Ana içeriğe geç

Scammers and Phishers: Rugpulls and airdrop scams

Does this article need to be translated?

Contribute to the Help Center

Submit translations, corrections, and suggestions on GitHub, or reach out on our Community forums.

The decentralized web is exploding with economic activity and has the potential for incredible growth. While this attracts a lot of well-deserved attention, there's another thing it attracts: scammers and thieves.

Rugpulls: Don't let your FOMO get the better of you

A rugpull is the term that has been popularized to describe the Web3 / DeFi equivalent of what we would call, in traditional financial systems, a Ponzi scheme; a related concept is that of "pumping and dumping". Let's dig into this a bit.

There isn't just one token or cryptocurrency per blockchain. In fact, the Ethereum blockchain has on it an incredible number of cryptocurrencies, and creating a new one is a fairly straightforward procedure. Not only are they easy to create, but you can name them whatever you want, which can make identifying legitimate tokens particularly difficult.

Those who speculate in cryptocurrencies will often engage in 'pumping and dumping', i.e. buying lots of a particular token in order to drive the price up, then selling them for a profit. This simple mechanism is taken to a whole other level when an individual or group of individuals creates a token simply for the purpose of extracting value.

How it works

  • A token is created
  • The token is promoted, through airdrops, spamming through social media channels
  • The price of the token is inflated, often in a coordinated manner between a number of parties
  • Unwary investors 'dogpile' onto the token, buying due to the perception that the value is skyrocketing and they want to get in when the token is still relatively cheap
  • When the value of the token reaches the target that the creators were aiming for, or whenever they decide to, the scammers liquidate their shares or swap for another cryptocurrency, perhaps dropping the value of the token to below what it had been when the unwary investors had bought
  • The unwary investor has lost value, and is left with tokens worth next to nothing.

How to avoid it

Do your research. How long has the token been around? Take a look at a block explorer, and see if you can figure out what the distribution of the token is like. Are there a handful of accounts holding a majority of the tokens? Is it being hawked aggressively on chat platforms? Does the token have any true utility — or example, is it used in a video game? Or is it just a meme-inspired token?

Just because there's a graph with an incredible spike, doesn't mean that spike will continue.

At the end of the day, this is the decentralized web, and you're the custodian of your tokens. Only you can decide which projects are worth your participation.

Free money doesn't (always) fall from the sky: Airdrop scams

An airdrop consists of a token creator sending some quantity of tokens to Ethereum addresses — maybe at random, maybe from a list of users of a particular dapp or sidechain, for example. There was a time when it was a fairly common practice to use an airdrop as part of a launch campaign for a new token.

Airdrops have a rich and storied history on Web3, and are a great tool for creators of a new project to get their token into the hands of users, and a great opportunity for Web3 participants to benefit from being present in the ecosystem.

How the scam works

Unfortunately, airdrop scams are an attack vector that are actively being developed, and novel exploits of smart contract code could cause new types of scams to appear. That said, here is a common pattern:

  • A wallet holder, examining their wallet on a blockchain explorer, notices they've got some new tokens—maybe even millions of a new token—that they didn't pay for. Congrats, wallet holder, you're the recipient of an airdrop!

  • "Well," says the wallet holder to themselves, "I didn't pay anything for these and I don't particularly care about them. I wonder if I can get anything for them. I'll go to a token swap site."

  • The wallet holder attempts a swap of the tokens—maybe for some ETH—and nothing seems to happen. Confused, the wallet holder goes to the block explorer, and sees a message like this one, which somewhat cryptically tells the would-be token millionaire that in order to claim their tokens, they need to go to a third-party site.

  • Once on the third-party site, a few things might happen.

    • The user might be tricked (phished) into putting their Secret Recovery Phrase into the website, at which point the scammers have control over their entire wallet.
    • The attack can be more subtle, however. Paraphrasing one user's story: "You go to claim your tokens, and MetaMask pops up with a confirmation message. You confirm the MetaMask transaction, but what you don't realize is that you're giving the page permission to take your tokens, rather than give you tokens." (N.b. this is a token approval scam. Read more here.)

How to avoid it

MetaMask is aware of these scams, and is actively working on improvements to help prevent them, but in the decentralized web, the most important member of the security team is you. If you're not sure about a product, look around a bit. Ask on (respectable) forums. Don't give into the fear that if you don't sell the tokens now, they won't be worth anything — after all, the fractions of an ETH that you may earn from selling them aren't worth your wallet getting liquidated.

Never, ever, ever give your Secret Recovery Phrase to a website or to someone online.

Ever.

warning

NFT airdrop scams

If you notice suspicious items in the 'NFTs' tab that you did not purchase, looking more like an ad than digital art, and informing you that you can claim your airdrop by clicking on the link to their website, do not do what they say. This is an emerging scam method, and the website is most likely phishing for your Secret Recovery Phrase. It's best not to interact with the NFT at all, hide it, or add it to the'suspicious' NFTs list in your Portfolio.

While you should make a habit out of checking the contents of your wallet address on a block explorer, take a deep breath before acting on anything you learn there. Remember: tokens can be faked. Check the issuing smart contract address against the address of the legitimate token. Do your due diligence; you are the custodian of your tokens.