Web3 security best practices are not your dad’s Web1 worries. Because of the massive amounts of capital stored on blockchains, scammers of all stripes have become incredibly sophisticated, sometimes playing much longer cons than you might imagine.
For instance, a February 2022 Twitter thread from ArrowDAO founder @thomasg.eth details a two-week-long social engineering scam that nearly cost him all of his ETH.
Actor Seth Green famously lost his Bored Ape and several other NFTs in a recent phishing scam that nearly derailed his planned TV show starring said Ape (whose name is Fred, FYI).
These brushes with fate could’ve easily been avoided with some simple best practices that we will detail in this post.
Nota bene: We are still in 1995 as far as Web3 maturity goes. Here be dragons, yes, but The Forces of Good learn and adjust with each hack and scam. If I get a tad redundant in this article, it’s for your own good.
Wallets, Passwords, & Private Keys
Don’t keep everything in one wallet.
Just as you wouldn’t keep your checking, savings, 401(k), house deed, and car title in your back pocket or purse, you shouldn’t keep all of your crypto assets in a single wallet (or, God forfend! an exchange).
…ARE NOT WALLETS! Exchanges turn to delicious turkeys in the cartoon eyes of black-hat hackers everywhere and are thus the most highly targeted destinations in all of web3. Don’t keep anything in an exchange that you would mind losing.
Hot wallets are software wallets that live online. They are vulnerable to all sorts of attacks — like Seth Green’s $300,000+ mistake. Hot wallets should be used for storing low-priced assets, planned flips, and expendable (i.e., non-investment) crypto.
Cold Wallets & Multi-Sig Wallets
These are the safest options for storing investments and grail NFTs (i.e., high-ticket items).
Cold wallets are storage drives that keep your crypto-assets offline, which is as impervious to bad actors as it gets — unless you fall for a social engineering scam (more on that below).
A multi-sig wallet is a digital wallet that operates with multi-signature addresses. This means that it requires more than one private key to sign and authorize a crypto transaction, or, in some cases, several different keys can be used to generate a signature.
Use a password manager
Even if you only use web2, this is essential. Don’t re-use passwords. Don’t use simplistic passwords. Don’t use your birthday or kids’ names. For most passwords, you shouldn’t even know your password. I don’t need to go on because you should just listen to me and use a password manager!
Turn on 2FA
Again, leaning on web2 security best practices, two-factor authentication exists for a reason. Websites are compromised all the time. Passwords are stolen. If you have two-factor authentication turned on — however much an “inconvenience” it may be — you can be sure that your security and privacy are safely in your hands.
Obey private key best practices
Here they are:
- Store your private key OFFLINE. It should not exist on your computer and, for heaven’s sake, not on any cloud server.
- Have at least two copies stored offline. If one gets destroyed, you should have access elsewhere.
- Don’t ever share your private key with anyone.
- NEVER, EVER, EVER share your private key with anyone.
Interacting with Web3
Don’t connect to just any dApp
Scam websites are increasingly legit looking, so it’s important to be wary when a website prompts you to connect your wallet, especially your primary wallet.
These scam websites come in many different flavors:
- Copies of actual websites: There are countless “MetaMask” ripoffs, and they’re not just floating around in Twitter DMs. They are sometimes the top hit from Google Ads when you search. In these cases, one way to protect yourself is to become an eagle-eyed spellchecker. You’ll find variations on a website that look like “The MetaMask” or “MettaMask” or “MataMask.” Sometimes the ending of the URL will be different, perhaps with a .xyz, .co, or some other seemingly acceptable variation. Variations are never acceptable.
- FOMO URLs: Cool new projects that seem too good to be true are engineered to induce FOMO and cause an irrational purchase. Hackers gain access to a user’s wallet as soon as that user signs in to one of these fake projects to make a purchase. Game over.
- Email and DM phishing: This classic scam involves what looks like an email from a website you regularly interact with, carrying a malicious link that will lure you into a transaction. The link may even deliver malware that will crawl your computer for seed phrases. Terrifying, right? Get out the pen and paper and keep your seed phrase in the meat space.
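The eagle-eyed spellcheck described under "Copies of actual websites" can be automated. The following is an added example, not part of the original article: it compares a URL against a personal allowlist and flags the misspelled, padded, and wrong-ending variations named above. The `TRUSTED` list, the `check_url` function, and the shortcut of treating the last two labels as the registered domain are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a personal allowlist of the exact sites you connect a wallet to.
TRUSTED = ("metamask.io", "opensea.io")

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url, trusted=TRUSTED):
    """Return (verdict, allowlisted domain it matches or imitates, reason)."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is lowercased
    labels = host.split(".")
    # Simplification: treat the last two labels as the registered domain.
    # Production code should consult the Public Suffix List instead.
    domain = ".".join(labels[-2:])
    if domain in trusted:
        return ("trusted", domain, "allowlisted")
    name = domain.partition(".")[0]
    for good in trusted:
        brand = good.partition(".")[0]
        if name == brand:                      # right name, wrong ending
            return ("lookalike", good, "different ending")
        if any(brand in label for label in labels):  # padded name or subdomain
            return ("lookalike", good, "brand embedded")
        if edit_distance(name, brand) <= 2:    # one or two characters off
            return ("lookalike", good, "misspelling")
    return ("unknown", None, "no match")

# Constructed sample URLs built from the variations the article names.
SAMPLES = [
    "https://metamask.io/download", "https://mettamask.io",
    "https://matamask.io", "https://themetamask.io", "https://metamask.xyz",
    "https://metamask.io.wallet-check.example/connect", "https://example.org",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", check_url(u))
```

An "unknown" verdict only means the site is not on your list and does not resemble anything on it; it is not a sign that the site is safe.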
Remove extraneous browser extensions
Be sure that your Chrome extensions are well known and widely used. For example, in March 2020, a fraudulent Ledger Chrome extension asked users to enter their private key, resulting in around $2.5M in stolen XRP.
Don’t click links in Discord or Telegram
These two social channels are the most popular for private comms in web3, but they’re also easily hacked and socially engineered. It’s probably not an overstatement to assume that every high-ticket crypto project has had its Discord or Telegram infiltrated by malicious actors.
When you arrive at any site that prompts you to connect your wallet, your feelers should pop up. Prepare yourself for an investigative turnaround as though you were Columbo stopped in his tracks with just one more question. This is where you bust the baddies.
Avoid sharing too much personal information online
There’s a good reason that perfectly respectable, well-meaning people are still largely anon or — if doxxed — hard to learn much about. Oversharing makes you vulnerable to social engineering tactics. Imagine what someone could accomplish calling your grandmother when they know enough about you to cook up a plausible tragic story that can only be fixed with money.
Verify the identities of people who reach out to you.
It’s trivially easy for a baddie to create accounts to impersonate others. If someone reaches out to you out of the blue on Twitter, try to follow up in Discord or through other means. If anything seems too good to be true — like Elon or Vitalik pinging you to say, “I think you’re cool!” — ignore them. It’s best to assume that neither Elon nor Vitalik thinks you’re cool.
Be on your guard around airdropped NFTs
Airdrops are often legitimate marketing tactics, rewards for holding a certain coin or NFT, or fulfilling a bounty. But they can also be the ultimate Trojan Horse.
If an airdropped NFT asks for your private key, remember the first rule of web3: Don’t share your private key. If someone asks you for payment before receiving an airdrop, ignore them — and maybe screenshot the request and post it to Twitter.
Airdrops are never “prepaid.” Someone who requests payment in exchange for an airdrop is someone who has no intention of sending you an airdrop.
Social engineering scams
The weakest link in all of security is the human element. Here are a few ways social engineers will catch you when your guard is down.
If you don’t know the person, ignore it. If something sounds too good to be true, ignore it. Similarly, if something sounds TOO BAD to be true, use your Spidey Sense and common sense. Apply this reasoning to every possible channel through which someone could contact you.
Don’t download files from strangers
This is Internet 101, but emotions run high in web3. Just about every noob and half of web3 veterans think they’re one perfect purchase away from a comfy retirement. Don’t fall for it.
Watch out for fake NFT collections
When browsing NFT collections, especially on open marketplaces like OpenSea, never use a link that isn’t verified and reputable. Projects that look strikingly similar or even identical to popular NFT projects may be harmless, but it’s better to be safe.
Often, even seeming rising stars in the NFT world will be scams, such as Frosties, whose 20-year-old founders nearly made off with $1MM before launching a second scam NFT collection. Best practices dictate that investing in a project whose founders are not fully doxxed poses a definite risk. Use discretion.
Investment scams involve investors forking over crypto-assets to “experienced traders” who either simply keep the money or post fraudulent returns a la Bernie Madoff.
BTC Global defrauded 27,000 investors of more than $80 million. Over some months, excited investors sent money to an investment pool, which they believed was managed by a master trader. If an investor attempted to withdraw money, they were informed that the “master trader” was attacked and could no longer provide services.
Too good to be true = too good to be true.
What to do if you’ve been scammed
If you’ve been scammed through a cryptocurrency exchange or transaction, screenshot all communications with the scammers, gather all other relevant information, and report the incident to the following parties:
- Local authorities
- Your bank
- Your cryptocurrency exchange
- The company that issued the affected wallet
Also, no matter how embarrassed you may be, remember that Seth Green built an entire show around an NFT that he kept in a hot wallet. (What a maroon!) After you’ve comforted yourself with that information, post your story to as many social media channels as possible. Drawing attention to various scams will be educational for the web3 ecosystem and, hopefully, keep others out of harm’s way.
The entire content of the above article can be summarized thusly:
- Don’t ever share your private key with anyone.
- Be strategic about wallet hygiene.
- Too good to be true = too good to be true (especially in our current bear market).
- Don’t talk to (or click on) strangers.
To quote the sage punk6259, web3 is “like cars before seatbelts right now.” Drive safely.