7 NFT scams to look out for

Nonfungible tokens (NFTs) are one-of-a-kind digital assets that live on a blockchain with unique identifiers and data. Blockchains — public ledgers on a network — verify NFT transactions, and may have smart contracts built into them so NFT creators earn royalties from sales.

Many artists, musicians and creators use NFTs as a way to earn income. However, scams are rampant since NFTs are easy to create and exist solely online.

From old-school email phishing to malicious rug pulls, there's quite a few categories of crypto and NFT scams.

7 NFT scams to watch out for

Many scammers go great lengths to get their hands on someone else's digital assets. These scams are often sophisticated, difficult to spot and could take place over the course of months or longer. Here's seven scams to be aware of and how to avoid them.

1. Phishing

Phishing scams aren't new, but with NFTs, this tactic can cause a catastrophic loss.

A phishing scam is when a con artist tries to get information out of you, usually personally identifiable information (PII) such as your birthday, home address, driver's license number, medical records, social security number or more. If the scammer gets this information, they may sell it or use it to open accounts in your name.

With NFTs, these scams often involve a fake representative of a wallet requesting you to verify your wallet's private keys or passphrase. Your keys and passphrases protect your crypto wallets — if someone gets this information, they can access your wallet and steal your digital assets.

DeFiance Capital founder Arthur Cheong was a phishing victim on March 22, 2022 — just over US$1.7 million worth of NFTs were stolen from his cryptocurrency wallet, as reported by Fortune.

Cheong states he was the victim of a spear-phishing email, disguised as a company on DeFiance's portfolio. When he clicked a link in an email, he allowed a hacker to get his wallet passphrase. A few notable assets stolen include two Tsubasa, two Hedgies and 33 Second Self NFTs.

Image source: OpenSea Second Self collection, Second Self #5652

How to avoid:

• Never give out your wallet's private key or passphrase.
• Avoid strange links in emails sent from unfamiliar addresses.
• If you're asked to verify your PII, do so with caution and be sure it's a trusted source.

2. Catfishing

It's likely you've heard this term within dating apps and social networks, but catfishing isn't limited to individuals looking for love under false pretenses.

Catfishing scams with crypto often involve scammers creating fake social media profiles, then contacting victims to get personal information, sending a malicious link or get a user's wallet passphrase to steal their assets.

There are reports of catfishers sending fake crypto wallet sites to victims, encouraging them to sign up and deposit funds. That's when the scammer takes your assets. Scammers may use fake business or romantic relationship grooming tactics.

How to avoid:

• Look for profile verification (such as the blue check mark) if a company or brand messages you before continuing a conversation.
• Don't click on links sent from users you don't know.
• If a company or individual messages you, look at their page for followers, engagement and the age of the profile. A brand new user with few followers or friends may be a red flag.
• If an individual messages you and you're suspicious, use Google's reverse image search tool to see if the profile picture is stolen.
• If someone you don't know wants to start a business or romantic relationship, do your best to verify their identity. Reculantance to meet over video calls is a telltale sign of catfishing.

3. Fake airdrops

An airdrop is a marketing stunt where a company or developer gives away free cryptocurrency or tokens to users, mainly as a way to spread news of a new product or service. Airdrops are real, and participants get free tokens or coins, but the key is to remember that they're always free.

If someone contacts you and asks for a payment before receiving an airdrop, it's a scam. And often, airdrops are awarded to users for holding a specific coin, completing a task or scavenger hunt, or by scanning a QR code — but should never require a deposit or payment.

If the airdrop asks for your wallet's private key, it's a scam, since getting crypto only requires your public key. These airdrop scams can be sneaky, often involving scammers creating counterfeit sites.

Recently, a fake Rarible site advertised an airdrop asking users to send between 500 to 25,000 RARI (Rarible's native currency) to an address, and in exchange would receive 5X times the amount back. However, participants never receive anything back and instead are conned into paying the scammer.

Many of these classic scams use odd language including strange grammar, and promise victims an amount after sending a deposit. Avoid "airdrops" organized like this — it's not real.

Image source: Security Boulevard, screenshot of counterfeit Rarible giveaway scam

How to avoid:

• Disregard airdrops asking you to put up crypto as a deposit to "secure" your spot for an airdrop, it's likely a scam.
• Avoid airdrops requiring you to provide your wallet's private key or passphrase to receive an airdrop. Never give out this information. Your public key is your wallet's address and is comparable to an account number, which can be shared — but never share your private key.
• Be wary of emails announcing an airdrop with spelling mistakes or grammar issues.
• If you're contacted about an airdrop that advertises a large amount of free cryptocurrency, be wary. The coins handed out in airdrops are typically in very small amounts.

