Welcome back to the second part of our Web3 introduction series. After we went over the basic definitions and concepts of blockchains, crypto, and Web3 in part 1, we now want to teach you important skills to not get ‘rekt’ (destroyed) in this space. Hence this scams and dangers guide.
If you are totally new to the world of blockchains, decentralization, and crypto please head over to our Web3 beginner’s guide first. The beginner guide will teach you the general basics and terminology that are needed to understand what this second part will be all about.
Disclaimer: This article is not about finances, but about security measures, you should take when interacting with this technology.
#1 The easiest way to get rekt in crypto: wreck yourself!
New technologies always bring new hurdles and stumbling blocks, especially for beginners. This is definitely true for the Web3 and crypto space, as a lot is still rather new and uncharted. Good guides and safety measures are still rare to come by. This is why we gathered our personal knowledge of the most common traps and scams that you will come across eventually when interacting with crypto and web3 applications.
1.1 Losing access
For every blockchain like Ethereum or Binance Smart Chain, different wallets exist that allow you to store your tokens and execute your transactions. In most cases, you don’t have to give any information about yourself to create such a wallet. By default it is simply is an anonymous address that allows you to send and receive tokens or sign messages.
The wallet is to Web3 what the Web Browser was to Web1. If you are unfamiliar with how wallets work, check out our Guide for rookies.
In order to protect yourself, always remember: you are entirely responsible for your wallet.
There is no customer support, no password recovery, or similar.
When you’re creating your wallet, make sure that you have your seed phrase saved on different SECURED locations, best offline.
Once your wallet is set up in a browser, you can access it through password login and don’t have to use your seed phrase again.
On centralized exchanges, there is at least a chance to get control back over your account, as it is registered to your name and ID. This makes centralized exchanges often the best place for beginners to get some routine handling crypto assets and transactions.
1.2. Giving away your seed phrase
NEVER SHARE YOUR SEED PHRASE OR PRIVATE KEY WITH ANYONE.
The only reason you will ever enter your seed phrase is to RECOVER your account if you lost access to it. And you only do this on the wallet software itself. On the MetaMask website, or their browser extension for example. Never show anybody your seed phrase and never enter it on any third-party website or tool. Somebody is asking you for your seed phrase? He/she is a scammer 101% of the time.
The same is true for your “private key”. Most wallets allow you to export a private key with which you can re-import an account on a different device. NEVER share this key with anyone.
Everybody that has access to your seed phrase or private key can empty your account. It’s not only like giving them the pin to your credit card – more like giving your ID & phone number so they can empty the entire god damn bank account 🤯
1.3. Sending a transaction to the wrong address
This is a classic in every finance industry: “Oops, I used a 6 instead of an 8”. This error is most of the time not that serious in traditional banking, as you can undo transactions and talk to your bank. But if this happens to a blockchain transaction… yes you guessed right, you wrecked yourself again.
On-chain transactions cannot be undone, changed, or manipulated. Once you accept the processing of your transaction, it is irreversible. The only way to get it back? The receiver has to pay close attention and be nice enough to send it back to you – so your chances are rather small.
The same can also be said for the amounts that you’re sending. Always review twice if the amount you’ve entered is correct.
You don’t want to fat-finger 🤞
1.4. Using the wrong protocol or network for a transaction
For the sake of keeping things simple, we will combine a bunch of mistakes together.
Just keep in mind, that different blockchains cannot simply interact with each other. Even if they are based on the same platform like the Binance Chain and Binance Smart Chain.
The same can be true for different networks or sidechains that supplement a blockchain. They might be based on the main blockchain but often require you to convert (bridge) your transaction.
Always make sure that you are sending your tokens to a wallet that also accepts this kind of token. Or otherwise, they will be lost.
When in doubt ASK ASK ASK. Nobody will be mad at you for being paranoid and double-checking.
Special Note: This is also true for centralized exchanges! Some exchange platforms might not accept tokens that were sent through smart contracts from other exchange platforms. For example, if you send your money from Binance-exchange straight to the Bitpanda-exchange, your money might be gone or get locked.
#2 Other ways to get rekt in crypto: scammers!
Unfortunately, as the crypto space is growing and more people join in, scammers and fraudsters come up with new ways to steal your assets. We will try to give you an overview of the most common tricks and methods. But be aware that this list will never be complete and might be outdated tomorrow!
2.1. Malicious airdrops
This technique is still pretty young and many people are not aware of it yet. One downside of your wallets being visible and addressable is, that literally everybody can send you tokens or NFTs to your wallet. Generally, this is not a big problem, because you can simply choose to ignore these tokens…
…However, there are ways for scammers to send you tokens, that will allow them to execute transactions with your account once you interact with their tokens. You could compare it to a trojan that lets hackers access your computer once you open that malicious file and interact with it.
(To check which tokens currently are on your address you can use explorer websites like Etherscan)
Bad news: You cannot do a single thing to block the incoming transactions from scam-tokens or scam-NFTs.
Good news: As long as you don’t directly interact with them, they can’t do anything to your account.
Similar to the trojan being in your e-mail. You can’t stop them from sending it, but you are not forced to interact with the trojan.
Whenever you are searching Twitter for information be aware that many scams buy fake accounts with thousands of followers to look real. Don’t get blinded by superficial vanity metrics.
There is another, similar attack, called a Dusting attack, which hackers can use to track your wallet activity. More information on Dusting attacks here.
2.2. Direct messages on Discord or Twitter
Once you start to become active in the crypto world, you will someday end up being active on Twitter and Discord servers too.
And let us be clear on this lesson: If you are an unknown guy, never respond to Discord or Twitter DMs from people you don’t know. Just don’t. Chances are 99,99% that this person is trying to exploit your benevolence in one way or another. They either want money, send you scam links, or want to gift you scam tokens/NFTs.
blablabla! Don’t even read it. Straight up report as spam and delete.
