Common Scams

A list of some common types of scams to look out for

Seed Phrase Scams

Description: Your wallet software, exchange account, or something similar, needs you to verify your seed phrase, for security, KYC, or other legitimate reasons. You lose all of your crypto and NFTs.

What is happening: There is NO legitimate reason why any service or project would need your seed phrase. It will never happen. This is an extremely convincing fake application, prompt, website, email, etc. There are other ways to verify security, identity, etc.; your seed phrase is never used for this.

How to Mitigate:

  • The only time you ever need to use your seed phrase is when you decide you want to recover access to an old wallet. It is a decision you make, it is never an external request.

  • If you use a hardware wallet, you'll never enter the seed phrase into your computer, only on the hardware device itself. If the hardware wallet software on your computer asks for it, that is a scam. Something is impersonating it.

  • If you use a mobile wallet, you'll only enter the seed phrase into the wallet app after you choose to begin the recovery process. If the wallet app prompts you for the seed phrase, that is a scam. Something is impersonating it.

Token Approval Hacks

Description: A project is impersonated, or its website is hacked, and you sign a transaction approving the spending of your tokens. Or you made an approval previously, and the site/tool is later hacked. That approval is used maliciously and your tokens are withdrawn from your wallet.

What is happening: When you want to perform a swap or any other action that means a smart contract needs to interact with an Ethereum token you own, you have to first approve that smart contract's access to your tokens. Once it has this approval, it could then move your tokens on its own if it wanted to. Approving a small amount of access costs the same in gas as approving a lot, so a service will often suggest you perform an "unlimited approval" for access to that token, instead of only approving the exact amount needed at that moment.

Example: You want to swap 100 Dai for Eth on Uniswap. You first need to approve Uniswap's ability to access your Dai. You could approve only 100 Dai worth of access, but what if you want to swap more Dai in the future? Doing a single "approve all Dai" transaction now means you don't need to approve more Dai before any future swaps. This saves the user gas and speeds up future trades. But what if a bug is later found in the Uniswap smart contract, allowing a hacker to access this unlimited approval?
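To make the difference between an exact and an unlimited approval concrete, here is an added example (not code from the original page or from any wallet or exchange) that builds and decodes the calldata of the approval transaction your wallet asks you to sign. It uses the standard ERC-20 approve(address,uint256) and ERC-721/1155 setApprovalForAll(address,bool) function selectors; the spender addresses are constructed placeholders.

```python
# Added example: inspect approval calldata before signing it and flag unlimited approvals.
from dataclasses import dataclass
from typing import Optional

APPROVE_SELECTOR = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # setApprovalForAll(address,bool)
UINT256_MAX = 2**256 - 1                    # the usual "unlimited approval" value
DAI_DECIMALS = 18


@dataclass
class Approval:
    kind: str        # "erc20_approve" or "set_approval_for_all"
    spender: str     # contract that gains the right to move your assets
    raw_value: int   # token units for approve, 1/0 for setApprovalForAll
    unlimited: bool  # True when the approval covers everything you hold


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(spender, amount) calldata: 4-byte selector + two 32-byte words."""
    spender_word = spender.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + APPROVE_SELECTOR + spender_word + format(amount, "064x")


def decode_approval(calldata: str) -> Optional[Approval]:
    """Return the approval a transaction grants, or None if it is not an approval."""
    data = calldata.lower().removeprefix("0x")
    selector, args = data[:8], data[8:]
    if len(args) != 128:          # both functions take exactly two 32-byte arguments
        return None
    spender = "0x" + args[24:64]  # an address is right-aligned in its 32-byte word
    value = int(args[64:128], 16)
    if selector == APPROVE_SELECTOR:
        return Approval("erc20_approve", spender, value, value == UINT256_MAX)
    if selector == SET_APPROVAL_FOR_ALL_SELECTOR:
        return Approval("set_approval_for_all", spender, value, value == 1)
    return None


def warn_before_signing(calldata: str, decimals: int = DAI_DECIMALS) -> str:
    """Plain-language summary a wallet could show, in the spirit of Revoke.Cash."""
    a = decode_approval(calldata)
    if a is None:
        return "not an approval"
    if a.unlimited:
        return f"UNLIMITED approval: {a.spender} can move all of this asset"
    if a.kind == "erc20_approve":
        return f"approval of {a.raw_value / 10**decimals:g} tokens to {a.spender}"
    return f"revokes approval for {a.spender}"
```

Approving exactly 100 Dai encodes the amount as 100 * 10**18 in the second word; the unlimited variant encodes 2**256 - 1, which is what the decoder flags.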

How to Mitigate:

Message Signing Scams

Description: A malicious or hacked service asks you to sign a message with your wallet, seemingly for something innocuous. Then your NFTs are stolen from that same wallet.

What is happening: You can use your Ethereum wallet to perform gas-less actions, where it is not required that a transaction be submitted on-chain and gas be paid. For example, voting in a DAO with Snapshot, getting exclusive access to a Discord channel by verifying you control a wallet that owns a certain NFT, or listing an NFT for sale on OpenSea. These use cases are common and generally positive. But if someone tricks you into signing a message you don't understand, it could instead be to do something like listing your NFTs for private sale to the hacker at near-zero prices.
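The added example below (not code from the original page or from any marketplace) shows what a wallet could display before you sign an EIP-712 typed-data message, and flags the pattern just described: a private NFT listing at a near-zero price. The "Listing" schema, its field names, the contract addresses and the risk thresholds are all assumptions constructed for this example.

```python
# Added example: summarize a typed-data message and flag listing-style risks before signing.
import json
import time
from typing import Any, Dict, List

ZERO_ADDRESS = "0x" + "0" * 40  # "any buyer" in this hypothetical schema


def make_listing(price_wei: int, buyer: str, expiry: int) -> str:
    """Constructed sample payload in the shape wallets receive for eth_signTypedData."""
    return json.dumps({
        "domain": {"name": "Example Marketplace", "chainId": 1,
                   "verifyingContract": "0x" + "11" * 20},
        "primaryType": "Listing",
        "types": {"Listing": [
            {"name": "seller", "type": "address"}, {"name": "nftContract", "type": "address"},
            {"name": "tokenId", "type": "uint256"}, {"name": "price", "type": "uint256"},
            {"name": "buyer", "type": "address"}, {"name": "expiry", "type": "uint256"},
        ]},
        "message": {"seller": "0x" + "aa" * 20, "nftContract": "0x" + "cc" * 20,
                    "tokenId": 42, "price": price_wei, "buyer": buyer, "expiry": expiry},
    })


def summarize(td: Dict[str, Any]) -> List[str]:
    """One line per signed field, plus which contract will accept the signature."""
    d, p = td["domain"], td["primaryType"]
    lines = [f"{p} for {d.get('name')} (contract {d.get('verifyingContract')}, chain {d.get('chainId')})"]
    for f in td["types"][p]:
        lines.append(f"  {f['name']} ({f['type']}) = {td['message'][f['name']]}")
    return lines


def flag_risks(td: Dict[str, Any], min_price_wei: int = 10**16) -> List[str]:
    """Heuristics for sale-like messages; thresholds are assumptions for this example."""
    m, risks = td["message"], []
    if "price" in m and int(m["price"]) < min_price_wei:
        risks.append(f"near-zero price: {m['price']} wei")
    if "buyer" in m and m["buyer"].lower() != ZERO_ADDRESS:
        risks.append(f"private sale restricted to {m['buyer']}")
    if "expiry" in m and int(m["expiry"]) - time.time() > 365 * 86400:
        risks.append("listing stays valid for more than a year")
    return risks


def inspect_before_signing(raw_json: str) -> Dict[str, List[str]]:
    """What a wallet would show: the fields being signed and any red flags."""
    td = json.loads(raw_json)
    return {"summary": summarize(td), "risks": flag_risks(td)}
```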

How to Mitigate:

  • Only sign messages you understand for services you trust

  • Try the Revoke.Cash browser extension, which tells you when you are about to sign an approval and didn't realize it.

  • Try the Fire browser extension which tries to explain in simple terms what a transaction does.

  • Don't sign messages promising free money without first checking the project is legit, or that it's not impersonating a legit project. Just go ask and wait; if it's time sensitive, it's a scam.

  • Use the Hot/Cold wallet method described at the top of this page and don't sign with your Cold wallet. A signed message only covers the wallet that signed it.

Airdrop Scams

Description: You see a project you like airdropped you a new NFT or Token! You go sell it, or you follow a website link in its description or transaction details. Your wallet is suddenly compromised and you lose your crypto and NFTs.

What is happening: It wasn't a real airdrop; it was a scam that pretended to be the project you like. The way in which this can go wrong varies based on the attacker and the complexity of the scam. It might be a poison asset, something that looks like a normal Token or NFT, but when you interact with it (e.g. by selling it), it behaves in unexpected and malicious ways that are hard to predict. Or it might link you to a site that infects your computer or engages in one of the other scams listed above.

How to Mitigate:

  • Don't do anything till you verify the airdrop is real. Never follow the link given to you by the airdrop, it can lead to a very convincing fake. Instead, go to that project's site or discord on your own to confirm the drop is real.

  • Wait and see. Generally, things with extreme time pressure are scams. Legitimate projects take the time to avoid FUD.

  • Anyone can airdrop to any address, so consider airdrops the same thing as a spam email. You wouldn't click a link in a spam email, right? You would first check via a different communication medium if it is legitimate, and go directly to the source.

Virus/Trojan/Malware

Description: You go to a website or click a link. The crypto and NFTs in your wallet start to vanish.

What is happening: You got a virus, or a hacker was able to access your computer, and you were not using a hardware wallet. Not using a hardware wallet means the keys used to access your crypto assets are stored on your computer, for anyone to steal. Here is a similar story, and what they did next to stop it.

How to Mitigate:

  • Get a hardware wallet. With a hardware wallet, your keys don't live on your computer.

  • A hardware wallet vastly reduces this risk but doesn't remove it. With a hardware wallet, you need to approve a transaction, so nothing will happen without you approving it, but a virus could still infect your MetaMask and alter the transaction you are approving. Verify the transaction on the hardware wallet's screen before approving it.

Sharing your screen

Description: You are receiving technical support and they ask you to share your screen to help diagnose an issue. You do so, and after a moment Crypto and NFTs start to leave your wallet.

What is happening: The technical support, while appearing legitimate, were actually scammers. While you were sharing your screen, they had you click through to something that seemed harmless but revealed to them some useful information. This could be your seed phrase, a "pairing" code for letting your mobile device access your computer's wallet, or some other trick.

How to Mitigate:

  • When troubleshooting a crypto problem, never share your screen.

  • If it seems required to solve the problem, take a moment. End the support session, think it over and get some advice, and try again later. You can get advice in a reputable crypto community.

  • Don't use the contact details they gave you when trying again later. Go to the service's website, and submit a new request. This might add delay, but patience is the best defense.

  • If it seems like they still need you to share your screen, offer to send screenshots instead. Check them first for any sign of compromising information.
