The NFT scammers are here

Illustration by Alex Castro / The Verge

Last month, Jeff Nicholas popped into the Discord channel for OpenSea, the popular NFT marketplace, looking for help with a royalties issue. Within minutes, someone by the name of “Pascal | OpenSea” responded, inviting him into a separate Discord called “OpenSea Support Server.” There, he was greeted by “Nate | OpenSea,” given a queue number, and eventually started talking through a resolution process with the two agents. Pascal is the name of OpenSea’s customer support lead, and Nate might have been Nate Chastain, its head of product at the time.

But there was no Nate or Pascal, and Nicholas wasn’t in a customer support channel. He’d been targeted by a group of scammers masquerading as OpenSea employees, and they got right to work. Holding Nicholas in customer support purgatory, they would ping him intermittently, telling him his turn was approaching. By online customer service standards, it was typical — good, even, for how personal they were acting. Tailored messages, an exclusive Discord invite, and multiple team members, all working as fast as they could.

If anything felt off in the conversations, it was that “Nate” kept calling him “my guy.” But between family obligations and customer service exhaustion, Nicholas overlooked the faux pas. After hours of back-and-forth, they casually suggested he share his screen with them. To Nicholas, this was just the next step in the troubleshooting process; for the scammers, their eyes began to glow.

Over the next hour, the scammers wiped out NFT apes, cats, and dogs from Nicholas’ wallet. Because he had shared his screen, they were able to snap a picture of the QR code synced to his private key, or “seed phrase,” quietly gaining full access to his assets. To stall Nicholas, the scammers calmly assured him that the royalty payments were arriving, all while frantically transferring his NFTs away. When his suspicions finally blew over, it was already far too late. The damage totaled about 150 ETH, or roughly $480,000. Soon after he was scammed, he tweeted out a single word: “Fuck.”

As the value of NFTs has increased overall, with certain projects being considered “blue chip” due to high or relatively stable valuations, so too has the threat of scammers. In the NFT space, the word “scam” covers many bases. It can refer to a project whose team rakes in millions off false promises to buyers, also known as a “rug pull”; fake Twitter giveaways of NFTs that farm retweets and followers to give the illusion of clout; and malicious links or persuasive impostors that result in the user unknowingly giving up their private key.

It seems almost paradoxical that a space whose users are generally fluent in traditional cybersecurity can become victims so easily. But in the NFT space, where a culture of community, vibes, and clicking fast on good deals rules, it is the socially-minded scams that are the most compelling. Scammers, whose ploys all depend on gaining a victim’s trust, exploit the same instincts that make the NFT space more a tight-knit community of friends than an assemblage of individual traders. In this climate, Nicholas calls these scams a kind of “social engineering”: conditioning someone to think they are dealing with a friend or trusted community member so that they let their guard down.

The scam used on Nicholas is arguably the most nefarious. If a scammer has control of a user’s keys, they are able to transfer any crypto asset into a separate wallet. All transactions are irreversible by design. If a user immediately realizes their wallet has been compromised, it’s a frenzied race to transfer the most valuable assets into an uncompromised one. In Nicholas’ case, even though he had secured his account with an additional layer of protection — a hardware device that requires him to sign off on transactions — he had been manipulated into thinking he was authorizing royalty payments, and his NFTs quickly vanished.

Because a blockchain like Ethereum is decentralized and allows for anonymity, it is difficult to track down scammers who use anonymous wallets, and victims have few avenues for recourse. “It takes focus to be like, ‘I am my own bank, and I am the custodian of my own money,’” Nicholas said. “I can’t just go through it like when I go to the bank and I’m distracted on my phone. You have to be 100 percent in the moment. Otherwise it’s very easy to miss some signs.”

On the other hand, the blockchain is transparent: every transaction can be tracked, whether or not the destination is anonymous. In the recent case where community cybersleuths discovered that an OpenSea employee traded NFTs on insider information, the unsettling transactions connected back to the employee’s publicly known account; in Nicholas’ case, the scammers’ wallets and the stolen assets remained fully visible, but could reveal nothing about the new owner’s identity.

