The NFT space is still young, and hackers and fraudsters have exploited its weaknesses to scam newcomers out of their wallets. Since NFTs became expensive assets, the sphere has had its fair share of scams. The most common type of attack is wallet draining: if you don’t take the necessary precautions to secure your wallet, an attacker can reach in and take whatever prized NFTs you have. Luckily, you’ve come to the right place. Here’s an extensive guide on how to secure your wallet from getting drained!
What Does Wallet Draining Mean?
Wallet draining is simply the act of emptying your wallet of its crypto, NFTs, and every other digital asset you own. It is done by transferring your assets from your wallet to the scammer’s wallet. How is that possible? A scammer can’t simply hack into a properly secured private key and steal your valuable NFTs; instead, you give the scammer your consent to do so.
Wait. Why would you give someone consent to empty your crypto wallet? Well, you might do it without being aware of it. This happens when scammers send you malicious links or impersonate a legitimate website and get you to sign something that exposes your wallet. Let’s just say that phishing scams are the most common type of scam in the NFT space.
The word phishing refers to a common scam technique for harvesting users’ data. Scammers send out emails, texts, notifications, or even set up a whole website in order to trick users into believing that the source is legitimate or official.
For example, a text from your bank may say that you need to log in to your credit card account to check ‘unusual activity’, or that you have spent an amount of money that you don’t recall. By clicking the link in the message and logging in, you would hand the scammer all your login information and give them access to your credit card’s funds.
In the crypto world, phishing scams are very common because they are the easiest way to steal digital assets from a crypto wallet. Scammers may impersonate MetaMask and send you alert messages with links that prompt you to click on them. Once you enter your wallet information on the fake page, the scammers have everything they need to drain your wallet.
With NFTs, it’s even easier to scam people since there are many types of fake links that could be sent out. For example, scammers can send out links to fake NFT minting pages, fake allowlists, or fake airdrops. This is why it’s important to keep an eye out for phishing attacks since their goal is to convince you that a fake link is the real deal.
How Does it Work?
So before we get into how to secure your wallet from these scams, let’s see how scammers technically drain it. Here is the process of wallet draining through phishing.
The first, obvious technique is a fake website or link that prompts you to enter your wallet’s private keys. In this case, the scammer can get straight into your wallet and steal your assets. The second technique requires the scammer to put in extra effort: a bait-and-switch contract.
Let’s understand something about smart contracts: a contract can contain code that, once you sign a transaction calling it, transfers all your assets to another wallet. This is why it’s crucial to know how to read a smart contract before signing it, the same way you would have a lawyer read a real-life contract for you.
The Contract Scheme
NFTs are typically transferred from wallet to wallet by their owners. However, there are other ways in which someone else can transfer NFTs out of your wallet. setApprovalForAll is a function in NFT smart contracts that allows another party (an operator) to transfer your digital assets to other wallets.
This function is often used to give marketplaces such as OpenSea the creator’s consent to transfer NFTs to buyers. When a user buys an NFT on OpenSea, the platform transfers the NFT from the creator’s wallet to the buyer’s, and then transfers the money from the buyer’s wallet to the creator’s. This is normal for a well-trusted platform such as OpenSea. However, it can be very dangerous when it comes to dodgy sites.
Let’s see how this process can be carried out in an NFT phishing scam.
#1. Scammer Creates a Contract
First, the scammer sets up a contract built around the setApprovalForAll function, which grants them approval to transfer the digital assets out of a wallet.
#2. Scammer Phishes Victim
The phishing scam can take several forms, such as emails, DMs on Discord, fake websites, free mints and allowlists, and so on. However, you’ll always be asked to either hand the scammer your private keys or sign a contract. So it’s always you giving consent; in this case, you sign a bait-and-switch contract.
#3. Attacker Steals Assets
After transferring all the digital assets in your wallet to another one, the scammer still has to convert the assets to fiat. Since NFTs cannot be cashed out the way cryptocurrency can (because NFTs are non-fungible), the scammer needs to sell the stolen NFTs on a marketplace.
Types of Wallet-Draining Scams
Let’s see what types of wallet-draining and phishing scams there are in order to guide you on how to secure your wallet and avoid being robbed.
The most common type of phishing scam is a fake website or account posing as a legitimate source. It’s very easy to overlook these fake websites, since they tend to look identical to the official website with only a slight change in the URL, which can be as subtle as a single letter. The website can then prompt you to log in and hand over your wallet’s information.
Fake links can also be sent out by accounts impersonating people in the community, such as the creator of an NFT collection. This is why it’s always best to double-check the legitimacy of these accounts by looking for suspicious activity.
Giveaways, airdrops, and NFT mints play a huge part in the NFT ecosystem, and scammers typically target victims through them, taking advantage especially of people who are new to the NFT scene.
For instance, fake giveaways are a popular phishing scam on Discord. Scammers would typically impersonate an NFT account. These fake giveaways usually require users to provide their private keys or send crypto in order to enter. The same thing goes for airdrops. If someone comes out of the blue and offers you free stuff, it’s probably a scam.
Free mints are a good example of how setApprovalForAll is abused in contracts. Scammers may go as far as actually creating an NFT collection and letting you mint it. When the mint transaction you sign also calls setApprovalForAll, you’re basically giving the scammer consent to drain your wallet.
Customer Support Scams
Another way scammers get access to your wallet is by impersonating customer support for a marketplace. In this case, the scammer contacts you through social media, pretending to be customer support, and tells you that your account has been compromised and that you therefore need to send your funds to another website or account. To keep your wallet secure, only contact or respond to customer support through the official marketplace.
How to Secure Your Wallet
So, after having a better understanding of how wallet-draining and phishing scams work, you might have formed a good idea of how to secure your wallet against such attacks. However, here’s a list of steps you can take to better protect your assets.
Check Smart Contract
Before buying any NFT, do your research. Check the legitimacy of the marketplace you purchase from. Also check the NFT’s transaction history and whether there are any complaints about it. And check the smart contract, looking for any setApprovalForAll function. Never sign a smart contract you don’t completely trust.
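As an added example (not code from the original article), here is a small Python decoder for the calldata a wallet shows you before signing; it flags the setApprovalForAll scheme from the contract scheme section above so the check described here can be done on the raw transaction data rather than by eye. The selectors are the standard ERC-721 ones; the operator address used in the sample is constructed.

```python
# Added example, not from the original article: decode the calldata a wallet
# asks you to sign and report what it actually does. A selector is the first
# 4 bytes of keccak256(signature); these are the standard ERC-721 selectors.
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
}

def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI-encoded argument after the selector."""
    word = data[4 + 32 * index:36 + 32 * index]
    if len(word) != 32:
        raise ValueError("calldata too short for argument %d" % index)
    return word

def _address(word: bytes) -> str:
    """An ABI address sits in the low 20 bytes of its 32-byte word."""
    return "0x" + word[12:].hex()

def inspect_calldata(calldata_hex: str) -> dict:
    """Classify calldata before signing: risk 'high' when it hands an operator
    blanket transfer rights, 'medium' for a single-token approval or transfer,
    'low' otherwise (an unknown function still means: read the contract)."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if len(data) < 4:
        return {"function": None, "risk": "low", "reason": "no function call"}
    name = SELECTORS.get(data[:4].hex())
    result = {"function": name, "risk": "low",
              "reason": "unrecognised function; read the contract before signing"}
    if name == "setApprovalForAll(address,bool)":
        operator = _address(_word(data, 0))
        approved = int.from_bytes(_word(data, 1), "big") != 0
        result["operator"] = operator
        result["risk"] = "high" if approved else "low"
        result["reason"] = ("lets %s move every token you hold in this collection"
                            if approved else "revokes operator %s") % operator
    elif name == "approve(address,uint256)":
        result["risk"] = "medium"
        result["operator"] = _address(_word(data, 0))
        result["token_id"] = int.from_bytes(_word(data, 1), "big")
        result["reason"] = "lets the operator move token %d only" % result["token_id"]
    elif name is not None:
        result["risk"] = "medium"
        result["reason"] = "moves one specific token between wallets"
    return result
```

A "free mint" whose calldata decodes to a high-risk setApprovalForAll is exactly the bait-and-switch described above; a mint should not need any approval from you at all.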
Check the Legitimacy of Websites
Double-check that the website you are visiting is the real, official website of the NFT collection you’re looking for. Avoid clicking on any links that seem dodgy or came out of nowhere. Also, avoid misspelling a site’s URL. This silly mistake can take you to fake sites that eerily resemble the official one. You can also check the blue tick verification badge on the NFT marketplace to identify which collection is real and which is fake.
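As an added example (not from the original article), this Python check flags hosts that are a near miss of a verified domain, the one-letter-off and look-alike-character URLs described above and in the fake-website section. The allow-list and the homoglyph table are constructed placeholders for the domains you have verified yourself.

```python
# Added example, not from the original article: flag URLs whose host is a
# near-miss of a verified domain, the "one letter off" lookalike described above.
from urllib.parse import urlsplit

# Constructed allow-list standing in for the domains you have verified yourself.
OFFICIAL_HOSTS = ("example-market.test", "example-collection.test")

# Small illustrative table of characters used to imitate Latin letters:
# digits and Cyrillic look-alikes (the Cyrillic keys are not ASCII).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "а": "a", "е": "e",
                            "о": "o", "р": "p", "с": "c", "і": "i"})

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url: str) -> str:
    """Return 'official', 'lookalike' or 'unknown' for the host in url."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    for official in OFFICIAL_HOSTS:
        # The verified host itself, or a genuine subdomain of it, is fine.
        if host == official or host.endswith("." + official):
            return "official"
    folded = host.translate(HOMOGLYPHS)
    for official in OFFICIAL_HOSTS:
        # Verified name embedded in someone else's domain: official.test.evil.test
        if official in host:
            return "lookalike"
        # Identical once look-alike characters are folded back to Latin letters.
        if folded == official or folded.endswith("." + official):
            return "lookalike"
        # Within two character edits: the one-letter typosquat.
        if edit_distance(host, official) <= 2:
            return "lookalike"
    return "unknown"
```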
Avoid Too-Good-to-Be-True Offers
If someone approaches you on Discord with a free mint, a spot on an allowlist, or the promise of a free airdrop, it’s most definitely a scam. Life isn’t as easy as clicking a button and having instant cash spawn in your wallet. The best thing to do is to turn off Discord DMs so you don’t click on scammy links by mistake.
Use Burner Wallets
Burner wallets are non-permanent wallets in which you keep only a small amount of crypto to conduct transactions. Using a burner wallet means that all your valuable digital assets are stored in a different wallet. Thus, if you are scammed, you’ll only have to deal with minimal losses.