Within the NFT community, hackers are unfortunately on the rise. Users who engage with the scams shared by hacked accounts have collectively lost millions of dollars in NFT collectibles and other tokens, all because they connected their wallets to what they believed was a legitimate NFT mint or token claim.
As creatives and potential NFT creators, we must consider what responsibility we take over whether a buyer gets scammed or not. This is a small-scale example, but a month ago I held a clothing sale on my Instagram stories. I shipped off all the clothes to many girls but alas, one package got lost in the post. Of course, this is not my own fault but the fault of the post office. So is it therefore my responsibility to give back the buyer’s money and cover the ‘scam’? It’s a tricky one.
The same dilemma exists within the world of NFT scamming. There’s rising sentiment among creators against reimbursing users who lose assets by engaging with social media scams. Some see that kind of make-good effort as rewarding the reckless actions of users who don’t take precautions, which goes against crypto industry tenets of self-custody, accountability, and performing adequate research.
Whichever way you decide to go, the attacks have been increasing, so it’s worth thinking about how to protect yourself as someone involved in NFTs.
In the last few weeks alone, the social media accounts of several notable NFT projects, creators, and collectors have been hacked and used to spread scam links. When people engage with these links, connect a wallet, and approve the prompted transaction, it opens them up to having their NFTs and other tokens stolen.
Recent examples of such attacks have included the Ethereum NFT project Nouns, which had its Twitter account compromised on June 27. All told, NFTs worth approximately 42 ETH ($64,000 today) were stolen from 25 users who engaged with the link shared by attackers.
Pseudonymous NFT collector and trader Zeneca had his Twitter account compromised this week, as well, although the extent of the damage to users is unclear. Artist DeeKay’s Twitter account also was hacked recently, along with those of noted collectors Franklin and Keyboard Monkey.
One of the most notable examples to date of a social media hack from a major NFT project is the Bored Ape Yacht Club itself, which had its Instagram account compromised with a fake mint link in April. Yuga Labs estimated the value of stolen NFTs at about $2.8 million and said that it was working to get in contact with affected users. So, yes, the stress is very much real.
Interestingly, in some of the above situations, even creators who compensated users expressed doubt about doing so, at least in the long run, or said they wouldn’t do it again.
“While it sucks to say that people shouldn’t be reimbursed for being tricked via your account, these users are engaging in zero-due-diligence activities in an attempt to make fast money, and are ultimately the ones signing messages that authorise [withdrawals] from their wallets,” pseudonymous Nouns co-creator 4156 wrote in a follow-up thread last week.
He added that most of the users seeking compensation were “extremely unsophisticated crypto users,” and that many could not prove that they had been affected. He came away from the experience “with the feeling that reimbursement was a short-term PR band-aid” for hacks, and that “normalising reimbursement removes the incentive for personal responsibility.”
Others, however, disagree with the idea of compensating users who lose NFTs via links clicked on social media platforms. Premint founder Brenden Mulligan believes that attacks via Zeneca’s and DeeKay’s Twitter accounts were not their respective faults, and tweeted that “paying victims shouldn’t be done in most cases. It needs to be the individual’s responsibility.”
“People need to be careful about their own security,” Mulligan told Decrypt. “Ninety-nine percent of the scams are because people aren’t paying attention, and trying to ape into something without thinking.”
“The user interface for the most popular wallets need to be drastically improved to make it near impossible for someone to connect to a wallet drainer,” Mulligan told Decrypt. “This is a solvable problem, but it’s batshit crazy that it’s so easy to drain a wallet and there aren’t more warnings in place to protect people.”
Education, tech tweaks, and security upgrades could help close that gap, but in the meantime, FOMO (“fear of missing out”) and speculative frenzy are turning some NFT collectors into victims. And creators appear increasingly unwilling to foot the bill.