This meant that while the scammers themselves eluded identification, OpenSea could still identify the scammer’s wallet address. Upon being informed, they were obligated to “lock” the stolen NFTs, preventing them from being traded or resold. But by the time they locked Nicholas’ assets, the scammers had preemptively sold them off to the highest bidders, none of whom knew they were participating in the exchange of stolen goods.

This put Nicholas into a double bind. Despite the crushing blow of losing six figures of assets, which included the Bored Ape he used as his Twitter identity, he had to, as he says, “make buyers whole” since they had collectively spent hundreds of thousands of dollars on NFTs that were suddenly unsellable.

The NFT community has begun to develop a playbook to deal with the fallout from scams, which involves raising funds to buy back stolen and flipped goods. This typically includes community fundraising, where generous users donate excess Ethereum or in-demand NFTs, while artists often pitch in with NFTs they’ve created themselves. Oftentimes, victims are given zero-interest cryptocurrency loans, which they can use to invest or start their own artistic projects to get back on their feet. Rescue bots with names like “Cool Cats Rescue” and “dogemaster42069” patrol the marketplace, making automatic lowball offers to liquidity-starved scammers so the NFTs can be returned to the original owners at fairer prices — and sometimes for free.

Nicholas connected with Sohrob Farudi, an NFT collector who’d lost what he estimated was 250 ETH, or $800,000, after scammers had deceived him by impersonating the Bored Ape Yacht Club founders. Together they started a community fund to buy back the stolen NFTs that had been frozen. By raising NFTs from the community, they were able to resell the donations for roughly 10 percent of the value of the stolen assets, or a still-impressive sum of 32 ETH. The rest has come out of their own pockets.

“I felt horrible that something that happened to me impacted all these other people. It isn’t fair that my stolen items ended up in innocent buyers’ wallets and are now locked,” Farudi said.

While the fund has reunited Nicholas and Farudi with some of their prized assets, the process has not all been easy. Soon after the scammers sold the Bored Ape Yacht Club NFTs, the perceived market value skyrocketed on the heels of a Sotheby’s auction announcement and an expansion of the Bored Ape ecosystem called “Mutants.” While most buyers returned the NFTs at cost, some ape buyers were not willing to return their inflated NFTs for what they paid. After significant negotiation, Nicholas and Farudi were able to settle with the large majority of the buyers. One ape remains. “We may have to just let it go,” Nicholas said.

Despite the stereotype of a cryptocurrency space subject to highly complicated hacks, such as when an anonymous hacker stole over $600 million in cryptocurrency (and later returned all of it), the scams used on Nicholas and Farudi were verifiably low-tech. There was no venomous code; it was fake Discord channels and fake names.

In response to the two high-profile scams, OpenSea has apologized to Nicholas and Farudi. The platform also added an SOS button, which allows users to lock their own account should they believe it to be compromised. MetaMask, the wallet service Nicholas used, has temporarily disabled the QR code which gives access to a user’s keys, since scammers have exploited the feature through victims’ screen share function on multiple occasions. While Discord has some security features to prevent impersonation, such as unique four-digit number tags on top of a non-unique username system, some users feel that the latter still enables opportunities for abuse.

For Nicholas and Farudi, their lives were upended in a matter of hours. Nicholas compared the feeling to PTSD, and Farudi says the psychological trauma has made him paranoid whenever he clicks on his MetaMask. If anything could have brought them back into the space, it was the social connections that drew them in the first place. “It’s a story centered in community. This bad thing happened and the community rallied,” Nicholas told The Verge. “There are so many people who have reached out and said, ‘Look, the same thing happened to me. And I’ve been ashamed, and I haven’t said anything. And I didn’t do anything about it because I know better.’”

“If this is what it took to close a vulnerability, and now other people won’t suffer the same fate,” Farudi added, “I feel good that we went out and did what we did.”


