Last month, Jeff Nicholas visited the Discord channel of OpenSea, the popular NFT marketplace, to seek help with a royalty issue. Within minutes, someone named “Pascal | OpenSea” replied and invited him to a separate Discord called “OpenSea Support Server”. There he was called by “Nate | OpenSea”, received a queue number and finally began to talk to the two agents about a resolution process. Pascal is the name of the OpenSea customer support manager, and Nate could have been Nate Chastain, the product manager at the time.
But there was no Nate or Pascal, and Nicholas wasn’t on a customer support channel. He was being attacked by a group of scammers posing as OpenSea employees, and they got to work immediately. They held Nicholas in customer service purgatory and pinged him intermittently to tell him it was his turn. By the standards of online customer service it was typical, even good, given how personal it was: customized messages, an exclusive Discord invite, and multiple team members, all working as fast as possible.
If anything felt weird in the conversations, it was that “Nate” kept calling him “my guy”. But between family responsibilities and the exhaustion of dealing with customer service, Nicholas overlooked the faux pas. After hours of back and forth, they casually suggested that he share his screen with them. For Nicholas, this was just the next step in the troubleshooting process; the scammers’ eyes began to light up.
As the value of NFTs increases, so too does the risk of fraud
Over the next hour, the scammers wiped NFT monkeys, cats, and dogs from Nicholas’ wallet. Because he shared his screen, they could snap a picture of the QR code synced to his private key, or “seed phrase”, quietly giving them full access to his assets. To stall Nicholas, the scammers calmly assured him that the royalty payments were coming in while they frantically removed his NFTs. By the time his suspicions finally got the better of him, it was far too late. The damage totaled about 150 ETH, or about $480,000. Shortly after he was defrauded, he tweeted a single word: “Fuck”.
As the overall value of NFTs has risen and certain projects have come to be considered “blue chip” due to high or relatively stable valuations, the threat from fraudsters has also increased. In the NFT space, the word “fraud” covers many bases. It can refer to a project whose team cashes in millions by making false promises to buyers, also known as a “rug pull”; fake Twitter giveaways of NFTs that farm retweets and followers to create the illusion of clout; and malicious links or convincing scammers that result in the user unknowingly giving up their private key.
It seems almost paradoxical that a space whose users have generally mastered traditional cybersecurity can so easily become victims. But in the NFT space, where there is a culture of community, humor, and quickly clicking on good deals, it’s the socially oriented scams that are most compelling. Scammers, whose tricks all depend on gaining the trust of a victim, exploit the same instincts that make the NFT space a close-knit community of friends rather than a bunch of individual traders. In this climate, Nicholas calls these scams a kind of “social engineering”: conditioning someone to think they are dealing with a friend or a trusted community member so that they are not on guard.
“It takes concentration to say, ‘I am my own bank and I am the custodian of my own money.'”
The kind of scam used on Nicholas is arguably the most nefarious. If a fraudster has control over a user’s keys, they can transfer every crypto asset to a separate wallet. By design, all transactions are irreversible. Even when a user realizes immediately that their wallet has been compromised, it’s a frantic race to move the most valuable assets into an uncompromised one. In the case of Nicholas, even though he had added an extra layer of protection to his account, a hardware device that required him to sign transactions, he had been manipulated into believing he was authorizing royalty payments, and his NFTs quickly disappeared.
Since a blockchain like Ethereum is decentralized and allows anonymity, it is difficult to track down scammers who use anonymous wallets, and victims have few options for recourse. “You have to focus to say, ‘I am my own bank and I am the custodian of my own money,’” said Nicholas. “I can’t just go through it like I go to the bank and get distracted with my cell phone. You have to be 100 percent in the moment. Otherwise it is very easy to overlook some signs.”
On the other hand, the blockchain is transparent: every transaction can be tracked, regardless of whether the destination is anonymous or not. In the recent case where community cybersleuths discovered that an OpenSea employee was trading NFTs based on inside information, the troubling transactions were linked to the employee’s publicly known account; in the case of Nicholas, the scammers’ wallets and the stolen assets remained fully visible but revealed nothing about the new owner’s identity.
