How to invest only in reliable projects and not to fall for fraudsters' tricks

NFT fraud. What are the schemes and how to protect yourself

15.07.2022


Cryptocurrency scams, including those involving non-fungible tokens (NFTs), are becoming increasingly sophisticated. On July 12, users of the decentralized exchange Uniswap were targeted by a phishing attack that resulted in a loss of about $4.6 million in ETH. A malicious token was sent to users' wallets, and they were offered the chance to exchange it for the official Uniswap exchange token (UNI). However, after the victims confirmed the transaction, the tokens in their wallets went to the attackers.

Mass interest in the crypto industry has made communities of popular projects vulnerable to phishing attacks. A single file download can make you a victim of cybercriminals. According to a report by research group Top10VPN, NFT fraud resulted in a loss of $52 million in the first four months of 2022 alone, compared to less than $7 million for all of 2021.

Types of fraud

Rug Pull is a type of fraud in which developers abandon a project, fail to deliver on their promises and take investors' money. The name comes from the phrase “pulling the rug out.” In the common scheme, the developers release and advertise an NFT collection and create a roadmap for the project that describes its future development. After investors buy NFTs from the collection, the scammers delete their social media accounts and leave the project without support, failing to deliver on the promised goals. As a result, investors are left with devalued tokens.

Influencers from the crypto sphere and media personalities are often brought into scam projects and paid to advertise the collections on social networks. As a rule, expensive draws and giveaways are arranged to create a stir around the project. A prime example was the popular boxer Floyd Mayweather, who promoted projects such as Ethereum Max, Bored Bunny, and Moonshot on his Twitter. The Mayverse project, which was launched on behalf of the boxer himself and raised $200,000 by selling NFTs, also received no development. @Zachxbt, a Twitter detective well known in the community, released an investigation into each of Floyd's and other celebrities' scam projects.

Another high-profile scam project was Frosties, on which attackers made $1 million, according to the US Department of Justice (DoJ). The two-person Frosties team promised investors tokens, rewards, and early access to a future game. They disappeared along with investors' funds after selling 9,000 NFTs from the collection. The scammers were later found, and a criminal case was filed against them.

Phishing is a type of fraud in which hackers gain access to user data, such as passwords, accounts and the seed phrases for wallet addresses. Attackers use malicious links to fake sites that imitate the pages of famous crypto projects, or send emails on their behalf. Creating fake sites for releasing (minting) NFTs has become a widespread method. Fraudsters send messages to followers on popular social networks on behalf of the project team. The messages offer tempting conditions, such as a discount on the purchase of NFTs, with a link to the phishing site. If the victim attempts to mint an NFT through a malicious contract, they lose the funds in the connected wallet.

One of the victims of a phishing attack was the popular NFT artist Mike Winkelmann, known as Beeple. On May 22, attackers hacked into his Twitter and, in a series of tweets, posted links to the minting of a fake collaborative NFT collection with Louis Vuitton. They also posted an “exclusive” work by the artist, which Beeple had allegedly not written about before. The hackers managed to get $438,000 worth of ETH from the artist's gullible subscribers.

Pump & Dump is a manipulative scheme in which the price of NFTs is raised and then collapses. Fraudsters use social media, celebrity support, and false information to create a stir around the NFTs and raise the price of the tokens. Large asset owners artificially increase the value of assets (pump) in order to sell them later to interested investors. As a result, the value of the asset decreases or depreciates (dump) and investors lose money.

Read more about the Pump & Dump scheme in the GetBlock Magazine’s article.

Another celebrity spotted advertising fraudulent projects was Logan Paul, an actor and blogger with 23 million subscribers on his YouTube channel. He advertised such projects as Dink Doink NFT, Crypto Zoo, EMAX and Maverick. Logan advertised tokens on his Twitter account, after which they rose in value, but at one point the value plummeted.

Fake collections are a scheme in which fraudsters steal the work of famous artists. The stolen works are listed on major NFT marketplaces. Buyers mistakenly believe they are investing in an original work of art, when in fact it is only a fake. In April 2021, fraudsters sold artwork by the deceased artist Qinni in this way, after which her brother tweeted that no one from her family was involved. Another victim was RJ Palmer, the concept artist who worked on the movie Detective Pikachu. His popular work depicting a Pokémon was stolen from him and put up for sale.

To protect yourself from fake NFTs, it's worth checking the artists' official social media sites for announcements of upcoming sales. Most well-known trading sites have already introduced mandatory verification for authors.

Insider trading is a scheme in which fraudsters have access to confidential information and use it to enrich themselves. It is not a common scheme because it requires access to exclusive information owned by a limited circle of people.

Such information was used by former OpenSea platform product manager Nathaniel Chastain. He knew which NFTs would be placed on the main page of the marketplace, and bought tokens in advance from the collections that would become the focus of customers' attention. The former employee managed to resell 45 NFTs in this scheme. He faces up to 20 years in prison.

What to pay attention to when choosing an NFT-project

The best way to avoid falling for the tricks of fraudsters is to study the project carefully before investing in it. Study the project team, because the reputation of the collection depends on it. As a rule, artists and collection creators do not hide their identities: it is easy to check them on social media, and the team members communicate openly with the community. If the team is anonymous and does not interact with users, this often indicates that the project may turn out to be a scam in the future.

It is worth paying attention to the quality of project development, from the project website to the design of the social networks and the collection itself. If all the details are done professionally, it increases the credibility of the team.

One important component is the project roadmap. It details goals and strategies for long-term value. If the roadmap looks too unrealistic, it can be a sign of a questionable project. Promising roadmaps are often used in Rug Pull schemes to get the community's attention. To reduce the risk of losing money, preference should be given to roadmaps with realistic goals that are detailed and planned out.

If the project is successful, it is worth looking at the liquidity ratio. Liquidity is the ability of assets to be sold quickly at a near-market price. If the NFT project has low liquidity, it may be difficult to convert the token into another asset. The main indicator of liquidity is trading volume. High volume indicates that the collection is traded by many interested users, so you can sell the NFT on the secondary market without any problems.

Security recommendations

To secure your tokens, you should carefully check the domain of the site to which the wallet is connected. Often phishing sites request a transaction signature that transfers funds to attackers. You need to pay attention to what site the request to sign the transaction in the wallet comes from. If there are doubts about the reliability of the site and it looks suspicious, you should refuse and not approve the transfer.
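The domain check described above can be partly automated. The following is an added example, not part of the original article: it classifies the origin of a signature request against a personal allowlist and flags lookalike hosts. The allowlist contents, the function names (classifyOrigin, editDistance) and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: triage the origin of a wallet signature request.
// ALLOWLIST is an assumption for illustration; build yours from bookmarks.
const ALLOWLIST = ["uniswap.org", "opensea.io"];

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + cost);
      prev = tmp;
    }
  }
  return row[b.length];
}

function classifyOrigin(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return "invalid"; }
  if (url.protocol !== "https:") return "suspicious: not https";
  const host = url.hostname.replace(/\.$/, ""); // already lowercased by URL
  // Trusted only if it is an allowlisted domain or a true subdomain of one.
  if (ALLOWLIST.some((d) => host === d || host.endsWith("." + d))) return "trusted";
  const labels = host.split(".");
  // URL converts non-ASCII hostnames to punycode; an xn-- label on a site
  // asking for a signature is a common homoglyph lookalike.
  if (labels.some((l) => l.startsWith("xn--"))) return "suspicious: punycode";
  // Simplification: treats the last two labels as the registrable domain.
  const registrable = labels.slice(-2).join(".");
  for (const good of ALLOWLIST) {
    const brand = good.split(".")[0];
    // Brand name embedded anywhere (uniswap.org.evil.example, uniswap-claim.io)
    // or a near-miss spelling of the real domain.
    if (host.includes(brand) || editDistance(registrable, good) <= 2)
      return `suspicious: imitates ${good}`;
  }
  return "unknown";
}

// Constructed sample URLs, not taken from the article.
const samples = ["https://app.uniswap.org/swap",
  "https://uniswap.org.claim-rewards.example/", "https://unlswap.org/",
  "https://un\u0456swap.org/", "https://example.com/"];
for (const s of samples) console.log(classifyOrigin(s).padEnd(34), s);
```

A result of "unknown" only means the host resembles nothing on the allowlist; it is not a verdict that the site is safe to sign for.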

Phishing sites can lure wallet access out of victims under any pretext. It's worth remembering that no legitimate site will ever ask you for a seed phrase to restore your wallet, and it should not be shared under any circumstances. With the seed phrase and special software, a hacker can work out the password to the wallet, which will also lead to it being emptied.

Before buying an NFT, it is worth making sure that the announcement and the links to the marketplaces are posted on the real accounts of the creators. If you see a tempting giveaway of free tokens or an offer of discounted NFT minting in one of the accounts, it does not hurt to check the project's other social networks. One of the sources may have been hacked, and the developers of the project may have already written about it.

The NFT sphere is developing every day and there are more and more new projects, so it is important to be wary of common types of scams and understand how they work. NFTs always involve a certain risk, but the ability to recognize a potential threat will help reduce the likelihood of becoming a victim of fraud and protect your assets.

Major marketplaces are already implementing solutions to protect against plagiarism, intellectual property infringement and fraud. At the same time, the responsibility for the safety of funds always lies with the owner in the first place.
