The NFT scammers are here

Last month, Jeff Nicholas popped into the Discord channel for OpenSea, the popular NFT marketplace, looking for help with a royalties issue. Within minutes, someone by the name of “Pascal | OpenSea” responded, inviting him into a separate Discord called “OpenSea Support Server.” There, he was greeted by “Nate | OpenSea,” given a queue number, and eventually started talking through a resolution process with the two agents. Pascal is the name of OpenSea’s customer support lead, and Nate might have been Nate Chastain, its head of product at the time.

But there was no Nate or Pascal, and Nicholas wasn’t in a customer support channel. He’d been targeted by a group of scammers masquerading as OpenSea employees, and they got right to work. Holding Nicholas in customer support purgatory, they would ping him intermittently, telling him his turn was approaching. By online customer service standards, it was typical — good, even, for how personal they were acting. Tailored messages, an exclusive Discord invite, and multiple team members, all working as fast as they could.

If anything felt off in the conversations, it was that “Nate” kept calling him “my guy.” But between family obligations and customer service exhaustion, Nicholas overlooked the faux pas. After hours of back-and-forth, they casually suggested he share his screen with them. To Nicholas, this was just the next step in the troubleshooting process; for the scammers, their eyes began to glow.

Over the next hour, the scammers wiped out NFT apes, cats, and dogs from Nicholas’ wallet. Because he had shared his screen, they were able to snap a picture of the QR code synced to his private key, or “seed phrase,” quietly gaining full access to his assets. To stall Nicholas, the scammers calmly assured him that the royalty payments were arriving, all while frantically transferring his NFTs away. When his suspicions finally blew over, it was already far too late. The damage totaled about 150 ETH, or roughly $480,000. Soon after he was scammed, he tweeted out a single word: “Fuck.”

As the value of NFTs has increased overall, with certain projects being considered “blue chip” due to high or relatively stable valuations, so too has the threat of scammers. In the NFT space, the word “scam” covers many bases. It can refer to a project whose team rakes in millions off false promises to buyers, also known as a “rug pull”; fake Twitter giveaways of NFTs that farm retweets and followers to give the illusion of clout; and malicious links or persuasive impostors that result in the user unknowingly giving up their private key.

It seems almost paradoxical that a space whose users are generally fluent in traditional cybersecurity can become victims so easily. But in the NFT space, where a culture of community, vibes, and clicking fast on good deals rules, it is the socially minded scams that are the most compelling. Scammers, whose ploys all depend on gaining a victim’s trust, exploit the same instincts that make the NFT space more a tight-knit community of friends than an assemblage of individual traders. In this climate, Nicholas calls these scams a kind of “social engineering”: conditioning someone to think they are dealing with a friend or trusted community member so that they let their guard down.

The scam used on Nicholas is arguably the most nefarious. If a scammer has control of a user’s keys, they are able to transfer any crypto asset into a separate wallet. All transactions are irreversible by design. If a user immediately realizes their wallet has been compromised, it’s a frenzied race to transfer the most valuable assets into an uncompromised one. In Nicholas’ case, even though he had secured his account with an additional layer of protection — a hardware device that requires him to sign off on transactions — he had been manipulated into thinking he was authorizing royalty payments, and his NFTs quickly vanished.

Because a blockchain like Ethereum is decentralized and allows for anonymity, it is difficult to track down scammers who use anonymous wallets, and victims have few avenues for recourse. “It takes focus to be like, ‘I am my own bank, and I am the custodian of my own money,’” Nicholas said. “I can’t just go through it like when I go to the bank and I’m distracted on my phone. You have to be 100 percent in the moment. Otherwise it’s very easy to miss some signs.”

On the other hand, the blockchain is transparent: every transaction can be tracked, whether or not the destination is anonymous. In the recent case where community cybersleuths discovered that an OpenSea employee traded NFTs on insider information, the unsettling transactions connected back to the employee’s publicly known account; in Nicholas’ case, the scammers’ wallets and the stolen assets remained fully visible, but could reveal nothing about the new owner’s identity.

