The crypto ecosystem has rapidly expanded in recent years, with NFTs (“non-fungible tokens”) emerging from a niche technology to a booming market for digital collectables, empowering and democratizing the creator economy. From Bored Apes to NBA Top Shot, NTFs demonstrate not only a compelling mainstream use-case for blockchain technology, but also represent a new era for creators in the digital space, sweeping across art, music, and sports.
But with the rise of NFTs — and the potentially lucrative opportunities for digital collectables — comes the risk of fraud, scams, and theft.
The best way to protect yourself from these kinds of scams is to learn to spot them — and then stay far, far away. Which is why we created this guide.
So what are some of the common threats? In this report, we’ll go over:
Exit scams, or “rug pulls”
Phishing is one of the most common scams. This occurs when attackers send malicious links on various applications and platforms, including Discord, Telegram, Whatsapp, Facebook, and Instagram. The link often brings the victim to a fake NFT minting page, which contains a smart contract that can allow the scammer to drain the victim’s wallet, if signed. This type of scam has many variations, including instances where an official Discord of an NFT project becomes compromised, allowing exploiters to use the official channel to broadcast their malicious “honey pot” link.
Discord scams arise when hackers gain admin-level access to a server (as described above), or by DM-ing members of the Discord community. In other cases, fraudsters will purchase authentic looking domain names, including ENS addresses, and run Google search paid advertising campaigns against it to drive traffic to a fake URL containing a malicious smart contract. In all cases, the goal of a phishing attack is to convince the unsuspecting victim that a fake malicious link is a real one.
How to avoid: Never click on suspicious links, attachments, or pop-ups. Always verify URL domain names, email addresses and social media handles to ensure authenticity. Be vigilant about fake ads and fraudulent email addresses purporting to be customer support. Do not share your seed phrase, credentials or private keys with anyone. Use strong passwords and enable two-factor verification.
Fraudsters have been known to create plagiarized, or fake, websites resembling popular NFT marketplaces or minting sites, purporting to be the official home of a legitimate project, hoping to confuse users into buying them. In some instances, these fake NFT pages misrepresent the relationship the fraudulent page’s creator has with the legitimate NFT page. OpenSea recently said that more than 80% of items created using their shared storefront contract were plagiarized works, fake collections, or spam.
How to avoid: Always confirm verified accounts, identities and website URLs of NFT marketplaces. Look for verification checkmarks on sellers’ social media and Discord accounts. If you’re still in doubt, reach out to the artist or seller on social media to confirm the authenticity of a potential transaction. Don’t rush into purchasing an NFT until you’ve confirmed it is genuine.
Exits scams (also known as “rug pulls”)
Rug pulls are notorious in the NFT space. Commonly referred to by the shorter “rug,” these are scams in which a project’s founder (or founders) market a venture’s purported purpose without any intention of seeing the goals to fruition. Ultimately, the fraudsters raise funds, commonly through NFT mints, and take off with the money (aka “rug pull”), without any attempt to develop the project.
Big Daddy Ape Club is a recent example. The developers raised more than 9,000 SOL before abandoning the project. The pseudonymous nature of blockchain developers, in conjunction with irreversible transactions, create strong incentives for scammers to try to get away with theft. Exit scams can also be subtle — instead of immediately abandoning the project, the developers will “move the goalpost” around the expectations of what will be done with the money raised.
There are generally three phases to these scams:
In the first phase, the developers will raise money through an NFT mint, promising to accomplish a variety of objectives without any intention to do so.
In the second phase, the developers often change timelines and core project initiatives, doing anything that would push out milestones and extend the project’s timeline further and further out.
In phase three, once initial interest in the project subsides, funds raised in phase one are moved into personal wallets, often using mixers to tumble and obfuscate stolen funds.
How to avoid: Research the background of the teams behind NFT projects on social media platforms like Linkedin and Twitter. Even anonymous artists and developers can be well known and trusted by the crypto community, but it is still important to closely review social-media follower counts and engagement. Examine a project’s road-map and consider whether it is realistic. If possible, leverage the wisdom of the crowd by seeing what veterans of the NFT community think of the project, and whether it has received any verifiable noteworthy endorsements from individuals or organizations.
A dust attack occurs when a victim mints a legitimate NFT, but then finds a random, new NFT in their wallet. If the victim interacts with this unknown NFT, including listing it for sale, they may be signing a smart contract that results in their wallets being drained. Unfortunately, this scam does not only happen to popular NFT project minters. Bad actors also send malicious NFTs to random wallets in the hope of catching new users unaware.
How to avoid:
Monitor your wallet as much as possible. If you do find an unknown NFT in your wallet, do not interact with it in any way.