NFT listing scams
Social engineering (more often called phishing, although phishing is strictly just one form of it) is, unfortunately, widespread in web3. With self-custody there is no bank to reverse a transfer, so even experienced, savvy users can be manipulated into taking actions that play right into a scammer's hands.
More specifically, social engineering is any scenario in which a scammer psychologically manipulates a victim. In web3 this most commonly means convincing users to hand over their Secret Recovery Phrase (seed phrase), which gives the scammer full control of the wallet and every asset in it.
This article, however, focuses on one specific form of social engineering: tricking you into unknowingly listing valuable NFTs for a price of zero.
How do NFT listing scams work?
Scammers have the entirety of the internet at their disposal, including all the tools, sites, social media platforms, etc. that it entails. As a result, you may encounter a variant of this scam in the wild that doesn't match up exactly with our description below. So, as with all our scam explainers, please take this article as a blueprint, and stay vigilant for the key points in the sections below.
Here's how fraudulent NFT listings usually take place:
1. The social engineering. The scammer first has to execute the 'social' part of the scam: engage you in a way that feels natural, rests on a plausible pretext and, often, appears to benefit you somehow. This could be:
- Complimenting you on some content you posted
- Offering you 'alpha' on a new NFT project, token, or dapp
- Providing access to an allowlist for an NFT drop
- Asking a genuine, relevant question that seems well thought-out
...you get the idea. The main thing is that there has to be something in there that piques your interest.
Once they have your attention, they present you with the means to get scammed. From what we've seen, this is typically a fraudulent dapp, set up to look legitimate. The catch is that the transactions and signatures it asks you for are designed to steal your assets.
The dapp the scammer links to doesn't need to be related to the subject they contacted you about, nor to NFTs or any particular token. It only needs to get you to connect your wallet and interact, so that it can propose a transaction or message for you to sign.
2. The technical underpinnings. Connecting your wallet to a scam site does, by itself, very little damage. The site learns your account address, which it can use to look up your balances and the NFTs you hold, and it can propose transactions and messages for you to sign. Nothing leaves your wallet at that point. The danger starts once you are presented with things to sign.
Applying your signature to a transaction or message is consent you cannot take back. A signed transaction, once broadcast, executes whatever the contract it calls is written to do. A signed message, such as a marketplace order, can be submitted by whoever holds it until it expires (or until you cancel it on-chain, which in practice a scammer will not give you time to do).
The problem with the dapps scammers provide is that what the signature actually authorises, whether a contract call or the contents of a message, does not match what the dapp's UI tells you is happening. This is how they trick you.
3. The theft. The most common variant of this scam works like this:
- The fraudulent dapp prompts you to sign a transaction or message. It may or may not be framed as having anything to do with NFTs, and the description is usually entirely misleading about what the signature actually does.
- What you've actually signed is a listing of your NFT(s) for 0 ETH. The mechanism can be convoluted: the marketplace can typically already move these NFTs because you granted it approval (setApprovalForAll on the NFT contract) the last time you listed or traded through it. That standing approval is why a single signature on a new order is enough to list them, with no further transaction, no gas and nothing in your account's transaction history until the order is filled.
- The scammer, who holds the signed order and so knows about the 0 ETH listing before anyone else, immediately fills it on OpenSea, buying your NFT for nothing.
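Both the 'technical underpinnings' and 'the theft' steps above come down to one habit: reading what a signature request actually authorises before approving it. The following is an added example, not code from this article or from MetaMask or OpenSea. It inspects an EIP-712 payload of the kind a dapp hands to eth_signTypedData_v4 for a Seaport (OpenSea) order and flags the pattern described above: your NFT offered while nothing is paid back to you. The item-type numbers follow Seaport's ItemType enum; the addresses, token ID and fee split in the sample payloads are constructed placeholders, and the function names (inspectTypedDataRequest, makeOrder) are chosen here, not taken from any library.

```javascript
// Added example, not code from the original article or from MetaMask/OpenSea.
// Inspects an EIP-712 payload of the shape a dapp passes to eth_signTypedData_v4
// for a Seaport order and flags the pattern described in the article: NFT(s)
// offered while nothing comes back to the signer. Item type codes follow the
// Seaport ItemType enum: 0 native ETH, 1 ERC20, 2 ERC721, 3 ERC1155, 4/5 criteria-based.

const NFT_ITEM_TYPES = new Set([2, 3, 4, 5]);
const FUNGIBLE_ITEM_TYPES = new Set([0, 1]);

function isSeaportOrder(typedData) {
  const m = typedData && typedData.message;
  return Boolean(m) && typedData.primaryType === "OrderComponents" &&
    Array.isArray(m.offer) && Array.isArray(m.consideration) && typeof m.offerer === "string";
}

// Returns { verdict, nftsOffered, proceedsToOffererWei, findings }.
// verdict: "danger" (NFT leaves, nothing comes back), "ok" (NFT leaves, signer is paid),
// "info" (no NFT in the offer), "unknown" (not a Seaport order; inspect by hand).
function inspectTypedDataRequest(typedData) {
  if (!isSeaportOrder(typedData)) {
    return { verdict: "unknown", nftsOffered: [], proceedsToOffererWei: "0",
             findings: ["primaryType is not Seaport OrderComponents; review the payload manually"] };
  }
  const { offerer, offer, consideration } = typedData.message;
  const me = offerer.toLowerCase();
  const findings = [];

  const nftsOffered = offer
    .filter((item) => NFT_ITEM_TYPES.has(Number(item.itemType)))
    .map((item) => `${item.token}#${item.identifierOrCriteria}`);

  // Sum what the order pays back to the signer. Fee and royalty items legitimately
  // go to other recipients, so only the offerer's own share decides the verdict.
  let proceedsToOfferer = 0n;
  let proceedsToOthers = 0n;
  for (const item of consideration) {
    if (!FUNGIBLE_ITEM_TYPES.has(Number(item.itemType))) continue;
    const amount = BigInt(item.startAmount);
    if (String(item.recipient).toLowerCase() === me) proceedsToOfferer += amount;
    else proceedsToOthers += amount;
  }

  let verdict = "info";
  if (nftsOffered.length > 0) {
    if (proceedsToOfferer === 0n) {
      verdict = "danger";
      findings.push(`Order gives away ${nftsOffered.length} NFT(s) and pays the signer nothing` +
        (proceedsToOthers > 0n ? `; ${proceedsToOthers} wei goes to other recipients` : ""));
    } else {
      verdict = "ok";
      findings.push(`Order sells ${nftsOffered.length} NFT(s) for ${proceedsToOfferer} wei to the signer`);
    }
  } else {
    findings.push("No NFT in the offer; still check the consideration items");
  }
  return { verdict, nftsOffered, proceedsToOffererWei: proceedsToOfferer.toString(), findings };
}

// Constructed sample payloads: addresses and token id are placeholders, not real contracts.
const OFFERER = "0x1111111111111111111111111111111111111111";
const NFT_CONTRACT = "0x2222222222222222222222222222222222222222";
const FEE_RECIPIENT = "0x3333333333333333333333333333333333333333";
const ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";

function makeOrder(considerationItems) {
  return {
    primaryType: "OrderComponents",
    domain: { name: "Seaport", version: "1.6", chainId: 1 },
    message: {
      offerer: OFFERER,
      offer: [{ itemType: 2, token: NFT_CONTRACT, identifierOrCriteria: "1234", startAmount: "1", endAmount: "1" }],
      consideration: considerationItems,
    },
  };
}

// What the article describes: the NFT is listed for 0 ETH.
const SCAM_LISTING = makeOrder([
  { itemType: 0, token: ZERO_ADDRESS, identifierOrCriteria: "0", startAmount: "0", endAmount: "0", recipient: OFFERER },
]);

// A normal 1 ETH listing: 0.975 ETH to the seller, 0.025 ETH marketplace fee.
const LEGIT_LISTING = makeOrder([
  { itemType: 0, token: ZERO_ADDRESS, identifierOrCriteria: "0", startAmount: "975000000000000000", endAmount: "975000000000000000", recipient: OFFERER },
  { itemType: 0, token: ZERO_ADDRESS, identifierOrCriteria: "0", startAmount: "25000000000000000", endAmount: "25000000000000000", recipient: FEE_RECIPIENT },
]);

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, payload] of [["scam", SCAM_LISTING], ["legit", LEGIT_LISTING]]) {
    const r = inspectTypedDataRequest(payload);
    console.log(label, r.verdict, r.findings.join("; "));
  }
}
```

Run it with Node to see the scam listing reported as "danger" and the normal listing as "ok". The check looks only at the order contents: it does not verify that domain.verifyingContract is the genuine Seaport contract, or that the offerer is your own address, both of which the wallet prompt shows and you should still read. A clean verdict here is not proof that the site is honest; it only rules out the one pattern this article is about.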