An onslaught of phishing scams has the cryptocurrency community rattled and questioning the very fundamentals it was built on.
Non-fungible token (NFT) creators and collectors are losing hundreds of thousands of dollars to quick-thumbed thieves who are exploiting decentralized finance's rise in popularity and its fragmented customer support infrastructure.
Although phishing scams within the decentralized finance (DeFi) realm are not new, what's accelerating recent fraudulent activity is crypto's new audience. This year, as NFTs have become more valuable (and trendy), many people have promptly hopped on the bandwagon, without any real DeFi education, in hopes of a lucrative payday. But it's not just newbies getting taken advantage of; it's crypto veterans, too, leading many to wonder whether one of crypto's key values, anonymity, deserves a second glance.
“Cryptocurrency is really just digital cash,” said Cesare Fracassi, professor of finance at the University of Texas at Austin. “When somebody takes your cash, and you don’t know who they are, there is really no recourse for that action.”
A barrier to entry
Here's a quick breakdown for the unfamiliar: As mentioned, NFT stands for "non-fungible token." "Non-fungible" means each token is unique and cannot be swapped one-for-one for another, the way one dollar or one unit of ether can. NFTs are bought and sold using cryptocurrency (mostly ether, on the Ethereum blockchain) on popular marketplaces like OpenSea, Rarible, and Foundation. Every cryptocurrency transaction is recorded on the blockchain, a public ledger anyone can inspect. Users control their cryptocurrency through digital wallets, like MetaMask, which store the user's "private key": a secret that signs transactions and so lets you spend whatever that key controls. The key is not a password that can be reset; anyone who obtains it (or the seed phrase it is derived from) can spend the funds just as you can.
Cryptocurrency is unregulated and decentralized, meaning there is no intermediary (like a bank) in charge of a person's assets, nor is there a regulating authority (like the federal Securities and Exchange Commission) making rules for how users and companies interact using the blockchain. And even though many NFT marketplaces offer ways for customers to receive support when they encounter a problem, most of the customer support NFT collectors and creators receive happens on servers hosted by Discord, a chat platform.
NFT $90k Scam alert:
This is very hard for me to tell everyone but I know it’s also important for people to hear.
3 weeks ago I was scammed out of $90,000 in my Blockchain wallet during a supposed NFT deal. I will share a more detailed account of what happened soon
— jacob (@jacobriglin) July 10, 2021
If the process of buying an NFT, and receiving customer support if something were to go awry, seems disjointed and multilayered, it’s because it kind of is. Some of the biggest barriers, and blind spots, for crypto newcomers are the technical, cultural, and educational aspects of the space.
“Engaging with cryptocurrency as a user is a massive mental shift for people who are accustomed to very streamlined experiences where they relinquish control to a central authority,” said Emin Gün Sirer, associate professor of computer science at Cornell University. “That does open a window for bad actors to target new adopters, but the vast majority of crypto users know the next phase of growth for our space is welcoming the masses.”
However, crypto purists (also known as “crypto evangelists”) prefer cryptocurrency to remain this way — anonymous, transparent, and solely within the user’s hands. But so do scammers.
‘The most paralyzing, traumatizing feeling ever’
For Sohrob Farudi, the scammers cornered him quickly. And then he lost nearly everything, all at once.
After making a trade on NFT Trader for a coveted Bored Ape Kennel Club dog, Farudi noticed that the sell button for the item on OpenSea (a popular NFT platform) was deactivated — meaning he couldn’t sell, list, or trade his most recent acquisition.
Curious about what he should do next, Farudi went to the Bored Ape Yacht Club Discord server’s support channel to ask for help. Within seconds, he received a handful of DMs, including one from what looked like the server’s moderator asking him to connect to a separate support server, outside of the main channel. Wanting this issue to be resolved in a timely manner, Farudi followed along, unknowingly, into a scammer’s trap.
Farudi started sharing his screen with the pseudo support staffer, whose Discord nickname and profile image matched those of the actual server's moderators. On Discord, only the combination of username and four-digit tag must be unique; the displayed nickname (which is what shows up in chats and servers) can be anything, and a profile image can be copied, creating a playground for imitators. The only reliable identity check is the full username and tag in the user's profile, not the name shown in the chat.
I was scammed / socially manipulated / hacked on @Discord and @OpenSea and lost three @BoredApeYC, four @0n1Force, and three @worldofwomennft totaling roughly 250 eth in value by getting tricked into exposing the Metamask QR Code in the Chrome Browser Extension. I've never felt pic.twitter.com/aiaENpwLVP
— Sohrob Farudi 🍌 (@sohrobf) August 25, 2021
“These guys are freaking pros,” Farudi said. “They keep you engaged, they keep you distracted, they’re chatting you up, they make you feel really comfortable.”
