Have you ever had the experience that you lost Ethereum or NFTs in your MetaMask wallet without your notice?
As NFTs are getting more and more popular these days, it seems that the number of NFT-related hacking troubles are increasing every day. In this article, we listed up some of the most common virtual currency wallet hacking methods. We help this will give you clearer understanding on how your wallet could be compromised as well as some tips on how to prevent it!
Virtual currency wallet hacks are becoming more common.
Most NFT-related problems are probably losing your assets in your wallet due to hacking. In most cases, the assets in the wallet were stolen without notice, even though the password or seed phrase was not given to anyone.
Since virtual currency wallets can be held and managed anonymously, it is unlikely that the perpetrator can be identified once the virtual currency or NFT has been stolen. Therefore, it is necessary to make an utmost effort to avoid being victimized before a tragedy happens to you.
Common hacking methods
Let’s take a look at some of the most common hacking methods in practice.
1. Leaking seed phrase, password, or private keys.
This is the most typical one we should beware. They fish you with messages like “We will give away NFTs or virtual currencies to a few people randomly chosen, so please fill out your information” and then ask you for your seed phrase and password. This is especially targetted to beginners who do not understand the importance of the seed phrase and more likely to pass it to someone untrustable.
The scammers often use messages like below:
- Please share your wallets so we can collaborate!
- Your account has been compromised! To protect it, please tell us your password!
- I want to buy your NFT directly! I need your seed phrase!
- I’m inviting you to Foundation.app and I need your seed phrase!
Please note no collaboration, no NFT purchase or no Foundation invite will ever require your seed phrase or password!
2. Fake MetaMask app.
The another common scam is fake MetaMask app.
Make sure to download it from the official website, and also be sure to check the URL when jumping to its official website.
3. Fake fake websites.
Not only the fake MetaMask, many fake marketplaces and fake websites have been created one after another. Accessing to these fake websites immediately risk you that your wallet will be compromised or spyware will be sent to you. Do not access them for your curiosity.
The following fake sites are particularly famous.
- Fake Opensea
- Fake Foundation
- False Rarible
- Fake Google Drive
- Fake Dropbox
Also, do not open any suspicious URLs you receive from strangers.
4. Fake MetaMask support tricks.
Many people have been tricked into giving their personal information to a fake MetaMask support account.
The number of accounts pretending to be official MeteMask support has been increasing and disappearing repeatedly, and to matter of tricky, some of them have more followers than official accounts, making it difficult to distinguish one from another.
When a wallet-related error occurs, you might post a message on Twitter saying “I’m having an error like this, if anyone knows anything about it please text me!”, these fake MetaMasks will promptly give you replies or direct messages. You might be tempted to tell them your seed phrase because you are worried about the error and you are relieved to see a support account that responds quickly, but please hold back.
There are also cases that they do not directly ask for phrases, but cleverly lead you to spyware URLs. Make sure you never deal with them.
5. Fake emails
In addition to fake websites and URLs, fake emails are also commonly seen. Scammers are imitating well-known services such as MetaMask, OpenSea, Foundation, etc., and sending out fakes emails to targeted newbie creators.
The typical contents of the emails are often as follows.
- Your work has been sold!
- Your account has been compromised!
The best practice to tell the difference from a real site is to check the domain of the email senders’ addresses. For example, Opensea uses “@opensea.io” domain. Foundation uses “@foundation.app” or “@withfoundation.com” domain. Any email address using any other domain should be assumed to be fake.
6. Fake SMS.
Fake SMS is just as annoying as email, or even more so, because you can’t check the domain name of the sender.
If you suddenly receive an SMS without SMS verification by yourself, it is almost likely to be a fake.
7. Fake Offers.
If you are an artist, you’re always happy when your work is appreciated, and you’re even more excited when you’re asked to create a logo, illustration, or video work for paid projects. However, in the NFT world, you should always keep yourself calm.
I recently got a direct message on twitter from a stranger. The sender said, “Your work is great! We’d love to have you design our logo for paid partnership!” and sent me a suspicious URL as a project resource package. You might be tempted to trust them if their avatars or profile pictures look convincing, but you might notice that he does not have many past tweets or many followers or long account history enough to tell you that he is legit.
If you still think he might be legit, try asking him to give his company email address and let you contact him back. Do not open any resources by him before you make sure he is 100% legit.
Unlike the cases previously discussed, this one is not very traceable. Be careful of websites where spyware is likely to be hidden, such as illegal video download websites, as well as informative sites for NFT artists.
NFT artists often get targeted by many hackers with most progressive hacking methods. At the very least, deploy anti-virus software and filters to avoid stepping on suspicious websites.
9. Connected devices compromised
Even if you pay attentionto your PC which is dedicated for NFT management, you cannot eliminate the risk of your passwords being leaked if your smartphone or sub-PC connected to the same network or social account is infected with spyware. Also, if you put seed phrases and passwords in your shared folders or online drives that are hacked through one of your devices, those private information might be already leaked.
If you want to do your best, we recommend that you completely separate your NFT PC from the rest of your devices, by completely separating networks, and that you do not share any social accounts among your devices. If this sounds too much for you, at least make sure that you don’t put your MetaMask passwords on somewhere online.
How to prevent
We have discussed a variety of scams, but no single method can prevent all of them. You should make multiple efforts to protect your wallet by combining different methods.
- Do not share your seed phrases, passwords, or private keys with others.
- Access only to official websites and apps.
- Make sure the website URL is correct.
- Make sure the domain of the email address is correct.
- Do not open URLs sent from unknown senders.
- Do not immediately trust someone offers you sketchy projetcs.
- Do not visit suspicious sites on a regular basis.
- Do not put passwords on online drives.
- Separate networks.
- Always stay calm and do not get excited much enough to lose your cool judgement.
Keep these ten commandments in your mind, and have a safe creator life!