4. Rug pulls

A rug pull scam is when a company or developer creates a new crypto project, pumps up their asset's value then pulls out, taking the money and running while leaving their investors with a valueless asset. There are a few ways this can be done, and rug pulls aren't always considered illegal.

• Liquidity pulling or stealing. When the developers remove (steal) unlocked tokens from a liquidity pool, so the rug puller can sell them off.
• Limiting sell orders. Taking away an investor's ability to sell tokens so they're locked into their investment.
• Dumping. When the developers sell all their own tokens or slowly sell over time to cash out, dropping the price and leaving investors with worthless tokens.

Rug pulls also come in two forms: hard and soft. Hard pull scams involve developers planning on walking away from the get-go, or adding malicious code to a token from the start. A common hard rug pull is a liquidity pull, when the token creators take everything out of the liquidity pool making the price of the token zero.

A soft pull may involve the creators selling a large supply of tokens, or selling in increments, driving the price down so much that the investors have nearly worthless coins. A soft pull is harder to identify, because it may happen over a longer period of time than a hard pull, and it's harder to prove that the developers had intent to do a rug pull. And developers selling their tokens isn't illegal, since it's a free market.

Another type of rug pull is when a developer of a specific project promises to donate the proceeds to organizations or charities, but instead takes the money and runs. This isn't technically illegal, just unethical — so there isn't much to do if you fall into one of these rug pulls.

A recent example of this is Doodled Dragons, a verified NFT collection that promised to donate proceeds to charitable organisations. The creator announced a donation of US$30K to the World Wildlife Fund (WWF), but instead, the creator took the money and ran. They even announced the rug pull on Twitter from the now-deleted account just two minutes after announcing the US$30K donation.

Image source: Reddit, u/TheGreatCryptopo on r/CryptoCurrency

Rug pulls are devastating, since investors aren't likely to get any reparations after the fact. And if there's no evidence of ill intent, it may not even be classified as illegal.

How to avoid:

• Consider investing in long-standing projects with well-known tokens.
• If you have the skills, you may be able to identify code that disables an investors ability to sell, or identify other malicious code.
• If you want to put your tokens in a liquidity pool, read the terms and conditions. Avoid liquidity pools where the tokens aren't locked, because the developers could sell everything whenever they want. Tokens are safer when locked in liquidity pools.
• Be wary of projects that appear suddenly. Legitimate developers take time to create new tokens, and many try to build hype with announcements, social media campaigns and possibly airdrops over the course of months or even years.

5. Fake NFTs

A fake NFT involves a scammer taking someone else's work, minting it and selling it on the marketplace under the guise of the original creator. Fake NFTs may include plagiarised work or fraudulent accounts pushing stolen content.

Bored Ape Yacht Club is one of the top NFT collections to date, so it's not surprising that there are copycat and plagiarised collections rampant across NFT marketplaces.

How to avoid:

• Look for accounts that are verified on NFT marketplaces, or seek out official collections.
• Consider collections with a long-standing history.
• Compare suspicious NFTs to the official collection for differences in resolution, format, creator name and size to help determine if it's legitimate.
• Accounts with few or only one NFT can be a red flag.
• Look at the metadata of your NFT you plan to purchase. Metadata can be used to verify an NFT's authenticity using a blockchain explorer.

6. Hacks across platforms

A sitewide hack on a cryptocurrency exchange or NFT marketplace can hurt. Unfortunately, whether or not this happens to you largely depends on the site's security. However, to minimise risk of becoming the victim of a platform hack, choose a well-known site with proven security measures.

If a platform hack involves individual third-party wallets, there may not be anything the platform can do.

But, the good news with sitewide hacks is that you may be reimbursed if it's proven that it was the platform's fault, or if the hack affected the platform's own content management systems.

For example, in January 2022, Crypto.com was hacked, but soon after the breach, affected customers were reimbursed and impacted accounts were fully restored, according to The Verge.

Social media accounts, Discord servers and subreddits are no exception to hacks, either. Fake accounts may spam forums and chats with malicious content or false information, or pretend to be customer service. If you're suspicious of any recent activity on a site or server, contact the company directly.

How to avoid:

• Consider only signing up for exchanges or NFT marketplaces that have a long standing in the industry. Their security measures may be more tried and true.
• If you're an account holder on an exchange with multiple high-value NFTs, consider keeping the majority of your assets stored offline in a cold wallet. Cold wallets are only online while plugged in vs. hot wallets, which are always online.
• Read a platform's terms and conditions to see how it handles major security breaches, and how it plans to reimburse victims of theft.

7. Sleepminting scams

Sleepminting is when a scammer uses another artist or creator's account or wallet to create a fake NFT. A scammer mints an NFT to the wallet of another creator, transfers ownership to themselves, then lists it for sale on a marketplace — giving the illusion that a legit developer created the NFT, thereby "proving" authenticity.

