assets. In view of the frequent fraud in the NFT field recently, Rhythm has summarized several common fraud methods and hopes readers will stay vigilant and not be deceived.

Fraud methods:

1. Scam website link via Discord private message

Discord private message links are a common method hackers use to deceive. Hackers often send private messages to members in batches across different Discord communities, or pose as community administrators and message users on the pretext of helping solve a problem, in order to defraud them of their wallet private keys. Others send a fake phishing website claiming that users can receive NFTs for free, and so on. Once the user authorizes their wallet on the fake website the hacker has cloned, it brings huge losses to the user.

2. Attack the Discord server

Having its Discord server hacked is something almost every popular NFT project will experience. Hackers attack the account of a server administrator and then post fake announcements in the server's channels, luring community members to the phishing website the hacker prepared in advance to mint fake NFTs. Today's hackers obtain the administrator's account token by sending phishing websites and the like, so even if the administrator has turned on 2FA two-factor authentication, it does not help. And if the phishing website built by the hacker requests authorization of the user's wallet, it brings even more serious property losses to the user.

3. Send fake transaction links

This type of deception is common in NFT transactions where scammers negotiate privately with users. Trading platforms such as Sudoswap and NFTtrader encourage users to "swap" NFTs or tokens with each other through private negotiation, and these platforms also provide security for privately negotiated transactions. This is a good thing for the NFT market, but now some hackers have begun to defraud users through fake Sudoswap and NFTtrader websites.

Sudoswap and NFTtrader require users to initiate a transaction after the negotiation is complete. This step generates an order confirmation page, and once both parties confirm, the transaction is carried out automatically through the smart contract. At the beginning, the scammer pretends to negotiate with you about which NFTs to exchange and first shows you a real website link, then proposes to modify the transaction. After the trader has relaxed his vigilance, the scammer sends a fraudulent link. After the user clicks to confirm the transaction, the corresponding NFTs in the wallet are sent to the scammer's wallet.

4. Cheat mnemonic words

Scammers use various means to induce users to send them their private keys or mnemonic words, such as building a fraudulent website or pretending to be an administrator who is helping the user. All of these behaviors aim to lower the user's vigilance and wait for an opportunity to defraud them of their private key and mnemonic.

5. Create a fake Collection and solicit deals in the project's public Discord channel

Fake NFT collections are most often encountered before popular projects are released. Before an NFT blind box officially launches, scammers upload collections with similar names to NFT trading platforms such as OpenSea in advance and "decorate" them beautifully using the information the project has already published. While the real NFT collection is not yet online, users searching for it will first find the collection with the closest name. To convince users, some scammers even place Offer bids on the fake NFTs they have listed and create several more transactions.

To save the platform's fees and the project's royalties, community members conduct private transactions among themselves. Besides the imitation Sudoswap and NFTtrader websites mentioned above, some scammers post links to fake NFT collections priced slightly below the floor price in community channels. Users rushing to buy NFTs below the floor price often ignore whether the NFT is genuine and are deceived.

6. Fake emails

Most NFT platforms require users to bind an email address so that users can learn the status of their NFT transactions immediately, so mailboxes have also become a gathering place for fraud. Scammers usually pretend to be the official OpenSea account and send users phishing website links on pretexts such as a contract address needing to be modified or a wallet needing to be re-verified. Recently, after OpenSea announced its contract upgrade, hackers defrauded users of nearly $4 million in this way. As of the time of writing, the OpenSea team is still working through the cases of affected users.

Anti-Scam Guide

1. URL screening

No matter what fancy packaging the hacker uses or how confusing the wording is, when he finally steals your crypto assets he always needs a way to interact with your wallet. Ordinary users may not be able to identify contract risks, but fortunately we still live in an internet world dominated by web2: almost every crypto contract needs a web2 front-end webpage to interact with users.

Therefore, the vast majority of crypto asset thefts targeting users (rather than project teams) happen on counterfeit phishing websites. Once you understand how to identify phishing websites, that is enough to help you avoid 99% of crypto asset thefts.

Generation Z grew up with smartphones and lives in the "ecosystems" created by one app after another, and may have neglected the old-fashioned web page. In the web2 era, the DNS domain name system gives each website a unique identity across the entire network. Knowing the basic rules of how domain names are composed will be enough to deal with almost all fake phishing websites.

In a traditional DNS domain name, the hierarchy is divided into three levels. Read from right to left, starting from the first separator (/) after the host; each period separates one level. Take https://www.opensea.io/ as an example. ".io" is similar to ".com" and ".cn"; these are called top-level domains, and this field cannot be customized. "opensea" is called the second-level domain, i.e. the main body of the domain name, and this field cannot be repeated under the same top-level domain (such as .io). "www" is a third-level domain, which the website operator can set freely. Operators can even keep adding fourth-level and fifth-level domains before "www".

The hierarchical order of domain names is counter-intuitive: reading from right to left, the level decreases. This design is exactly the opposite of most people's reading habits, which also gives attackers an opening. For example, although the address https://www.opensea.io.example.com looks highly similar to OpenSea's address, its actual domain name is "example.com", not "opensea.io".
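As an added example (not from the original article), the following Python function applies the right-to-left reading rule above: it pulls the host out of a URL, finds the registrable second-level name, and flags lookalikes such as the example.com address. The public-suffix table is a small stand-in assumption; real tooling should use the full Public Suffix List (for instance via the tldextract package).

```python
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List (assumption for this example): under each
# of these suffixes, the next label to the left is the "second-level" name.
PUBLIC_SUFFIXES = {"com", "io", "cn", "org", "net", "co.uk", "com.cn"}


def _host_of(url: str) -> str:
    """Host part of a URL; tolerates a bare host pasted from a chat message."""
    if "://" not in url:
        url = "https://" + url
    # hostname drops scheme, port, path and query, so only the DNS name remains.
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(url: str):
    """Return the owner-controlled name ('opensea.io'), or None if there is none."""
    labels = _host_of(url).split(".")
    # Try the longer suffix first so "co.uk" wins over "uk".
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-n - 1:])
    return None


def classify(url: str, known: set) -> str:
    """'official' if the registrable domain is on the allowlist,
    'lookalike' if a known name merely appears inside the host (e.g. as a
    third-level label in front of someone else's domain), else 'unknown'."""
    domain = registrable_domain(url)
    if domain in known:
        return "official"
    host = _host_of(url)
    if any(name in host for name in known):
        return "lookalike"
    return "unknown"
```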

It is still difficult to predict whether there will be phishing attacks on Web3. But in the Web2 world, the DNS domain name system guarantees the uniqueness of domain names (URLs), and as long as the domain name is genuine, it is almost impossible for a user to open a fake website.

2. Do not disclose private keys or mnemonic words

Crypto wallets are not like Web2 accounts such as e-mail. The private key and mnemonic cannot be changed or recovered. Once leaked, the wallet belongs to you and the hacker at the same time: all assets in the wallet can be transferred out by the hacker at any time, and because Ethereum addresses are anonymous you cannot find out who the hacker is, so the loss naturally cannot be recovered and the wallet can no longer be used.

3. Cancel wallet authorization in time

If you have authorized your wallet on a fraudulent website, you can go to the following three sites to check your wallet's authorization status and revoke it in time:

https://etherscan.io/tokenapprovalchecker

https://revoke.cash/

https://debank.com/
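As an added example (not from the article or from the tools linked above), this Python code replays ERC-721 ApprovalForAll event logs offline to show which operators still hold blanket approval over a wallet's NFTs, which is the check those sites perform before offering a revoke. The log entries and every address in them are constructed placeholders.

```python
from dataclasses import dataclass

# keccak256("ApprovalForAll(address,address,bool)"): the standard ERC-721 event topic.
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"

@dataclass(frozen=True)
class Log:
    block: int
    address: str    # NFT collection contract that emitted the event
    topics: tuple   # topic0 = event signature, topic1 = owner, topic2 = operator
    data: str       # ABI-encoded bool `approved` as one 32-byte word

def _topic_to_address(topic: str) -> str:
    # Indexed addresses are left-padded to 32 bytes; the address is the low 20 bytes.
    return "0x" + topic[-40:].lower()

def decode_approval_for_all(log: Log):
    """Return (collection, owner, operator, approved), or None for any other event."""
    if len(log.topics) != 3 or log.topics[0].lower() != APPROVAL_FOR_ALL_TOPIC:
        return None
    approved = int(log.data, 16) != 0
    return (log.address.lower(), _topic_to_address(log.topics[1]),
            _topic_to_address(log.topics[2]), approved)

def active_operators(logs, wallet: str):
    """Replay logs in block order; the latest event per (collection, operator) wins."""
    wallet = wallet.lower()
    state = {}
    for log in sorted(logs, key=lambda entry: entry.block):
        decoded = decode_approval_for_all(log)
        if decoded is None or decoded[1] != wallet:
            continue
        collection, _, operator, approved = decoded
        state[(collection, operator)] = approved
    return sorted(key for key, approved in state.items() if approved)

# Constructed sample logs; every address below is a placeholder, not a real contract.
def _pad(addr: str) -> str:
    return "0x" + addr[2:].rjust(64, "0")

WALLET = "0x1111111111111111111111111111111111111111"
MARKETPLACE = "0x2222222222222222222222222222222222222222"
PHISHING_OPERATOR = "0x3333333333333333333333333333333333333333"
COLLECTION = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
APPROVED_WORD, REVOKED_WORD = "0x" + "1".rjust(64, "0"), "0x" + "0" * 64
SAMPLE_LOGS = [
    Log(100, COLLECTION, (APPROVAL_FOR_ALL_TOPIC, _pad(WALLET), _pad(MARKETPLACE)), APPROVED_WORD),
    Log(150, COLLECTION, (APPROVAL_FOR_ALL_TOPIC, _pad(WALLET), _pad(PHISHING_OPERATOR)), APPROVED_WORD),
    Log(160, COLLECTION, (APPROVAL_FOR_ALL_TOPIC, _pad(WALLET), _pad(MARKETPLACE)), REVOKED_WORD),
]
```

Running `active_operators(SAMPLE_LOGS, WALLET)` leaves only the phishing operator, since the marketplace approval was revoked at block 160; that remaining entry is what the user must revoke with `setApprovalForAll(operator, false)`.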
