Newsletter #47

👉🏼 Want to make an impact on the NFT scene? Here’s your chance: Lazy.com is hiring a web3 front-end developer with React experience. Tens of thousands of collectors use Lazy.com to display their NFTs. Shape what they see. Apply now by sending a sample of your work. 👀


Once you’ve curated your collection of NFTs, it is crucial to keep them safe. Clearly no one wants to get hacked. So how can you prevent it? This week we’re going to analyze three common hacks and how to avoid them.

1) Discord Hijack

In a Discord hijack, a hacked admin posts a link to a fake mint.

Imagine you’re hanging out in the Discord of a new and exciting NFT project when you see an urgent post from an admin announcing a surprise mint. Wow, right!? You rush to send your hard earned eth only to discover that the admin’s account had been hacked and the mint was fake. Welcome to the new wave of Discord hijacks.

This kind of attack is becoming more common. In recent days CryptoMories and Rare Bears were both hit. Protecting yourself from Discord hijacks can be difficult because the hackers will often move quickly and ban other admins who could alert the community to the fraud. The best defense is to be skeptical of any previously unannounced surprise mints.

2) Phishing Websites

The phishing site will ask for approval to transfer (ie, steal) your NFTs.

This time you’re hanging out on Twitter, proudly displaying your Bored Ape Yacht Club NFT, when you receive a message promising to animate your NFT. Very cool! When you visit the site, it prompts you to connect your wallet and submit a transaction. You accept and your BAYCs disappear forever. This week a Bored Ape Yacht Club member fell for this scam and lost 3 apes ($900K).

To guard against this type of hack it is important to remember that any transaction you sign or submit on a website could potentially interact with your NFT’s smart contract. That’s because smart contracts live on the blockchain and any website can interact with the contracts. So the best protection is to be wary of completing transactions on websites that you don’t 100% trust.

Oh, and by the way, if someone is offering to create an animated version of your BAYC then they don’t need you to submit a transaction on the blockchain. That’s why there is some truth to the old “right click, save as” meme.

3) MetaMask Compromise

The third kind of attack is more sophisticated than the other two and it has been proven to work against technically savvy crypto users. In fact, this week a prominent crypto VC fell victim and lost over a $1.7m worth of NFTs.

The hack begins with a phishing email or message pointing to what looks like a very interesting shared Google Doc. When the user clicks on the link, their computer is unwittingly infected with malware that compromises their MetaMask. Once the user’s MetaMask has been replaced with a malicious version, the hacker gains access to their wallet seed phrase and can also spoof transactions.

To protect against this attack, aside from not clicking on links, it is important to periodically check that your MetaMask has not been replaced with a malicious version. To do this, in Chrome, click Window -> Extensions and make sure that “Developer Mode” is ticked OFF. 

Thank you for reading Lazy.com’s Newsletter. Was this post interesting? Feel free to share it.

Share


We ❤️ Feedback

We would love to hear from you as we continue to build out new features for Lazy! Love the site? Have an idea on how we can improve it? Drop us a line at info@lazy.com