2.3. Fake Platform emails
Apparently – and not surprisingly – scammers started to send fake emails with offers for your NFTs on various market platforms. As with any other email, always make sure that the emails were sent from the official platforms. If in doubt, don’t click on the link in the email and check the website itself.
Reminder: Noone will ever ask you to give away your seed phrase or give them access to your wallet!
2.4. Cancel listing/price changing
A rather new method that is used especially on the NFT marketplace Opensea is to list an NFT at a very cheap price. Shortly after that, they change the price while another user is in the process of buying said NFT. We saw this happen many times, and generally, it goes down like this:
Scammer: Lists NFT for 2ETH and then lowers the listing price to 0.2ETH
You: Discover the nice price, click on buy now
Scammer: Cancels the low price and the price changes back to 2ETH in the meantime
You: Get redirected to your wallet to sign the transaction and didn’t realize that the amount changed
You: cry a lot (only if you had enough funds in your wallet)
Took personal offense about the person trying to scam people on OS by cancel listing. So i botted his floor listings and sniped them 10x under what he was trying to get people to spend
he walked into the lions den and lost🤝
— bender (@0xBender) October 3, 2021
You could compare this tactic to a scam in the “real world”: You are about to pay your dinner with your credit card at the restaurant. The waiter is billing you 83$ instead of 38$ last second before you pay. If you don’t double-check while entering your pin, you got tricked.
2.5. Buying/minting new projects
Buying/minting new projects truly is a double-edged sword. On the one side, you can make big profits by investing very early in a promising project. On the other side, it is really hard to tell if a project is actually legit or only a cash-grab/scam. A lot of beginners start losing money by investing in new projects because they think that this is the place to be “still early”. If you want to gamble and take risks, this is fine. In any other case, stay away until the project has evolved into a solid foundation with utility. A huge majority of the projects we see today will be gone within the next months or years – so choose wisely.
Also, always keep your eyes peeled for imitators. Every new project has copycats almost immediately. Both with fake websites and fake collections on the market platforms. If you’re browsing OpenSea for example, always look out for the blue checkmark.
One owner, low price, no activity – 100% not an official collection
2.6. Gifting seed phrases
If you ever come across someone else’s seed phrase: don’t use it. Chances are that the accounts are charged with a decent amount of different tokens, and technically you could steal all those tokens for yourself.
BUT! This is a scam every single time. Long story short, these accounts could be charged with tokens, but not with the coins (Ethereum e.g.) that are needed to actually send those tokens to you. So you would have to send a little amount of Ethereum first to this address in order to withdraw the other tokens. Once you send your coins to the wallet they will be redirected instantly by a smart contract from the scammer. Now you lost your coins and didn’t get any tokens ⚰️.
2.7. Fake wallet websites
This topic is actually straightforward: Scammers are paying a lot of money to promote their fake websites on the top results on Google. If you are going to install a Web3 wallet on your device always make sure that it is the official website. The first result in your Google search doesn’t have to be the official page, as ADS by scammers might be shown first to you!
2.8. “Rug Pulls” & empty promises
To be completely honest, this topic could be its own elaborated article. But here is a short summary of this common scam practice.
You could define rug pulls as a malicious scheme in which the project developers abandon the project and run away with your (the investors’) funds. Sometimes they run away, but sometimes they want to slowly bleed the community dry with ongoing secondary sales until the price finally reaches zero.
Rug pulls come in many forms, depending on the project and industry. What most of them have in common though is that you can spot some red flags most of the time.
#3 Crypto & NFT red flags 🚩
To round up this crypto and Web3 danger guide we would like to give you tips on how to some of the more obvious red flags for yourself. Without the necessity of being a crypto expert. Having decent crypto and programming knowledge will come in handy for this. But often it is not even necessary to dig this deep.
1. Social proof/authority
Did you find the project because hundreds or thousands of small Twitter and Discord accounts pop up everywhere and shill (promote) this new project? Or are so-called “influencers” shilling the project even though nothing really happened and there is no utility to be found? BIG RED FLAG! Good projects generally don’t need this kind of dubious marketing, as the news will spread naturally.
2. Copied design & approach
The website, app, or even NFT kind of look similar to hundreds of others you already saw? Again this is a huge warning signal, as it clearly indicates that the devs rushed the design and didn’t properly think it through – or invested an absolute minimum.
3. Missing whitepaper/roadmap
Is there a whitepaper (token, coins) or roadmap (NFTs, community project) with targets and action plans? No? Better stay away from it if you want to invest in safe and solid projects.
-> Not having a whitepaper or roadmap doesn’t automatically mean that the project is going to be abandoned, but it sure is a good indicator.
4. Suspicious code / smart contracts
Check the code and smart contracts for any suspicious attributes or commands. Of course only if you are actually able to read and understand all of this. Assuming you don’t know how to read smart contracts, see if you find content about the code by people who can actually, reliably read it. Or check if the code was audited by an external company. However make sure that it’s an audit by an actual, respected audit firm.
While this is usually not a big deal for regular art or community NFT projects with no special functionalities, it can be an important point for more complex projects.
5. Project is owned by whales
Use blockchain explorers like nansen.ai or DuneAnalytics to see if the majority of the tokens are owned by a small number of whales (big investors). If this is the case, you should pay very close attention. As those whales can dump the price very quickly if they decide to sell all their tokens at the same time. Leaving you behind with a huge loss of money most of the time.
6. No liquidity and locked value
Does the project lock a certain amount of value? How much did the creators invest themselves so far? What is happening with the profit of the project? Can’t find any numbers, or is there no value locked? Better look very closely.