This scam is difficult to spot, especially if the NFT was minted to a verified creator's account and listed for sale on a legitimate NFT marketplace.

How to avoid:

• Consider following NFT creators on social media and look for news signaling official drops. NFT creators are often on Discord, Twitter and Reddit.
• Consider direct-messaging a creator about authenticity if you're suspicious of a sudden listing.
• Look at your NFT metadata and read the transaction and ownership history. Consider it a red flag if an especially famous NFT creator is giving away valuable NFTs to wallets for free, or a seller lists to other users at very low prices.

How to verify an NFT

Many argue that verifying an NFT's authenticity is easy, thanks to blockchain technology. However, in the case of sleepminting, NFTs are forged.

One way to verify an NFT's authenticity is to use a blockchain explorer — like Etherscan.io — to look at an NFT's metadata. This is done by entering the NFT's hash: a unique string of letters and numbers that identifies it.

A blockchain explorer — sometimes called a block explorer — lets you view blocks, transactions, fees, mining activity and more. Using this wealth of information, you can see an NFT's ownership history and how often it's been traded to help you verify authenticity.

Finder survey: How risky do Australians of different ages think cryptocurrency investments are?

6 NFT fraud prevention tips

Keep these fraud prevention tips in mind before heading out to the wild west of NFTs:

1. Keep your secrets — Never give out your crypto wallet's passphrase or private key. Your wallet's private key is proof of ownership because it's tied to your owned NFTs.
2. Avoid poor platforms — A poorly-built website can be a sign of a scam. Con artists aren't likely to take the time to develop an attractive and functional website.
3. Choose verified creators — Consider only buying NFTs from verified accounts, or from the creator themselves.
4. Avoid shady projects — Avoid crypto or NFT projects that appear out of nowhere, or projects with anonymous contributors.
5. Shun the bad links — Don't click on links unknown users send you, especially if the link is a combination of numbers and letters (such as "https://link.app12wevd545sf4")
6. Use cold wallets — Storing your NFT(s) in a cold wallet is generally safer than using hot wallets. Cold wallets are only online while plugged in, making them less susceptible to hacks and theft.

Follow your gut — if there's a red flag, don't ignore it. And if it sounds too good to be true, it probably is.

Compare NFT marketplaces

1 - 5 of 19

Product GXFCY-NFT	Categories	Services	Blockchains	Payment methods
CoinSpot NFT Marketplace	Sports, Collectibles, Art, Music, Trading cards, Domain names, Metaverse (Virtual Worlds), Memes, DeFi	Buy, Sell	Ethereum, Polygon, Klaytn, Flow, Enjin, Chiliz, Hive, EOS, SOL, GALA	Cryptocurrency, Bank transfer	CoinSpot lets you buy, sell and swap 100s of cryptos from its simple-to-use desktop or app trading accounts.	Go to siteView details Compare	loading Fetching your data...
Binance NFT Marketplace	Sports, Collectibles, Art, Gaming, Music, Trading cards, Domain names, Metaverse (Virtual Worlds), Memes, DeFi, Mixed	Buy, Sell, Mint	Ethereum	Credit card, Debit card, Cryptocurrency, Bank transfer	A peer-to-peer marketplace supported by one of the world's largest cryptocurrency exchanges, Binance.	Go to siteView details Compare	loading Fetching your data...
Splinterlands	Collectibles, Gaming, Trading cards	Buy, Sell, Stake	Hive	Cryptocurrency, PayPal	Splinterlands is a digital, play-to-earn, collectible card game built on hive blockchain technology.	Go to siteView details Compare	loading Fetching your data...
mintNFTs	Sports, Collectibles, Art, Gaming, Music, Trading cards, Domain names, Metaverse (Virtual Worlds), Memes, DeFi, Film & TV, Photography, Mixed, Books, Media File, Templates, Metaverse	Sell, Mint	Ethereum, Polygon	Credit card, Debit card, Cryptocurrency, PayPal	Go to siteView details Compare	loading Fetching your data...
SoRare	Sports, Collectibles, Gaming, Trading cards	Buy, Sell	Ethereum	Credit card, Debit card, Cryptocurrency, Bank transfer	A fantasy football game with collectible NFT cards, officially supported by the biggest soccer leagues in the world.	Go to siteView details Compare	loading Fetching your data...

loading

Prev

1 2 3 4

Next

Written by

Bethany Hickey

Writer

Bethany Hickey is a writer for Finder, specialising in car and life insurance. She has ontributed to multiple automotive sites including CarsDirect, Auto Credit Express, Drivers Lane, and The Car Connection. She has a Bachelor of Arts in English from the University of Michigan-Flint, and has always been fascinated by digital content’s impact on current writing practices. When Bethany isn’t writing, she’s either crocheting or playing cozy games on her Switch. See full bio