After walking him through the phony support process, the scammer asked Farudi to resync his mobile MetaMask wallet to his desktop wallet. The QR code MetaMask displayed for that sync encoded the wallet's secret recovery data, so anyone who captured an image of it could import the entire wallet onto their own device. When the QR code popped up on screen for him to scan on his phone, Farudi realized he was still sharing his screen. At that moment, he knew he had just been scammed.
“It was the most paralyzing, traumatizing feeling ever,” Farudi said. “Right when I did it, I realized it was also on their screen, and then I started refreshing my wallet, and I saw an ape gone, and another ape gone, and then I was like, ‘Oh my god.’”
Farudi lost roughly 250 ETH to the scammers — nearly $800,000 in digital goods and “priceless” art from World of Women, 0n1 Force, and Bored Ape Yacht Club.
Farudi has been involved in the crypto realm since 2018, so right after he noticed what was happening, he got on the phone with friends and reached out to OpenSea’s head of product, who locked down the stolen items. (OpenSea’s head of product Nate Chastain was recently accused of flipping NFTs expected to increase in value using insider information, according to reporting by The Verge).
What happened to Farudi has been happening to crypto newbies and veterans alike at an alarming pace, so much so that OpenSea recently implemented “an account verification system” within its Discord channels and an “SOS” button for when an account’s been compromised, while MetaMask disabled its QR code syncing feature.
Note that 97.5% of this money is going to collectors and creators.
We’ve implemented an account verification system in our Discord, we’ve also shared these stories with MetaMask – they removed the QR code syncing feature today@discord is also working on this with us
— Alex Atallah (alexatallah.eth) (@xanderatallah) August 25, 2021
We've spoken with the MetaMask team and they will be temporarily disabling the mobile QR code sync feature to defend against the phishing attacks that have become more prevalent in recent weeks.
— Nate Chastain (natec.eth) (@natechastain) August 25, 2021
Better products or better DeFi education?
People rely on banks to make them whole if they ever become victims of a scam. Makes sense, right? This idea of financial security is baked into our culture. Yet, in cryptocurrency, there is no bank. There is no centralized figure to take your overdrafted account out of the red.
“NFTs and cryptocurrencies require some level of technical education and understanding, and not everybody has that,” said Fracassi, the UT Austin professor. “There are two ways to solve this: Make sure we educate people, and the alternative is to make products that are resistant to these kinds of hacks.”
One way to do this, Fracassi said, is for more marketplaces, exchanges and wallets to introduce a "multi-signature feature." For example, say you are interested in buying something on the Ethereum blockchain: not only would your own signature be required to do so, but so would that of a partner or the other custodian of your wallet. A thief who obtains one key then cannot move anything on their own.
Donnie Dinch, founder and CEO of Bitski, an NFT marketplace, agrees. “All wallets need to do two things: They need to protect the wallet owner from bad actors, which I think a lot of them do fairly well, and then most importantly, they need to protect wallet owners from themselves,” he said. But “wallet education” is still sorely lacking for NFT collectors, new and old.
“Wallets just don’t do a really good job of protecting users from themselves, and it’s not like an oversight, it’s sort of a philosophical way that these wallets are created,” Dinch said. “The reality is self-custody comes with quite a bit of responsibility, and so if you’re not willing to put in time as a user to understand that responsibility, there can be a lot of risk.”
“People don’t understand the ramifications, because up until the crypto wallet, everything on the internet was generally reversible via a support request,” he continued.
No easy answers
The answer on how to address the onslaught of scams varies depending on who you ask. Is it a customer support issue? A lack of education? Or does the answer truly lie in regulation? Getting rid of scams outright is impossible (we know that thanks to the current financial system), but how can a burgeoning industry like cryptocurrency rein in fraud while also getting people excited about DeFi’s possibilities?
Dinch believes providing support on third-party platforms like Discord is a “calculated risk” for NFT marketplaces like OpenSea, as well as for crypto exchanges.
“When you’re a project early on, having a Discord community is super helpful to get feedback on things that you’re doing — you have this sort of ongoing dialogue with your customer base that you’ve been able to sort of aggregate,” he said. “But then there comes sort of an inflection point where your community is getting so large that the idea of managing all of the small questions and feedback on Discord can be overwhelming, and that’s the point where you just need to make sure that all support requests move through a very specific channel.”
Fracassi, however, believes in order for cryptocurrency to be more broadly accepted, there has to be a more “regulated environment.”
“At some point, we need to rein the cryptocurrency into the regular financial system,” Fracassi said. “I think the institutions that are more connected with big corporations will benefit from regulation, but it’s going to make it a lot harder for startups to create innovative products.”
Reflecting back on his experience, Farudi sees where he went wrong in his interaction with the scammers. But he also sees where things can be made right.
“Because NFTs are attracting more and more people into the ecosystem, there needs to be a level from the crypto community of acceptance, that everything doesn’t have to be so anonymous, it doesn’t have to be so decentralized,” Farudi said. “The new people coming in are at such a disadvantage and the education gap is still so wide.
“The people coming in don’t care about decentralization, they care about safety and trust.”