Top 5 NFT Scam Attempts to Watch Out For in 2022

Top 5 NFT Scam Attempts to Watch Out For in 2022

Where there is massive financial opportunity, there are malicious actors, and recently scams have plagued the NFT industry.

Unfortunately, the sophistication and effort of the recent scams has been sufficient to take down both industry veterans and new participants.

In this piece, we'll explore some of the recent NFT scams and share what we know about the attack vectors and vulnerabilities.

1. New: ApeCoin Scams

On March 17, 2022, Yuga Labs, the founders of Bored Ape Yacht Club, opened the claim for ecosystem token, ApeCoin ($APE).

This claim though opened a new attack vector and opportunity for NFT scammers.

Here's how it works.

First, bad actors purchase verified Twitter accounts that have been compromised or had previously leaked credentials.

Next, they tweet out phishing links to a fake ApeCoin claim.

Because the account is verified, unsuspecting users gain a sense of leigitimacy, and those who act in haste rush to connect their wallet to a fake site.

After connecting, users sign a message and approve a call function which allows the scammer to gain access to their tokens, draining wallets that contain NFTs and more.

2. Reused: Ape Animation Scam

Another scam, this one specifically targeting holders of a Bored Ape Yacht Club or Mutant Ape Yacht Club NFT, has resurfaced and recently affected @BlackAppleArt on Twitter.

The scammer provides a link to a website that promises to create an animated version of a Bored Ape Yacht Club or Mutant Ape Yacht Club NFT. 

Once again, upon connecting and finalizing a token approval transaction, the scammer gains access to the respective NFT and perhaps more from the participant's wallet. 

In this instance the scam was purported by another verified Twitter account that was previously compromised. 


3. New: Google Doc Scam

Last week, Twitter user @Arthur_0x had his wallet drained of likely millions of dollars in assets.

Arthur is the founder of DeFiance Capital, a crypto venture fund focusing on DeFi and Blockchain gaming. This is important because it indicates that even those with an immense amount of crypto and NFT experience can fall victim to these scams.

In this example, Arthur first received what appeared to be a typical email with a Google Doc attachment entitled “A Huge Risk of Stablecoin (Protected).docx." When you receive an email that appears to be from a trusted source or a relevant party, this is known as spear-phishing. 

In this case of a spear-phishing, Arthur isn't alarmed when he receives an email with an investment thesis or research paper regarding stablecoins, as he is a venture capitalist in the crypto space. 

Unfortunately though, it is likely the hacker was able to get confidential information out of Arthur as a result of him engaging with this malicious document.

While the details are sparse, Arthur also alleges that this attack was done by the Lazarus Group, a cybercrime unit that is run by individuals for the North Korean state.

4. Reused: Airdrop Scam

Another scam that has returned involves an airdropped NFT that is designed to look like it came from a legitimate collection.

Here's how it works.

First, a user is airdropped an NFT to their wallet by the attacker. For example, recently an account named "Gutter Punks Flyer" minted NFTs to the wallets of Azuki and Invisible Friends holders.

From these NFT collections, the user is then drawn to click a link to a website feigning to be from the real collection. From here, any interaction or token approval from the participant to the bad actor puts all the users funds at risk. 

Fortunately, most fake collections are now automatically sent to the "Hidden" folder within a user's OpenSea profile. However, if needed, a user can send an NFT to their hidden folder by selecting "more options - hide" inside their OpenSea profile. 


5. Reused: Discord Hack NFT Scams

A Discord hack is the most common scam in the NFT industry.

Despite the abundance of incidents, many web3 participants still fall for these. As recently as this week, both the MekaVerse and Capsule House Discords were attacked.

In most cases, like the Capsule House hack, the scammer disables the team's ability to respond to the hack and creates a fake mint site for a "new" or "stealth mint."

Instead of minting though, users are generally just sending ETH to the hacker's address, with no NFT return.

At Lucky Trader, we want all of our users to enjoy success in the NFT space. To learn more about how to protect yourself, check out our post on how to stay safe from NFT scams

Disclaimer: The author or members of the Lucky Trader staff may own NFTs discussed in this post. Furthermore, the information contained on this website or the Lucky Trader mobile application is not intended as, and shall not be understood or construed as financial advice. AI may have assisted in the creation of this content.