The NFT community has started developing a scam response playbook
This meant that OpenSea could still identify the scammers’ wallet address even while the scammers themselves evaded identification. Once notified, OpenSea was required to “lock” the stolen NFTs to prevent trading or resale. But by the time it locked Nicholas’ assets, the scammers had preemptively sold them to the highest bidders, who did not know they were buying stolen property.
This put Nicholas in a double bind. Despite the crushing blow of losing six-figure assets, including the Bored Ape he used as his Twitter identity, he says he had to “whack buyers” after they had spent hundreds of thousands of dollars on NFTs that suddenly became unsaleable.
The NFT community has started developing a playbook for dealing with the aftermath of scams, raising funds to buy back stolen and flipped goods. This usually includes community fundraising, where generous users donate excess Ethereum or sought-after NFTs, while artists often contribute self-made NFTs. Victims often receive interest-free cryptocurrency loans that they can use to invest or start their own artistic projects to get back on their feet. Rescue bots with names like “Cool Cats Rescue” and “dogemaster42069” patrol the market, making automatic lowball offers to cash-strapped scammers so that the NFTs can be returned to their original owners at fairer prices – and sometimes even for free.
“My stolen items ended up in the wallets of innocent buyers and are now locked.”
Nicholas linked up with Sohrob Farudi, an NFT collector who had lost an estimated 250 ETH, or $800,000, after scammers deceived him by posing as the founders of the Bored Ape Yacht Club. Together they set up a community fund to buy back the stolen NFTs that had been frozen. By sourcing NFTs from the community, they were able to resell the donations for about 10 percent of the value of the stolen assets, or a still impressive sum of 32 ETH. The rest came out of their own pockets.
“I felt terrible that something that happened to me affected all of these other people. It is not fair that my stolen items ended up in the wallets of innocent buyers and are now locked,” said Farudi.
Although the fund reunited Nicholas and Farudi with some of their precious assets, the process wasn’t entirely smooth. Shortly after the scammers sold the Bored Ape Yacht Club NFTs, their perceived market value skyrocketed following an auction announcement from Sotheby’s and an expansion of the Bored Ape ecosystem called Mutants. While most buyers returned the NFTs at cost, some monkey buyers were unwilling to return their inflated NFTs for what they had paid. After intensive negotiations, Nicholas and Farudi were able to reach an agreement with the vast majority of buyers. One monkey remains. “We may just have to let it go,” said Nicholas.
OpenSea has since added an SOS button
Despite the stereotype of a cryptocurrency space exposed to highly sophisticated hacks, such as when an anonymous hacker stole over $600 million in cryptocurrency (and later returned it all), the scams used on Nicholas and Farudi proved to be low-tech. There was no malicious code; it was fake Discord channels and fake names.
In response to the two high-profile scams, OpenSea apologized to Nicholas and Farudi. The platform also added an SOS button that allows users to lock their own account if they believe it has been compromised. MetaMask, the wallet service used by Nicholas, has temporarily disabled the QR code that allows access to a user’s keys because fraudsters have exploited the feature multiple times through victims’ screen sharing. Although Discord has some security features to help prevent identity theft, such as unique four-digit number tags on top of an ambiguous username system, some users feel that the latter is still open to abuse.
For Nicholas and Farudi, their lives were turned upside down in a matter of hours. Nicholas compared the feeling to PTSD, and Farudi says the psychological trauma made him paranoid every time he clicks on his MetaMask. If anything could have brought them back into the space, it was the social connections that attracted them in the first place. “It’s a community centered story. This bad thing happened and the community gathered,” Nicholas told The Verge. “There are so many people who got in touch and said, ‘Look, the same thing happened to me. And I was ashamed and didn’t say anything. And I didn’t do anything about it because I know better.’”
“If it was to close a weak point, and now others will not suffer the same fate,” added Farudi, “I feel good that we went out and did what we did.”