Holders of NFTs have become prime targets for every kind of scam. And when the token purchased is genuinely backed by a real project, phishing attacks take over, aiming to strip these designated victims of the rights they acquired to their precious digital images. It is a reality that has hit the Bored Ape Yacht Club community repeatedly in recent months, with losses running into millions of dollars. But BAYC holders are not the only ones being fleeced. And, as the security firm CertiK points out, there are a few rules of crypto hygiene to follow.
The findings are as worrying as they are overwhelming. Over 90% of NFT holders have already been the victim of a proven scam, sometimes with colossal losses depending on the collection concerned. Recent months have seen aggressive phishing campaigns targeting Bored Ape Yacht Club holders. The latest took place a few days ago, after a community manager’s Discord account was hacked, with damage estimated at 142 ETH (over $255,000 at the time of the events).
Obviously there is little, if any, recourse. And all collections are targeted, even if the most popular ones are preferred, using very well constructed procedures that are nevertheless mostly recognizable to anyone who is not in a hurry. These are points partly highlighted by the security firm CertiK in a recent publication on the subject.
NFT – Digital Hygiene vs Phishing
It is all called digital hygiene. And it is always easier to preach than to practise, especially when the link you have just found says that only a hundred copies are available and must be grabbed as soon as possible, and that, with the best of luck, your address has been selected to take part. The end result is that the victim hands over their own NFTs to the hacker while also paying the network fees to send them. A classic phishing procedure, but one that nevertheless does a lot of damage. Hence the need to go over it again.
And even if this kind of attack is not limited to the NFT sector, the latter seems to have become a particularly favoured playground. Perhaps partly because NFT adoption reaches well beyond the crypto realm, which is itself (a bit) more resilient to this kind of trouble. Or because their structural indivisibility (non-fungibility) makes such operations easier and more profitable. Be that as it may, holders should be wary of links sent to them or posted on social networks, lying in wait for the next victim. Because traps are everywhere…
NFT – How do you recognize a phishing site?
That is why CertiK has just published a report on the attacks against the BAYC community, marking out the points to consider in order to identify a copy of the project’s official site made to deceive victims. Among other things, the classic links to social network accounts were missing. Differences presented as “subtle”, but which, once spotted, should trigger every alarm… and a swift exit!
“The phishing link posted on BAYC’s Discord redirected to a copy of the project’s official website, but with subtle differences. First, there were no links to social media accounts. A tab titled ‘claim free land’ was also added which was specifically aimed at holders of popular NFT projects.”
The same goes for being fooled by a post on Twitter whose display name looks official but whose “@” handle is anything but reassuring, even when it sports the precious verification badge that makes one wonder how Twitter hands them out. And in which your own account has been singled out in an improbable list copy-pasted into the comments. Hence this fairly simple rule: whatever comes to you is suspect and must be checked, by going to the official account of the project supposed to be running this “giveaway” campaign. And on the principle that the slightest doubt must be cleared up, even at the risk of missing an “opportunity” that is wholly unlikely. Because everything about it is improbable!
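The rule above (a link is suspect until it has been checked against the project’s official channels) can be turned into a small allowlist checker. The script below is an added example, not code from CertiK or from the article; the official hostnames, the lure words and the sample links are all constructed for illustration. It flags the two patterns described in the report, a cloned site sitting on a lookalike domain and a “claim free …” lure, plus the classic typosquat and punycode tricks, and treats anything else off the allowlist as unverified rather than safe.

```python
"""Allowlist-based link checker for NFT-project links (added example, not the article's code)."""
from urllib.parse import urlparse

# Constructed allowlist of a project's official hostnames (hypothetical names).
OFFICIAL_HOSTS = {"officialproject.example", "www.officialproject.example"}

# Words typical of the lures the report describes ("claim free land" tab, giveaways).
LURE_WORDS = ("claim", "free", "airdrop", "mint", "giveaway")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (good enough for this demo)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify_link(url: str, official_hosts=OFFICIAL_HOSTS):
    """Return (verdict, reason) for a link a holder has been sent.

    Verdicts: "official" (on the allowlist), "lookalike" (imitates the project),
    "suspicious" (unknown host carrying lure words), "unknown" (verify manually).
    """
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown", "no hostname in link"
    if host in official_hosts:
        return "official", "hostname is on the allowlist"

    official_regs = {registrable_domain(h) for h in official_hosts}
    brand_labels = {r.split(".")[0] for r in official_regs}
    reg = registrable_domain(host)
    labels = host.split(".")

    # Internationalised hostnames can hide homoglyphs; treat as lookalike outright.
    if any(label.startswith("xn--") for label in labels):
        return "lookalike", "internationalised (punycode) hostname"
    # Brand name used as a subdomain of someone else's domain, e.g. brand.example.evil.xyz
    if any(label in brand_labels for label in labels) and reg not in official_regs:
        return "lookalike", f"official name used as a subdomain of {reg}"
    # Typosquat: registrable domain within two edits of the real one.
    for official in official_regs:
        if 0 < _edit_distance(reg, official) <= 2:
            return "lookalike", f"{reg} is within two edits of {official}"

    path = (parsed.path + "?" + parsed.query).lower()
    lures = [w for w in LURE_WORDS if w in path]
    if lures:
        return "suspicious", "unknown host with lure words: " + ", ".join(lures)
    return "unknown", "host not on the allowlist; verify via the project's official channels"


if __name__ == "__main__":
    # Constructed sample links, not real addresses.
    for link in (
        "https://www.officialproject.example/gallery",
        "https://officialproject.example.claim-land.xyz/claim-free-land",
        "https://offlcialproject.example/",
        "https://unrelated.example/claim-free-land",
    ):
        print(link, "->", classify_link(link))
```

The allowlist is the part that matters: it is filled from the project’s official channels once, ahead of time, so that a link arriving in a Discord message or a Twitter reply is judged against what is known rather than against how convincing it looks. A verdict of “unknown” is deliberately not “safe”.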