Please forward this NFT anti-theft guide to Jay Chou

Author: Rhythm Institute, NFT Labs

The world of crypto is like a dark forest, and countless dangers may be lurking around you. A few days ago, a hacker took advantage of the OpenSea contract upgrade to send a phishing email to the mailboxes of all users. Many users mistook it for an official email and authorized their wallets, which led to wallet theft. According to statistics, this email caused at least 3 BAYC, 37 Azuki, 25 NFT Worlds and other NFTs to be stolen, and at floor prices the hacker's proceeds have reached 4.16 million US dollars.

Just today, 1 MAYC and two Doodles held by Jay Chou were stolen one after another; the top NFT project BAYC and the Discord community of Doodles were hacked at the same time, and the losses caused by the hackers have not yet been determined.

Today, the attacks we need to guard against are not only technical but also come from social engineering. With the prices of many NFT projects rising, a moment of carelessness can cost you a fortune. In view of the recent wave of fraud in the NFT field, Rhythm has summarized several common fraud methods. We hope readers will stay vigilant and not be deceived.

Scams:

1. Scam website links sent through Discord private messages

Private messages with links are a common hacking method on Discord. Hackers often send private messages in bulk to members of different Discord communities, or impersonate community administrators and message users on the pretext of helping them solve a problem, in order to trick them out of their wallet private keys. Or they send fake phishing sites that tell users they can claim NFTs for free, and so on. Once a user authorizes a fake website that hackers have copied from the real one, the user suffers huge losses.

2. Attack the Discord server

Having its Discord server hacked is something almost every hot NFT project goes through. Hackers attack the server administrator's account, then publish fake announcements in the server's channels, tricking community members into going to a fake website that the hackers built in advance to buy fake NFTs. Today's hackers steal the server administrator's token by sending them fraudulent websites, so even if the administrator has turned on two-factor authentication (2FA), it does not help. If the scam website built by the hackers asks the user to authorize their wallet, the user's losses will be even more serious.

3. Send fake transaction links

This type of scam is common in NFT trades where the scammer negotiates privately with the user. Trading platforms such as Sudoswap and NFTtrader encourage users to "exchange" each other's NFTs or tokens through private negotiation, and these platforms also provide security for privately negotiated transactions. That is a good thing for the NFT market, but hackers have now begun to run scams through imitations of the Sudoswap and NFTtrader websites.

Sudoswap and NFTtrader require the user to initiate a transaction after the negotiation is completed, which generates an order confirmation page, and the transaction is carried out automatically through a smart contract after both parties confirm. At the beginning, the scammer pretends to negotiate with you over which NFTs to exchange and first shows you a real website link, then proposes to modify the transaction. After the trader lets their guard down, the scammer sends a scam link, and once the user clicks to confirm the transaction, the corresponding NFT in the wallet is sent to the scammer's wallet.

4. Fraudulently obtaining mnemonic phrases

Scammers induce users to send them private keys or mnemonics through various means, such as building fraudulent websites or pretending to be administrators helping users. All of this behavior is meant to lower the user's vigilance while the scammer waits for an opportunity to steal keys and mnemonics.

5. Create a fake Collection and seek deals on the project's Discord public channel

Fake NFT collections are most likely to turn up just before a popular project goes on sale. Before the NFT blind box is officially launched, scammers upload a similarly named NFT collection to an NFT trading platform such as OpenSea and "decorate" it in advance using the information released by the official project. While the real NFT collection is not yet online, users who search will first find the collection with the closest name. Some crooks also send offers on the fake NFTs currently listed and complete several transactions, in order to convince users that the collection is real.

In order to save on platform and project royalties, community members trade privately with each other. In addition to the imitation Sudoswap and NFTtrader websites mentioned above, there are also scammers who post links in community channels to fake NFT collections priced slightly below the floor price. Users are often deceived because they overlook the authenticity of the NFTs when they rush to buy below the floor price.

6. Fake mail

Most NFT platforms require users to bind an email address so that users learn of their NFT transactions right away, so mailboxes have become a gathering place for fraud. Scammers often disguise themselves as the official account of the OpenSea platform and send phishing links to users on the grounds that the contract address needs to be modified or the wallet needs to be re-verified. Recently, after OpenSea announced the contract upgrade, hackers defrauded users of nearly $4 million in this way. As of the writing date, the OpenSea team is still investigating the compromised users.

Anti-scam guide

1. URL screening

No matter what fancy packaging the hacker uses, and however confusing the wording is, when he eventually steals your crypto assets there will always be some way in which he interacts with your wallet. The average user may not have the ability to discern contract risks, but fortunately we are still in an Internet world dominated by web2. Almost all crypto contracts need a web2 front-end web page to interact with the user.

As a result, the vast majority of crypto asset theft from users (not project parties) happens on phishing sites. Once you know how to identify phishing sites, that will be enough to help you avoid 99% of crypto asset theft.

Gen Z, who grew up with smartphones, live in the "ecology" created by one app after another and may have neglected to learn about something as old as the web page. In the web2 era, the DNS domain name system gives each website an identity that is unique across the whole network, and understanding the basic rules of how domain names are composed is enough to deal with almost all fake phishing websites.

In traditional DNS domain names, the hierarchy is divided into three levels. Read from right to left starting at the first delimiter (/), with each period separating one level from the next. Take https://www.opensea.io/ as an example. ".io", ".com", ".cn" and so on are called top-level domains; this field is not customizable. "opensea" is called the second-level domain name, that is, the body of the domain name, and it cannot be duplicated under the same top-level domain (such as .io). The "www" part is a third-level domain name, which the website operator can set freely. Operators can even continue to add fourth-level and fifth-level domain names in front of "www".

The hierarchical order of domain names is counterintuitive: the level decreases step by step from right to left. This design is the opposite of most people's reading habits, and it gives attackers an opening. For example, the address https://www.opensea.io.example.com looks very similar to the OpenSea address, but its actual domain name is "example.com" instead of "opensea.io".

Whether phishing attacks will exist on Web3 is difficult to predict. But in the world of Web2, the DNS domain name system ensures the uniqueness of domain names (or URLs), so when the address a user opens is the real one, it is almost impossible for them to end up on a fake website.
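The right-to-left reading rule above can be turned into a mechanical check. The following Python sketch is an added example, not code from the original article: it extracts the domain that actually owns a link and compares it with an allowlist. The suffix list and the allowlist are small constructed assumptions; a real check should use the full Public Suffix List. It goes slightly beyond the article's example by also catching a trusted name placed before an "@" in the address.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny suffix list (assumption). A real check
# should load the full Public Suffix List from publicsuffix.org.
SUFFIXES = {"io", "com", "cn", "cash", "com.cn", "co.uk"}
# Hypothetical allowlist built from sites named in this article.
TRUSTED = {"opensea.io", "etherscan.io", "revoke.cash", "debank.com"}


def registrable_domain(url):
    """Return the second-level domain plus suffix that owns the host."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return None
    labels = host.split(".")
    # Try the longest candidate suffix first, then shorter ones.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            # i == 0 means the host is only a suffix, with no owner label.
            return ".".join(labels[i - 1:]) if i else None
    return None  # IP address, unknown suffix, or no scheme/host at all


def screen(url):
    """Classify a link as 'trusted', 'lookalike' or 'unknown'."""
    domain = registrable_domain(url)
    if domain is None:
        return "unknown"
    if domain in TRUSTED:
        return "trusted"
    # A trusted name elsewhere in the authority part (extra subdomain
    # levels, or text before an '@') is there to mislead the reader.
    authority = urlsplit(url).netloc.lower()
    if any(name in authority for name in TRUSTED):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://www.opensea.io/",
                 "https://www.opensea.io.example.com/",
                 "https://opensea.io@example.com/"):
        print(screen(link), registrable_domain(link), link)
```
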

2. Do not disclose private keys or mnemonic words

A crypto wallet is not like a Web2 email or other account: private keys and mnemonics cannot be modified or retrieved. Once they are leaked, the wallet belongs to you and the hacker at the same time, and all the assets in your wallet can be transferred by the hacker at any time. Because of the anonymity of Ethereum addresses, you cannot find out who the hacker is, so the loss cannot be recovered and the wallet can no longer be used.

3. Cancel the wallet authorization in time

If you have authorized your wallet on a scam website, you can go to the following three addresses to check your wallet's authorizations and cancel them in time:

https://etherscan.io/tokenapprovalchecker

https://revoke.cash/

https://debank.com/