Comments

What the hell even is this bullshit NFT pictures of cats and dogs stolen through Discord helpdesk. Is this satire?

Just because you don’t understand something, doesn’t make it satire.

I mean, the joke is that it does sound like satire. Think about it, a discord helpdesk? Digital pictures worth thousands? NFTs? Just a couple years ago someone telling me this and I would think it’s an article from the Onion.

That’s the thing though… things change.

"buying clothes off the computer? A couple of years ago if you told me that I’d think it’s satire"
"seeing a doctor and getting prescriptions on your phone? A couple of years ago……"
"letting a stranger come and stay in your spare room? A couple of years ago…."

If this isn’t an official fallacy it should be. What you are saying is that we shouldn’t balk at something with (to us who balk) glaringly obvious faults and downsides because other things that people fought against ended up working well.

What I am saying is that pretty much all those other things (like online shopping, telemedicine, airbnb etc) also had faults/downsides. And to some at some point in time, they probably looked like show stoppers for some people who thought those things were idiotic.

My approach to these things is that, if there is a weird thing that seems to be full of obvious faults/downsides, but still a lot of people are doing it (especially younger folks), then I try not to discount it as dumb. I try to learn about it, dip my toes in it, and stay current with it. I don’t want to be like the dinosaurs who didn’t understand the steam engine, air travel, electricity, the computer or the internet…

Yeah, but all of those are physical goods. Many people went from buying 20+ CD/DVD a year to 0.

Just about everything in the NFT space currently is a scam. It’s gonna take a long time for any of it to be worthwhile or legitimate.

This is a good take that a lot of people even in the NFT community will agree on.

This implies that there are NFTs that aren’t a scam…

At least during the Dutch Tulip Mania they had some nice flowers, all we get out of our current shared delusion is a few mediocre jpegs.

So, a scam on top of a scam? Just because a few folks bought into the joke in the first place hoping to get-in-early and cash in big (boy, does that not sound like the start of Every Scam?) we’re supposed to believe otherwise?

Always a consistently rosy and optimistic this-is-the-future-get-in-quick editorial angle on NFT from Verge. Which senior editor(s) bought into NFTs and are going to look realllllly stupid if Verge doesn’t continue to do its job to promote NFTs as anything other than a scam?

"It’s perfectly fine that this unregulated speculator hellhole that trades something less tangible than TF2 hats is full of scams. The community crowdfunds support for hundreds of thousands of dollars of stolen assets while the scammers get away! See, totally sustainable!"

I think this is actually hilarious.
And a pretty good showcase of why humans are stupid.
Smart and greedy people selling worthless shit.
Dumb and greedy people buying worthless shit.
Bad and greedy people stealing worthless shit.
I love it

Good to see The Verge actually report on new technological/cultural trends without overlaying the writer’s personal spin of it.

"It seems almost paradoxical that a space whose users are generally fluent in traditional cybersecurity can become victims so easily"

This is a pretty ridiculous assumption to make. I have not met a single person who is into the whole NFT scenario that’s even remotely tech-savvy, let alone fluent in traditional cybersecurity.

My favorite part of the NFT scam-fest is a bunch of non-technical internet people claiming that "Web 3.0" is the future and blah blah blah and then if you spend like half an hour figuring out what the fuss is about it’s the world’s least performant Key-Value store which arbitrarily requires wasting a ton of electricity and gets you a sort of decentralized "guarantee" that transactions haven’t been modified except oh wait only a small handful of miners in corrupt countries where people are able to get free energy actually control 99% of transactions.

I was scammed in the same way and lost about 150 ETH. This happened 2 days ago and the police have not provided any updates. I am wondering if anyone can help me connect to the two people mentioned in the article who managed to get their money back. Please help!!!

I think we can file this one under the "play stupid games, win stupid prizes" category. Of course the NFT community is going to be full of scammers. NFTs are sort of like video game cosmetics/lootboxes, except basically unregulated and somehow with even less utility…
