A lot of newcomers to Web3 and even many veterans are sitting ducks for scammers. But here’s the thing about Web3:
You can’t hack the blockchain.
Yes, you heard that correctly. It is currently not possible to “hack” a blockchain address and steal the digital assets it holds.
This is good news in the sense that malicious actors cannot simply steal your NFTs or crypto from your wallet. Provided that you have kept your private key and seed phrase as securely stored as possible, your assets are safe.
This is also bad news, in some ways. Why? Because if you accidentally send assets to the wrong address, there’s technically no way to revert the transaction or open the receiving address and get them back. Since blockchains are decentralized networks with no central, governing authority, there’s also no help line for support or administrative body that can recover your assets for you.
How do scammers steal NFTs and crypto?
Since they can’t simply hack your blockchain address and take them, scammers have to be a bit more creative about how they steal your assets. There are two main ways they do this:
- They gain access to your private key or seed phrase and transfer the funds out of your wallet. (For example, they acquire your MetaMask private key by hacking your computer and use it to access your wallet.)
- They trick you into signing a transaction allowing them to transfer the funds from your wallet.
In both cases, once they have successfully transferred your assets away from your wallet, there’s very little chance you’ll be getting them back.
How to keep your NFTs and crypto safe?
Keeping your NFTs, crypto, and other blockchain assets safe, therefore, requires that you do two things:
- Keep your private keys and/or seed phrases out of the hands of the bad guys.
- Avoid signing any transaction that could give them control of your assets.
The only problem is, scammers are smart, and they are constantly finding new ways to trick you into either giving them your sensitive data, or signing a transaction that will allow them to drain your wallet.
So you have to be smarter. Here are a few tips that will help you keep one step ahead of the bad guys and keep your wallet safe.
- NEVER mint using the wallet that holds your NFTs and crypto.
This one will eliminate a lot of danger in and of itself. You should store your blockchain assets in a completely separate wallet (ideally a “cold wallet,” more on this below) from the wallet you use to mint new NFTs. Only keep as much crypto in the wallet you use to mint as you’ll need to cover the gas fees for minting. This way, if you somehow make a mistake, there’s almost nothing to be stolen, as the wallet you’re minting from is practically empty (except for the small amount of crypto you’ll need to cover gas fees).
- Always check that the blockchain address of the smart contract you are minting from is the same as the one displayed on the OFFICIAL website or Discord of the collection you are minting from.
One of the oldest tricks in the book is making an exact replica of a popular NFT collection's site. The only difference is that when you click “mint,” you are minting from a completely different smart contract, with malicious code that will drain your wallet as soon as you sign the “mint” transaction.
How to avoid this one?
Double, triple, and quadruple check that the website you are minting from is the official website of the collection you’d like to mint. If it’s somehow difficult to verify, find the official collection on OpenSea and make sure its smart contract address corresponds exactly to the smart contract you’ll be minting from.
We can’t overemphasize the importance of this: one wrong click, one signed transaction, and the scammers can instantly drain everything your wallet holds. Of course, as we said in tip #1, your minting wallet should hold almost nothing, but combining both methods will eliminate a huge amount of the risk involved in Web3.
- Be constantly vigilant for malicious links.
One particularly active and high-profile NFT community member recently had his entire computer hacked by clicking a malicious download link for a piece of well-known and widely used software. Instead of double-checking that the site he was downloading from was the official site, he Googled the name of the software and clicked the first sponsored link.
Within minutes, hackers had gained access to all of his logins, and unfortunately, his seed phrase to his blockchain wallet holding all of his most valuable assets (including some exceptionally rare and valuable NFTs) was stolen, and the wallet drained.
This extremely unfortunate incident should be a cautionary tale to everyone. Even very experienced and well-versed Web3 users can fall victim to scammers.
So how to avoid it?
Always double-check that you are downloading any and all software from the official site of the manufacturer. We highly recommend using a link checker (URL checker) to automatically check whether a link is malicious. If the link is safe, the tool will give you the green light to click it.
There are also various tools that can help check transactions before you sign them, such as Pocket Universe. If hackers gain access to your machine and the logins to all of your accounts, they can steal your seed phrase and/or private keys (and with them your stored crypto and NFTs) if you have ever sent or stored them anywhere, at any point in time, using any of those accounts or the machine being hacked.
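The two checks that tip #2 and the pre-signing tools above perform can be written down concretely. The following is an added example for this article, not code from Pocket Universe or any wallet: it takes a pending transaction (assumed here to be a dict with the usual `to`, `value` and `data` fields), compares the target against the contract address taken from the collection's official site or Discord, and decodes the calldata for the standard ERC-20/ERC-721 approval and transfer functions, which are the calls a drainer needs you to sign. The contract and operator addresses in it are constructed sample values; the four-byte function selectors are the standard ones.

```python
"""Pre-signing transaction check (added example, not part of the original post).

Assumptions: the wallet exposes the pending transaction as a dict with
'to' (hex address), 'value' (wei, int) and 'data' (hex calldata); the
official contract address is copied from the collection's own site/Discord.
The function selectors below are the standard ERC-20/ERC-721 values
(first 4 bytes of keccak256 of the canonical signature).
"""
from __future__ import annotations

# Calls that hand control of tokens to another address. An innocent mint
# transaction never needs any of these; a wallet drainer needs one of them.
DANGEROUS_SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
}


def normalize_address(addr: str) -> str:
    """Lower-case, 0x-prefixed, 40-hex-digit form; raises on anything else.
    (EIP-55 checksum verification is deliberately omitted here: it needs keccak256.)"""
    a = addr.strip().lower()
    if a.startswith("0x"):
        a = a[2:]
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not a valid 20-byte hex address: {addr!r}")
    return "0x" + a


def _word(data_hex: str, index: int) -> str:
    """Return the index-th 32-byte ABI word after the 4-byte selector, as hex."""
    start = 8 + index * 64
    return data_hex[start:start + 64]


def check_transaction(tx: dict, official_contract: str) -> list[str]:
    """Return human-readable warnings; an empty list means nothing was flagged."""
    warnings: list[str] = []
    to = normalize_address(tx["to"])
    official = normalize_address(official_contract)
    if to != official:
        warnings.append(f"target {to} is NOT the official contract {official}")

    data = tx.get("data", "0x").lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) < 8:
        return warnings  # plain value transfer or empty calldata

    name = DANGEROUS_SELECTORS.get(data[:8])
    if name is None:
        return warnings  # not one of the watched functions

    # Every watched function takes at least two 32-byte arguments.
    if len(data) < 8 + 2 * 64:
        warnings.append(f"calldata for {name} is truncated; refusing to interpret it")
        return warnings

    if name.startswith("setApprovalForAll"):
        operator = "0x" + _word(data, 0)[-40:]  # address is right-aligned in the word
        if int(_word(data, 1), 16) != 0:
            warnings.append(f"grants operator {operator} control over ALL tokens in this collection")
    elif name.startswith("approve"):
        spender = "0x" + _word(data, 0)[-40:]
        amount = int(_word(data, 1), 16)
        warnings.append(f"approves {spender} for {amount} (token id or allowance)")
    else:
        warnings.append(f"calls {name}: moves a token out of your wallet")
    return warnings


# Constructed sample data (not real contracts or addresses).
OFFICIAL_CONTRACT = "0x1111111111111111111111111111111111111111"
FAKE_CONTRACT = "0x2222222222222222222222222222222222222222"
ATTACKER = "0x3333333333333333333333333333333333333333"

# Replica-site mint: looks like a mint, but the target is a different contract.
TX_FAKE_MINT = {"to": FAKE_CONTRACT, "value": 10**16, "data": "0x1249c58b"}
# Drainer: setApprovalForAll(ATTACKER, true) sent to the real collection contract.
TX_APPROVAL_DRAIN = {
    "to": OFFICIAL_CONTRACT, "value": 0,
    "data": "0xa22cb465" + "0" * 24 + ATTACKER[2:] + "0" * 63 + "1",
}
# Ordinary mint on the official contract: nothing to flag.
TX_LEGIT_MINT = {"to": OFFICIAL_CONTRACT.upper().replace("0X", "0x"), "value": 10**16, "data": "0x1249c58b"}

if __name__ == "__main__":
    for label, tx in [("fake mint", TX_FAKE_MINT), ("approval drain", TX_APPROVAL_DRAIN), ("legit mint", TX_LEGIT_MINT)]:
        print(label, "->", check_transaction(tx, OFFICIAL_CONTRACT) or ["OK"])
```

The address comparison is what tip #2 asks you to do by hand; the calldata decoding is the part a pre-signing tool adds, since a mint button on a replica site can just as easily submit an approval as a mint, and the wallet pop-up alone does not make the difference obvious.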
Which brings us to our next tip…
- Use a cold wallet.
There are two main types of wallets: hot and cold. We recommend using hardware cold cryptocurrency wallets (such as Ledger). These wallets hold your seed phrase and private key and are not connected to the Internet. They do not export your sensitive info anywhere unless you explicitly ask them to. The hot wallet vs cold wallet argument is simple: Storing your seed phrase backup or private keys on a cold-storage hardware wallet greatly reduces the chance of your data being stolen, even if your device and accounts are hacked. However, even with secure seed phrase storage, you still have to be extremely careful of signing malicious transactions just as you would with MetaMask.
It’s a jungle out there, and hackers and scammers are constantly looking for ways to get access to your data and steal your assets. If you follow the tips above, you will significantly reduce your vulnerability to their tactics. If you have any other insights on how to keep your NFTs and crypto safe, we’d love to hear them!
And if you’d like to learn more about launching your own NFT collection, check out some of the most common mistakes made by NFT project founders, our NFT project checklist, and our article about what’s missing in Web3.