“Not your keys, not your crypto” – FTX really brought that one home.
Alameda Research misappropriated $8 billion of assets stored on FTX. It was a bitter object lesson in the value of custodying your own tokens.
Are your tokens actually safer in your wallet than on an exchange?
Your keys and your crypto are your problem. If you sign the wrong smart contract, you could lose everything instantly with no easy path to recovery.
The crypto scam economy has topped $1 billion in value every year since 2021, says a Federal Trade Commission report.
According to Chainalysis, the number of transfers to impersonation scammers is up by 49% so far in 2023.
Despite the hard lessons of past losses, as a community, we’re falling for more scams than ever.
Wallet drains and other scams have happened to some of the savviest traders on the planet – so yes, it could happen to you.
If you’re going to custody your own tokens, which I endorse, you need to be aware of what kind of scams are out there and best practices for avoiding them.
Head on a swivel
Crypto scammers are a professional class. Their attacks are sophisticated and ever-evolving, and they operate at scale.
Take the Magic Eden NFT exploit from earlier this year. Hackers were able to exploit a bug within one of the platform’s newly launched tools to list over a dozen fake NFTs from purportedly high-value collections.
These looked like legitimate assets on a platform users trusted to carry verified tokens. The scammers acted quickly and untraceably, making off with $15,000 worth of SOL before getting shut down.
More recently, Vitalik Buterin’s personal X account was hacked. The scammers posted a false offer for a free NFT that exposed victims to a wallet drain account.
Several high-profile collectors were fooled, and the scam netted an estimated $691,000 worth of stolen ETH assets.
Both these attacks hoodwinked experienced traders because both of them suborned trusted sources.
Magic Eden’s users received a refund from the platform, however. Such refunds are by no means guaranteed, but they are at least possible.
Those taken in by the Vitalik Buterin impersonation scam had no recourse.
Zero-trust trading
The lesson is clear – when you custody your tokens, you must scrutinize every transaction even when you trust the source implicitly.
Websites you’ve visited before could be under a front-end attack. A friend with a hot tip could have been hacked.
To protect your self-custodied assets, you have to start from the assumption that each transaction is a scam and proceed only when you’re completely satisfied it’s legitimate.
There are a few low-tech best practices that can help you avoid most scams, including phishing attacks, bait and scam sites, and impersonation attacks.
- Read the link aloud. This is web security 101 – hackers often use barely misspelled URLs to spoof trusted sites. A gibberish URL will strike most experienced traders as instantly suspicious, but they might not blink at ‘dai1yhodl.com.’ Reading the link aloud forces your brain to slow down, stop mentally correcting transposed characters, and notice if there’s a ‘1’ instead of an ‘l’.
- Avoid free lunch. The days when traders could strike it rich with a free mint are long gone. These days, a giveaway, free mint, or similar is far more likely to be a backdoor to your wallet than a window of opportunity.
- Get social. The crypto community is nothing if not extremely online. Any legitimate source will have rich engagement on their social profiles – not just posts and followers, which could be window dressing and bots – but also comments and replies.
- Don’t rush. If you’re being pushed to make a transaction decision before you have time to thoroughly vet it, think about why that might be.
- Google it. Even if everything looks above board