TLDR
With new asset protocols emerging and the NFT ecosystem developing rapidly, with new forms of gameplay appearing all the time, how Web3 users can effectively protect their crypto assets has become a new challenge. In a Twitter Space, NFT Asset Explorers, co-hosted by NFTScan and Mint Blockchain, experts from imToken, OneKey, SlowMist Team, and NFTScan were invited to discuss how to protect crypto assets effectively in this environment and to share a series of practical experiences and suggestions.
Host: Yuri | NFTScan
Guests:
Liz | SlowMist Team
Mako | Market Researcher Lead of imToken
Niq | Chief Content of OneKey
Shier | Co-founder of NFTScan Labs
X Space Record:
Q1: According to NFTScan’s data, there are approximately 6 million new NFT assets added to the chain every day, with 4000–6000 NFT asset contracts. With the large-scale growth of NFT assets, there have been phishing incidents induced through NFT metadata, especially on EVM networks and L2s such as BNBChain, Polygon, Base, etc., which may lead to asset losses. Do you have any strategies to deal with these issues for dApp developers and Web3 users?
🗣️ Niq | OneKey:
On-chain NFT scams primarily fall into two categories:
Direct Wallet Spam: Scammers send worthless NFTs to users’ wallets, aiming to display these NFTs and entice users to click on them when browsing marketplaces like OpenSea. This can lead users to phishing websites where they’re tricked into signing transactions that grant permissions for token transfers.
“Sleep Minting” Contract Manipulation: Scammers modify contracts to show fake NFT mints in users’ wallets, targeting those who follow large accounts’ operations. The modified contract makes it appear an NFT has been minted, but it’s initiated by the phisher to lure users to a phishing website for minting or other interactions.
While platforms like OpenSea can filter out many of these scams, they may still appear in wallets. These phishing attempts share patterns in transaction metadata, making them identifiable for developers and real-time filtering through industry APIs.
For regular users, security awareness is crucial. Be cautious of attempts luring you to websites for airdrops or tokens, as these often trick users into signing over permissions. Vigilance is also advised with copy-trading, as fake transfers or mints may be involved.
Ultimately, users should stay vigilant, recognizing that not all minting actions are genuine, and many phishing NFTs are generated through fake minting processes.
🗣️ Mako | imToken:
Niq has provided excellent insights into these NFT minting scam issues. The enticement of users to third-party websites for minting scams is indeed a widespread problem, despite extensive education and security measures by major wallets and security institutions. Many users may not fully appreciate the security risks if they haven’t personally encountered them.
I fully agree with Niq’s view that community collaboration is needed. At imToken, even though we collaborate with third-party APIs and have developed our own filtering rules, we still frequently receive user feedback indicating that even with widely known security measures, users can still fall victim to scams. Therefore, I believe it is necessary to share data on scams through community co-building efforts.
Furthermore, our market research has identified companies like Simple Hash that provide NFT rating services using a whitelist-like approach to filter risks. While this method may not fully align with the spirit of blockchain, I believe that with the development of AI technology, we may now have the ability to use AI to assist in filtering scams. If AI can identify key information in images and provide users with safer tips, we may see an effective combination of blockchain and AI technology in preventing scams.
Ultimately, community collaboration, data sharing, and leveraging emerging technologies like AI could prove invaluable in combating these persistent NFT minting scams and improving security for users.
🗣️ Shier | NFTScan Labs:
At NFTScan, we approach the issue of NFT scams and spam assets from a data service perspective. Our strategies include:
1/ Filtering at the data source:
We have an API interface for business developers to actively submit information on spam or risky assets identified by themselves or their users.
After submission, we conduct security checks and annotation filtering to prevent these flagged assets from being passed downstream.
We regularly analyze on-chain asset issuance and transaction patterns, using algorithms for secondary filtering based on identified patterns.
2/ Leveraging community feedback:
NFTScan Explorer has a feedback entry for users to actively submit risky or spam assets they encounter.
With 180K–200K monthly active users and growing, we aim to collect industry-wide information through this feedback mechanism.
3/ Downstream asset quality:
By combining our own filtering and community feedback, we strive to output higher-quality assets downstream while eliminating potential security risks as much as possible.
4/ User education:
We remind all users about the programmability of NFT assets and the potential for Metadata information to change or be centrally controlled.
When viewing NFT information, users should exercise caution if links or documents seem suspicious.
Ads promising large rewards or promotions should be automatically blocked, as they are likely phishing attempts.
🗣️ Liz | SlowMist:
We understand that NFT metadata refers to the specific information included, such as name, description, images, animations, and more, which can vary based on the NFT’s nature or creative attributes. However, the flexibility of metadata also brings multiple risks:
1/ Misleading or tampered information: If metadata is arbitrarily set by the creator, buyers may suffer losses due to inaccurate or manipulated details.
2/ Data loss: If metadata is stored on off-chain servers that shut down or are attacked, the related information may be lost, impacting the NFT’s value.
3/ Privacy leakage: Image or animation URIs can potentially collect basic user information, leading to privacy infringement issues.
To address these risks, we recommend the following countermeasures:
1/ Purchase from trusted sources: When buying NFTs, prioritize well-known, mainstream, and reputable platforms as a basic guideline.
2/ Enhance account security: Enable security measures like two-factor authentication and email/phone verification to strengthen account protection.
3/ Regular security checks and updates: Develop a habit of regularly conducting security checks and system updates to ensure long-term safety.
4/ Avoid unknown links: Refrain from clicking on links from unknown sources, especially those requesting sensitive information.
While implementing security measures is crucial, it is not sufficient alone. A combination of purchasing from trusted sources, enhancing account security, regular security maintenance, and exercising caution with unknown links is essential to address the risks associated with NFT metadata.
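Both Shier’s description of source-level filtering and Liz’s list of metadata risks (lure wording, embedded links, centrally hosted media that can disappear, URIs that can track the viewer) lend themselves to a small heuristic checker. The following is an added example written for this page; it is not NFTScan’s or SlowMist’s filtering code, the lure phrase list and score weights are assumptions, and the metadata records are constructed samples, not real assets.

```python
import re
from urllib.parse import urlparse

# Lure phrases often seen in scam NFT names/descriptions (assumed list, not NFTScan's rules).
LURE_PATTERNS = [
    r"\bclaim\b", r"\bairdrop\b", r"\breward", r"\bvoucher\b",
    r"\bfree mint\b", r"\blimited time\b", r"\bconnect (your )?wallet\b",
]
URL_RE = re.compile(r"https?://[^\s\"')<>]+", re.IGNORECASE)
# Schemes that point at content-addressed or embedded data rather than a single server.
DECENTRALISED_SCHEMES = {"ipfs", "ar", "data"}

# Constructed sample metadata records (hosts under .example / example-phish are placeholders).
SAMPLE_METADATA = [
    {"name": "Cool Apes #12", "description": "Part of the Cool Apes collection.",
     "image": "ipfs://bafybeiexampleexampleexample/12.png"},
    {"name": "$5000 USDT Voucher",
     "description": "Claim your reward now! Visit https://claim-rewards.example-phish.xyz",
     "image": "https://cdn.example-phish.xyz/img.png?uid=0xabc",
     "external_url": "https://claim-rewards.example-phish.xyz"},
    {"name": "Airdrop Ticket",
     "description": "Free mint, limited time, connect wallet to claim.",
     "image": "https://legit-cdn.example/x.png"},
]


def _media_hosts(meta):
    """Hostnames referenced by the image/animation fields (http(s) only)."""
    hosts = set()
    for key in ("image", "animation_url"):
        uri = meta.get(key)
        if uri:
            parsed = urlparse(uri)
            if parsed.scheme in ("http", "https") and parsed.hostname:
                hosts.add(parsed.hostname.lower())
    return hosts


def assess_metadata(meta):
    """Return (score, reasons) for one metadata record; higher score = more suspicious."""
    findings = []  # (weight, reason); weights are illustrative assumptions
    text = " ".join(str(meta.get(k, "")) for k in ("name", "description")).lower()

    lures = [p for p in LURE_PATTERNS if re.search(p, text)]
    if lures:
        findings.append((2 * len(lures), f"lure wording ({len(lures)} pattern(s))"))
    if URL_RE.search(text):
        findings.append((3, "URL embedded in name/description"))

    external = meta.get("external_url")
    if external:
        ext_host = urlparse(external).hostname
        media = _media_hosts(meta)
        if ext_host and media and ext_host.lower() not in media:
            findings.append((2, "external_url host differs from media host"))

    for key in ("image", "animation_url"):
        uri = meta.get(key)
        if not uri:
            continue
        parsed = urlparse(uri)
        if parsed.scheme in ("http", "https"):
            # Single-server hosting: content can vanish or be swapped (data-loss / tampering risk).
            findings.append((1, f"{key} hosted on a centralised server"))
            if parsed.query:
                # Query parameters can identify whoever renders the image (privacy risk).
                findings.append((2, f"{key} URI carries query parameters (possible tracking)"))
        elif parsed.scheme not in DECENTRALISED_SCHEMES:
            findings.append((2, f"{key} uses unexpected scheme {parsed.scheme!r}"))

    return sum(w for w, _ in findings), [r for _, r in findings]


def filter_spam(records, threshold=5):
    """Split records into (clean, flagged) by score threshold."""
    clean, flagged = [], []
    for meta in records:
        score, reasons = assess_metadata(meta)
        (flagged if score >= threshold else clean).append((meta["name"], score, reasons))
    return clean, flagged


if __name__ == "__main__":
    clean, flagged = filter_spam(SAMPLE_METADATA)
    for name, score, reasons in flagged:
        print(f"FLAGGED {name!r} score={score}: {'; '.join(reasons)}")
    for name, score, _ in clean:
        print(f"clean   {name!r} score={score}")
```

A real pipeline would combine a score like this with the issuance and transaction patterns Shier mentions and with community reports; the heuristic alone is only a first-pass filter, and the threshold is something to tune against known-good collections so that legitimate projects with promotional wording are not silently dropped.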
Q2: In the last year, the industry has seen many new asset protocols, including Inscriptions, BRC20, ERC404, Memecoin, Restaking, Airdrops, etc. For ordinary Web3 users participating in these, do you have any suggestions to offer? How can such security issues be prevented?
🗣️ Niq | OneKey:
I want to highlight some security concerns related to Restaking, especially involving the theft of large assets. According to a report from Scam Sniffer, there were several theft cases involving Pledged tokens last month. Specifically, around mid-March this year, four theft transactions averaging two million USD were recorded, with these losses related to stolen permit signatures.
In some cases, users may not immediately notice any anomalies after their signatures have been compromised. It’s only when they attempt to withdraw tokens that they realize they’ve fallen victim to a hacker’s trap, and their principal has been transferred.
These theft cases share a commonality: they involved using large capital addresses to interact with unfamiliar contracts or networks, actions that often ignored potential risks. Additionally, various seemingly attractive Coin or airdrop temptations can sometimes increase risks, especially when utilizing large capital addresses.
Therefore, the most crucial step is to reduce risk exposure. This includes pre- and post-transaction measures, such as transferring large assets to clean datasets or hardware cold wallets before conducting high-risk transactions. Post-transaction measures are equally important, as checking and revoking unauthorized activities is crucial.
After using an address, if it’s not intended for further use, it can be abandoned, aligning with Bitcoin’s native usage. If the address is still needed, “cleaning up” is vital, ensuring that all authorized signatures and potential risks have been appropriately addressed.
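The post-transaction “cleaning up” Niq describes, checking which token allowances an address has granted and revoking the ones that are no longer needed, can be done from the ERC-20 `Approval` event logs. The example below is added for this page and is not OneKey’s code; it decodes a constructed set of logs offline (the addresses are placeholders), keeps the latest allowance per token and spender, and builds the `approve(spender, 0)` calldata that would revoke each remaining one. The event topic and function selector are the standard ERC-20 values.

```python
# keccak256("Approval(address,address,uint256)") - standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# 4-byte selector of approve(address,uint256)
APPROVE_SELECTOR = "0x095ea7b3"
UNLIMITED = 2**256 - 1

# Constructed placeholder addresses (not real accounts or tokens).
OWNER = "0x" + "11" * 20
SPENDER_A = "0x" + "aa" * 20
SPENDER_B = "0x" + "bb" * 20
TOKEN_X = "0x" + "22" * 20
TOKEN_Y = "0x" + "33" * 20


def _addr_topic(addr):
    """Indexed address parameters are left-padded to 32 bytes in the topic."""
    return "0x" + "0" * 24 + addr[2:].lower()


def _uint_data(value):
    """Non-indexed uint256 is ABI-encoded as 32 big-endian bytes."""
    return "0x" + format(value, "064x")


def _make_log(token, owner, spender, value):
    return {"address": token, "topics": [APPROVAL_TOPIC, _addr_topic(owner), _addr_topic(spender)],
            "data": _uint_data(value)}


# Constructed log sequence, in block order: an unlimited approval, a bounded approval
# that is later revoked, and a small approval on a second token.
SAMPLE_LOGS = [
    _make_log(TOKEN_X, OWNER, SPENDER_A, UNLIMITED),
    _make_log(TOKEN_X, OWNER, SPENDER_B, 1_000 * 10**6),
    _make_log(TOKEN_Y, OWNER, SPENDER_A, 500),
    _make_log(TOKEN_X, OWNER, SPENDER_B, 0),  # revoked later
]


def _topic_to_address(topic):
    return "0x" + topic[-40:].lower()


def outstanding_allowances(logs, owner):
    """Latest non-zero allowance per (token, spender) granted by `owner`."""
    latest = {}
    for log in logs:  # assumes logs are in chain order
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if _topic_to_address(topics[1]) != owner.lower():
            continue
        spender = _topic_to_address(topics[2])
        latest[(log["address"].lower(), spender)] = int(log["data"], 16)
    return {key: value for key, value in latest.items() if value > 0}


def revoke_calldata(spender):
    """ABI-encoded approve(spender, 0): selector + padded address + zero amount."""
    return APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


def revocation_plan(logs, owner):
    """One revocation transaction (to=token, data=approve(spender,0)) per outstanding allowance."""
    plan = []
    for (token, spender), value in sorted(outstanding_allowances(logs, owner).items()):
        plan.append({"to": token, "spender": spender,
                     "unlimited": value == UNLIMITED, "data": revoke_calldata(spender)})
    return plan


if __name__ == "__main__":
    for tx in revocation_plan(SAMPLE_LOGS, OWNER):
        tag = "UNLIMITED" if tx["unlimited"] else "bounded"
        print(f"revoke {tag} allowance on {tx['to']} for {tx['spender']}: {tx['data']}")
```

In practice the logs come from an `eth_getLogs` query filtered on the `Approval` topic and the owner address, and the same idea applies to ERC-721 `setApprovalForAll`; the point is that a revocation is just an `approve` with amount zero, and as Mako notes in the next turn, on a busy chain moving funds to a fresh wallet can be cheaper than sending many of them.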
🗣️ Mako | imToken:
I think the recent hot topics are very interesting, especially about not taking over each other. Recently, it seems that those playing with Solana or similar projects are avoiding taking over. When I engage in these projects, I usually choose to use a new wallet, especially for some small projects, I usually do not consider using a hardware wallet.
However, for situations involving large assets, I still prefer using a hardware wallet to participate in operations like staking. For meme coin releases like those from the Inscriptions, I tend to use another wallet to operate. Furthermore, the sources of information are usually through social media such as Twitter, and often you can see various links under the tweets. We have recently been promoting our Chinese account, and very soon we will see people imitating our account name, a situation that is very easy to fall for.
From my experience, one way to determine if a tweet handle is trustworthy is to see if someone I know or trust is following that handle. Niq previously mentioned revoking authorization issues, and from my personal experience, revoking authorizations on Ethereum can sometimes be expensive. Instead, it may be more economical to transfer funds to a new wallet rather than revoking authorizations.
Lastly, when participating in Memecoins or similar projects, I believe it is very important to gauge and take profits when the market is up.
🗣️ Shier | NFTScan Labs:
You make excellent points regarding security practices for participating in small projects or large projects with expected airdrops. Utilizing a dedicated wallet specifically for these purposes is a very direct and secure approach, especially when that wallet does not need to hold significant funds.
The preventative measure you mentioned, where Mint publishes an image clearly stating the end of a Twitter campaign series, is a smart way to inform users that any similar content afterwards may be fake, helping prevent potential phishing scams.
To summarize the key points from the previous experts:
Phishing website prevention: Be extremely vigilant and obtain project information only from official social media or websites. Confirm the information before entering the official website to reduce phishing risks.
Wallet connection authorizations: Carefully review and understand the purpose of any signing operations to prevent potential asset losses due to unclear authorizations.
Asset security: When participating in new protocols, safeguard assets by isolating them and minimizing operations on main assets to reduce risks.
Private key management: Learn and understand proper private key management. Using a trusted hardware wallet like OneKey or imToken is a good choice. Ensure the connected network and wallet are trusted for optimal security.
These preventative measures, such as using dedicated wallets, verifying official sources, reviewing authorizations, isolating assets, and proper private key management, are crucial for maintaining security, especially when engaging with new or smaller projects in the cryptocurrency space.
Q3: In the dark forest of blockchain, how can one effectively protect the security of crypto assets? Could you share some lessons and experiences gained from real cases?
🗣️ Shier | NFTScan Labs:
Recently, we encountered a situation where someone impersonated an investment institution and PM’d us on Twitter, expressing interest in investment matters. Typically, invitations for investments like these are not easily rejected, so we scheduled a meeting. The person provided us with a Zoom meeting link.
However, when we tried to join the meeting at the scheduled time, we found that this link required us to authorize via our official Twitter account, which initially seemed somewhat unusual as we had never had such a request. However, we considered that the other party may need to confirm our identity, so we decided to use our official Twitter account for authorization.
Unfortunately, this Zoom link was a phishing link. The attackers obtained editing permissions for the organization’s official Twitter account through this method, and in the early hours of 3 to 4 am, they began launching attacks, posting phishing links. Fortunately, the community immediately provided feedback on the issue, and the organization quickly revoked all Twitter authorization permissions, thus gaining control of the situation. This event shows that the attackers did not use highly sophisticated technical means but rather carried out an attack successfully through a relatively simple form of human deception.
The second case that occurred during the previous DeFi liquidity mining frenzy involved a close friend who needed various on-chain scripts for mining. Unfortunately, in preparing to open-source a script, the friend accidentally disclosed their private key, resulting in the loss of several hundred thousand US dollars, including some Ethereum and other tokens.
These two cases highlight the importance of maintaining a high level of vigilance and security awareness, even when dealing with seemingly straightforward operations. Many security incidents are preventable, often due to a lack of sufficient precautions.
🗣️ Niq | OneKey:
The concept of the “dark forest” in the digital landscape is an apt analogy, and the recent release of the Dark Forest Handbook 1.2 version by SlowMist provides valuable insights. The two major security rules they proposed — zero trust and continuous verification — are indeed profound and crucial in the current environment.
One example that highlights the importance of these principles is the case of a persona constructed for airdrops. This persona carefully built trust by posting tutorials and gaining the trust of many individuals. However, the persona later posted a tutorial containing private content, a link to a fake website, and even scripts with viruses that stole private keys, resulting in significant losses for many people. This incident demonstrates how social influence and interpersonal trust can be exploited through social engineering attacks, even when dealing with seemingly benign information.
The need for zero trust and continuous verification extends beyond just transactions, tokens, or projects. Human social interactions are also a critical factor, as seen in the example of “interview attacks,” which are another form of social engineering. Even if the source is a trusted friend, their account could be compromised, putting one’s own assets at risk.
Implementing these security practices is essential, regardless of the context or the perceived level of risk. Preventive measures are crucial, such as regularly checking and revoking permissions for wallets and being aware of the stability and potential vulnerabilities of the projects and assets being held. If any suspicious activity is detected, prompt action is necessary to mitigate the risks.
These strategies for addressing the risks in the “dark forest” of the digital landscape are essential for both individuals and organizations. Maintaining a high level of vigilance, a zero-trust mindset, and continuous verification processes can help safeguard against a wide range of security threats, both sophisticated and seemingly simple.
🗣️ Mako | imToken:
It’s encouraging to see that user education around wallet security has made significant progress, with fewer users neglecting backup practices. However, the occasional examples serve as important reminders that security precautions are necessary even among trusted individuals, such as family members.
One persistent issue is users downloading fake wallet applications through search engines. For instance, someone recently lost around $150,000 after downloading a fake “imToken” app from a seemingly official but deceptive website. This is a common tactic used by scammers to exploit user trust.
Another concerning behavior is users sharing their mnemonic words on social platforms like RedBook, often driven by a desire for small gains. In one case, the researcher imported such mnemonic words into an empty wallet, only to find $100 inside, which was then immediately transferred out by an automated script — a typical phishing scheme.
Furthermore, the issue of custom IPCs has been a topic of discussion between imToken and SlowMist. Scammers often exploit users’ desire to claim airdrops by asking them to configure specific IPCs, which can then be used to steal their assets through the custom settings.
These examples highlight a crucial point: users should not be greedy for small gains and should not assume they know better than security experts. Even with extensive education and awareness campaigns, some individuals may only truly learn the importance of security when they experience a personal incident.
The lessons from these cases emphasize the need for users to maintain a cautious and vigilant mindset, even when dealing with seemingly innocuous activities. Continuous education, a deep understanding of security best practices, and a willingness to seek expert guidance are essential in navigating the ever-evolving landscape of digital asset management.
🗣️ Liz | SlowMist:
Phishing attacks continue to pose a significant threat, as evident from the increasing number of theft incidents reported to us on a daily basis. One of the most prevalent forms of phishing currently is Blind Sign Phishing.
In Blind Sign Phishing, attackers leverage the “inside signing” method, which is an open signing mechanism that allows signing for any hash. This means it can be used to sign transactions or any other data. For users without a strong technical background, understanding the implications of these signing requests can be quite challenging, leaving them vulnerable to phishing risks.
Fortunately, many wallets are now implementing security alerts to warn users about potentially malicious signing requests. This measure can help prevent some asset losses. However, users must remain vigilant and authenticate the official project website before interacting with it. Extreme caution should be exercised when presented with any signing requests, as revealing mnemonic words or private keys is a surefire way for attackers to gain control of user assets.
When participating in new projects, users should consider several factors to assess the risk:
Is the project anonymous, or is the team well-known and reputable?
Does the project have a strong track record and community support?
Have there been any previous security incidents associated with the project?
Maintaining a high level of scepticism and verifying the legitimacy of any project or signing request is crucial in the current landscape, where phishing attacks continue to evolve and target unsuspecting users.
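Liz’s description of blind-sign phishing (an open signing method that will sign any hash, including a transaction hash) and Niq’s earlier account of stolen permit signatures both come down to the same wallet-side question: what does this signature actually authorise? The following is an added example of the kind of pre-signature triage a wallet alert can perform; it is not SlowMist’s, imToken’s or OneKey’s code. The request shapes follow the common JSON-RPC methods (`eth_sign`, `personal_sign`, `eth_signTypedData_v4`) and the EIP-2612 `Permit` struct; the sample requests, the trusted-spender list and the 7-day deadline rule are constructed assumptions.

```python
UNLIMITED = 2**256 - 1
SEVEN_DAYS = 7 * 24 * 3600

# Constructed sample requests, as a wallet would receive them from a dApp.
REQ_BLIND = {"method": "eth_sign", "message": "0x" + "ab" * 32}
REQ_LOGIN = {"method": "personal_sign", "message": "Sign in to example.app\nNonce: 4821"}
KNOWN_ROUTER = "0x" + "cc" * 20  # placeholder for a spender the user has vetted
REQ_PERMIT_PHISH = {
    "method": "eth_signTypedData_v4",
    "typed_data": {
        "primaryType": "Permit",
        "domain": {"name": "Example Token", "chainId": 1, "verifyingContract": "0x" + "dd" * 20},
        "message": {"owner": "0x" + "11" * 20, "spender": "0x" + "ee" * 20,
                    "value": str(UNLIMITED), "nonce": "0", "deadline": str(2**48)},
    },
}
REQ_PERMIT_OK = {
    "method": "eth_signTypedData_v4",
    "typed_data": {
        "primaryType": "Permit",
        "domain": {"name": "Example Token", "chainId": 1, "verifyingContract": "0x" + "dd" * 20},
        "message": {"owner": "0x" + "11" * 20, "spender": KNOWN_ROUTER,
                    "value": str(1_000 * 10**6), "nonce": "3", "deadline": str(1_700_000_000 + 1800)},
    },
}


def triage_signing_request(request, known_spenders=(), now=1_700_000_000):
    """Classify a signing request as 'low', 'medium' or 'high' risk, with reasons."""
    method = request["method"]

    if method == "eth_sign":
        # Raw hash signing: the wallet cannot tell whether the hash is a transaction.
        return "high", ["eth_sign signs an arbitrary 32-byte hash (blind signing); it could be a transaction"]

    if method == "personal_sign":
        msg = request["message"]
        # personal_sign prefixes the message, so the signature cannot double as a transaction,
        # but an opaque hex payload still hides what is being authorised.
        if msg.startswith("0x") and len(msg) == 66:
            return "medium", ["opaque 32-byte hex payload; confirm what it authorises"]
        return "low", ["human-readable message; check that it names the site you are on"]

    if method == "eth_signTypedData_v4":
        typed = request["typed_data"]
        primary = typed.get("primaryType")
        msg = typed.get("message", {})
        if primary == "Permit":
            reasons = []
            spender = str(msg.get("spender", "")).lower()
            value = int(str(msg.get("value", "0")))
            deadline = int(str(msg.get("deadline", "0")))
            if value == UNLIMITED:
                reasons.append("unlimited allowance")
            elif value > 0:
                reasons.append(f"allowance of {value}")
            if deadline - now > SEVEN_DAYS:
                reasons.append("deadline more than 7 days out (signature stays usable)")
            known = spender in {s.lower() for s in known_spenders}
            if not known:
                reasons.append(f"spender {spender} not recognised")
            risk = "high" if (value == UNLIMITED or not known) else "medium"
            return risk, reasons
        return "medium", [f"typed data of type {primary!r}; review every field before signing"]

    return "high", [f"unrecognised signing method {method!r}"]


if __name__ == "__main__":
    for label, req in [("blind", REQ_BLIND), ("login", REQ_LOGIN),
                       ("permit-phish", REQ_PERMIT_PHISH), ("permit-ok", REQ_PERMIT_OK)]:
        risk, reasons = triage_signing_request(req, known_spenders=[KNOWN_ROUTER])
        print(f"{label:13s} {risk:6s} {'; '.join(reasons)}")
```

The two `Permit` requests are deliberately similar in shape: what separates them is the allowance amount, the deadline and whether the spender is one the user has vetted, which is exactly the information a blind-sign prompt hides. Wallet alerts of this kind reduce losses, but as Liz says they do not replace checking that the site asking for the signature is the project’s official one.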
NFTScan is the world’s largest NFT data infrastructure, including a professional NFT explorer and NFT developer platform, supporting the complete amount of NFT data for 24 blockchains including Ethereum, Solana, BNBChain, Arbitrum, Optimism, and other major networks, providing NFT API for developers on various blockchains.
Official Links:
NFTScan: https://nftscan.com
Developer: https://developer.nftscan.com
Twitter: https://twitter.com/nftscan_com
Discord: https://discord.gg/nftscan