This meant that while the scammers themselves eluded identification, OpenSea could still identify the scammers’ wallet address. Upon being informed, they were obligated to “lock” the stolen NFTs, preventing them from being traded or resold. But by the time they locked Nicholas’ assets, the scammers had preemptively sold them off to the highest bidders, none of whom knew they were participating in the exchange of stolen goods.

This put Nicholas into a double bind. Despite the crushing blow of losing six figures of assets, which included the Bored Ape he used as his Twitter identity, he had to, as he says, “make buyers whole” since they had collectively spent hundreds of thousands of dollars on NFTs that were suddenly unsellable.

The NFT community has begun to develop a playbook to deal with the fallout from scams, which involves raising funds to buy back stolen and flipped goods. This typically includes community fundraising, where generous users donate excess Ethereum or in-demand NFTs, while artists often pitch in with NFTs they’ve created themselves. Oftentimes, victims are given zero-interest cryptocurrency loans, which they can use to invest or start their own artistic projects to get back on their feet. Rescue bots with names like “Cool Cats Rescue” and “dogemaster42069” patrol the marketplace, making automatic lowball offers to liquidity-starved scammers so the NFTs can be returned to the original owners at fairer prices — and sometimes for free.

Nicholas connected with Sohrob Farudi, an NFT collector who’d lost what he estimated was 250 ETH, or $800,000, after scammers had deceived him by impersonating the Bored Ape Yacht Club founders. Together they started a community fund to buy back the stolen NFTs that had been frozen. By raising NFTs from the community, they were able to resell the donations for roughly 10 percent of the value of the stolen assets, or a still-impressive sum of 32 ETH. The rest has come out of their own pockets.

“I felt horrible that something that happened to me impacted all these other people. It isn’t fair that my stolen items ended up in innocent buyers’ wallets and are now locked,” Farudi said.

While the fund has reunited Nicholas and Farudi with some of their prized assets, the process has not all been easy. Soon after the scammers sold the Bored Ape Yacht Club NFTs, the perceived market value skyrocketed on the heels of a Sotheby’s auction announcement and an expansion of the Bored Ape ecosystem called “Mutants.” While most buyers returned the NFTs at cost, some ape buyers were not willing to return their inflated NFTs for what they paid. After significant negotiation, Nicholas and Farudi were able to settle with the large majority of the buyers. One ape remains. “We may have to just let it go,” Nicholas said.

Despite the stereotype of a cryptocurrency space subject to highly complicated hacks, such as when an anonymous hacker stole over $600 million in cryptocurrency (and later returned all of it), the scams used on Nicholas and Farudi were verifiably low-tech. There was no venomous code; it was fake Discord channels and fake names.

In response to the two high-profile scams, OpenSea has apologized to Nicholas and Farudi. The platform also added an SOS button, which allows users to lock their own account should they believe it to be compromised. MetaMask, the wallet service Nicholas used, has temporarily disabled the QR code which gives access to a user’s keys, since scammers have exploited the feature through victims’ screen share function on multiple occasions. While Discord has some security features to prevent impersonation, such as unique four-digit number tags on top of a non-unique username system, some users feel that the latter still enables opportunities for abuse.

For Nicholas and Farudi, their lives were upended in a matter of hours. Nicholas compared the feeling to PTSD, and Farudi says the psychological trauma has made him paranoid whenever he clicks on his MetaMask. If anything could have brought them back into the space, it was the social connections that drew them in the first place. “It’s a story centered in community. This bad thing happened and the community rallied,” Nicholas told The Verge. “There are so many people who have reached out and said, ‘Look, the same thing happened to me. And I’ve been ashamed, and I haven’t said anything. And I didn’t do anything about it because I know better.’”

“If this is what it took to close a vulnerability, and now other people won’t suffer the same fate,” Farudi added, “I feel good that we went out and did what we did.”