In August 2021, a prominent NFT collector called Pranksy paid more than $336,000 for a fake Banksy NFT.
Pranksy first learned about the artwork from a member of his Discord channel. The auction was also advertised on Banksy’s official page.
About an hour after placing his offer, the seller of the NFT was accepted by the seller. But Banksy’s spokesperson told BBC that Banksy wasn’t involved in the creation of any NFT.
Pranksy had been scammed.
As it turned out, Banksy’s site was hacked and the fraudulent NFT auction was advertised, creating the perfect storm for a collector aptly named “Pranksy” to get scammed.
Oddly enough, the hacker returned all the money to Pranksy except for the gas fees of roughly $6,700, only after Pranksy revealed who had shared the auction in the Discord and followed him on Twitter, likely spooking the scammer with fear of inevitable consequences.
However, not everybody has been or will be as lucky as Pranksy when it comes to NFT scammers. Some scammers use technologically sophisticated techniques to exploit security gaps, as happened in the Banksy-Pranksy case, while others aim to gain trust to obtain wallet holders’ private keys.
As the cryptocurrency and NFT ecosystem grows in sophistication, so do the potential avenues for scammers and hackers.
The following guide explores the most common NFT scams and how to avoid them.
A vulnerability of the NFT space is that anyone can mint anything as an NFT. One trick fraudsters use is to mint the artworks of reputable artists without their consent and list them for sale on identically branded pages.
This scam can easily occur on NFT marketplaces where no artist verification is necessary, and in rare cases, imposters manage to verify themselves as the artists whose works they steal. Scammers are always on the lookout for loopholes. So, even on sites with a verification process, they might detect a way to verify, especially if the process is not hard to pass.
One such case happened to illustrator Derek Laufman whose work was sold on the Rarible platform by a verified seller. Laufman learned about the issue when his fans informed him on social media, but only after one fan had already bought the forgery.
Fake Customer Support
Scammers can manipulate you by gaining your trust in online communities. They can easily use fake names, invent phony social channels, and pretend to be the employees of a company.
For those veterans in the cryptocurrency ecosystem, a scammer pretending to be an employee on Telegram or Discord is just another day in the office. However, it might not be as easy for the influx of new art collectors navigating these new channels for the first time,
In August 2021, Jeff Nicholas joined a discord channel to find a solution to a royalties problem he encountered on the NFT marketplace OpenSea. He was invited by a member named “Pascal | OpenSea” to another discord channel called "OpenSea Support Server.” Nicholas didn’t suspect anything. The fake customer support suggested Nicholas share his screen to solve the issue at one point. The screenshot he shared included the QR code synced to the seed phrase of his crypto wallet. Shortly after, around 150 ETH had been stolen from the wallet.
Another victim of this type of fraud was Sohrob Farudi, who lost around 250 ETH worth of NFTs after scammers had deceived him to be the founders of the Bored Ape Yacht Club.
Phishing Emails and Offers
One of the oldest devices of tricksters is sending emails or posts with malicious links aiming to steal your data. This ruse can cheat even the more crypto-savvy among us. In June 2021, famous NFT artist Fvckvender, tweeted about a fraud, which caused him to lose around $4M. After opening a .scr file sent him via DM on Twitter with a virus, his Metamask wallet was hacked.
Be really careful out there I was dumb enough to not overlook this and open their SCR file and got my metamask swiped from à to Z all my tokens gone. They tried to access other app but my 2fa blocked them to. I’m an idiot don’t me an idiot like me and secure your shit. pic.twitter.com/gAins00taH— gmRENDER (@fvckrender) June 11, 2021
Another type of this scam is sending emails with fake offers on your OpenSea NFTs. They come with an OpenSea impersonation and try to bait you into clicking the links, following the steps, and ultimately sharing the private keys of your wallet.
They may also try to scare you with security issues on your OpenSea account to trick you into clicking the embedded link.
Replica and Fake Stores
Replica stores are nearly exact copies of the legitimate NFT stores and marketplaces, using the same logos, similar website layouts, and list the same NFTs as the original stores.
For example, there may be an OpinSea.io as a replica for OpenSea.io or a nftygatwey for a Nifty Gateway.
Some fake NFT marketplaces don’t copy the NFTs of the well-known NFT stores, they seem to be selling unique NFTs that don’t actually exist. For example, you could end up buying a fake BAYC with attributes that don’t exist or simply spending ETH on an NFT that never ends up in your wallet.
Further, these marketplaces could also take personal data like credit card information.
Scam Airdrops and Giveaways
Scammers are always coming up with new phishing tactics. For example, the announcement bot of the Fractal discord channel was hacked. Fractal is a new NFT gaming marketplace founded by Twitch co-founder Justin Kan.
The hacker posted an airdrop announcement on the official channel, and 373 Discord members followed the fake link in the message. Around $150,000 worth of Solana (SOL) was stolen.
Another way fraudsters exploit airdrops is by sending them to public wallet addresses. When wallet owners interact with them, such as listing them for sale or moving them to another wallet, security gaps may arise.
For instance, if you see a suspicious new NFT in your wallet, don’t be so eager to list it for sale– by “approving” the sale in your wallet, you may actually be signing a transaction to spend all of your ETH, or transfer your NFTs, or whatever the maliciously programmed contract intends.
Recently, the OpenSea team announced that they fixed an NFT phishing attempt via malicious airdrops that could have resulted in emptying the victims’ wallets.
Sometimes, the NFT project itself is fake; shortly after it’s launched and backed by the investors, the founders dump their NFT holdings and disappear. This is called rug pull.
For example, a scammer promised his fans to mint 8,000 randomized 3D artwork but instead delivered 20 emojis and ran away with 1,000 SOL. Another well-known rug pull case is Evolved Apes NFT collection, whose creator disappeared with $2.7M.
This type of scam is widespread in the NFT world. It’s estimated that $30M got lost due to rug pulls during September/October 2021 NFT drops.
Final Thoughts: How to Avoid NFT Scams
Safety starts with doing your due diligence. Orient yourself around the legitimate NFT stores and marketplaces like OpenSea, Nifty Gateway, and SuperRare– and follow their corporate communication accounts.
But, keep in mind that many fraudulent acts can also occur on these sites; OpenSea may be the largest NFT marketplace, but since anyone can create and sell NFTs here, the risk remains.
This doesn’t mean unverified collections are not necessarily illegitimate, but you’ll likely be safer purchasing from verified accounts.
Don’t forget even if the artists and collections are verified, there can still be fraud. You must do in-depth research before investing in an NFT project.
Word of mouth goes a long way, but it’s not a foolproof system.
Be part of the watchdog crusade against scam projects; when you observe suspicious activity, you can report it here on OpenSea.
Be very careful about how you use your crypto wallets. Only sign on those websites which you trust.
When you move NFTs from one wallet to another, always check if the pasted address is exactly the same as the copied one, as some malware can copy and paste a scammer’s address before you send.
Use two-factor authentication (2FA) to log into wallets, exchanges, and NFT stores to add another layer of protection against hackers and phishers.
Frauds may happen in every social and community channel. Be careful whom you deal with. Question every link, think multiple times before clicking.
As the Fractal team shared in an article after the recent airdrop scam, “there’s no undo button in crypto.”
And most importantly, never ever share your private key with anyone. No customer support agent anywhere will ever ask you for your private key, and if they do, you should refuse and use a different service that takes their customer’s funds more seriously.