I almost got hacked! Not because I was naive to hackers’ antiques in tricking users into accessing cloned websites with phishing links. But because I almost fell prey to it due to complacency. If you’ve followed me across social media (Twitter and LinkedIn), you’d know this isn’t my first rodeo with crypto. But my recent experience made me realise irrespective of one’s experience and expertise in this space; no one is genuinely ever above vulnerabilities in crypto. What happened? Let’s get to it!
As part of my usual marketing exercise, I was researching specific branding options for an NFT project I support. This was after I got wind of the news that The Sandbox metaverse project forgot to renew the ENS domain name, sand.eth, and someone else quickly snapped it up and registered it. So I decided to check the availability of the domain name of the project I referenced earlier. Getting on Google and searching for the ENS domains site, I typed “ENS domains” on the search bar. What happened next was interesting. I usually do not click on ads displayed on Google's first page. It's specific to me, but I am particularly immune to clicking ads on Google or social media. As expected, the search results displayed an ENS ad at the top. But this time, I clicked on the ad, which redirected me to my Metamask wallet extension on Chrome. Immediately, I knew what it was, a phishing link! Of course, I wouldn't start inputting my password and whatnot. That would be silly, right. This isn't my first rodeo, remember? So I smiled and closed the page. But here is the kicker…
The screenshot above shows the ad on Google’s first page when you input the ENS domains in the search bar. Notice they engineered the URL to look like the Gitbook link of the official ENS domains platform. But once you click, it redirects you to the phishing site and, within a split second, asks you to give access to your Metamask wallet.
Later the same day, I wanted to swap on Sushi DEX. So this time, I went straight to sushi.com's official website, sushi.com. But immediately after opening my Metamask wallet on the platform, I was immediately prompted to authenticate and give permission for the dApp to access my wallet. Typically, this would've meant nothing. But the thing is, Sushiswap already had access to my Metamask wallet (this is also not a good practice but more on that later), and I don't remember revoking the approval. So it was odd that I was being prompted to give permission again. Then I noticed that this request was from the phishing link I clicked on earlier, and I remembered that I should've clicked "Cancel" even after closing the phishing URL.
And because I didn't cancel it then, that action was waiting for me to authenticate. Had I not been conscious of the little fact that Sushiswap already had access to my wallet, I would have gone away thinking nothing abnormal happened. And would have given an unknown scammer full access to all the funds in my wallet, only to wake up one day to see it get wiped.
Immediately, I tapped on the three dots at the top right corner of my Metamask to see my list of “connected websites”. And voila! There it was, the phishing URL hiding away. I disconnected it immediately to avoid any further mishaps.
This got me thinking about how easy it is to fall prey to these scams. I was lucky because I kept close tabs on the dApps I have allowed access to my wallet. Not even my years of experience could've protected me from that if I hadn’t disconnected access to the phishing link immediately. I might have escaped unscathed, but not everyone could have been so lucky, hence my reason for sharing my story and giving you tips on how to protect yourself from this type of occurrence. So I decided to share this story and remind you guys how easy it is to lose everything in DeFi with a click of a button.
Why anyone can fall prey to scams in DeFi
I have to admit, usually, when I hear stories about how people fall for scams in this DeFi and Crypto space, I do feel bad for the losses. But somewhere in my mind I always feel it's because of their inexperience. My experience reminded me of the phishing attack on Arthur Cheong, founder of DeFiance Capital about 2 months ago. The reality is, that scams in the DeFi space are becoming more subtle and a perennial game of innovative black hats. Even years of experience and expertise in this sector may not be enough to protect you from them if you throw caution into the winds for even a second. We’ve seen the case of OpenSea phishing attack on users in February, leading to losses to the tune of $1.7 million in NFTs. Another 2021 report on DeFi and crypto scams shows that theft and fraud in DeFi are currently over $10.5 billion, a 600% increase from 2020. Let's take a look at some common scams encountered in DeFi.
Common scams in DeFi
Perhaps the oldest scam in the books and probably the most common scam prevalent in DeFi. The case I shared here was an attempted phishing attack. A phishing attack occurs when malicious attackers target sensitive information from users such as their private keys to gain access to their crypto wallets. Scammers do this by cloning original website domains with similar names often wrongly spelt. For example, you could have a phishing site with the name ens.domainz, imitating the official ens.domains website. They lure users to these fake sites or landing pages via emails or ad links prompting them to input sensitive data such as wallet passwords, and recovery phrases or in my case prompt people to authenticate access to their wallet unsuspectingly. Arthur Cheong and the OpenSea phishing attacks are two notable examples. There are many more.
###File extension spoofing
Like phishing, this is also an old form of internet scam where scammers disguise malicious files as PDFs or other file types to get people to download or open them. For example, a malicious executable script file such as the .scr or .exe file format might be disguised as a normal pdf file by changing the file name with the .pdf extension. Then once a victim downloads or opens the file thinking it's a regular pdf, their entire computer will be compromised, giving an attacker full access to all their cookies, passwords and extension data. This means that the attacker can transfer all the assets in your hot wallet instantly.
This form of attack is usually packaged as pitch decks and targeted at artists, influencers, promoters and project leaders. These attackers can get very creative with file extension spoofing tactics that you never see them coming.
Social engineering attacks
This is a well-coordinated malicious attack that can take weeks to years to bring an individual or organisation down. Social engineering attacks rely heavily on human interaction. It employs several strategies such as emotional and psychological manipulation to carry out phishing, pretexting or baiting attacks on unsuspecting victims. ArrowDAO founder, who goes by the Twitter handle @thomasg.eth made a jaw-dropping thread narrating how an attacker targeted him through a well-coordinated social engineering attack that spanned for weeks.
Pump and dump schemes
This usually occurs in bull markets when everyone is high in FOMO mode. Malicious players or devs use this opportunity to launch projects that have no value but present it as the next big thing, misleading people into apeing into the project. Then they employ several marketing strategies to hype up the project and inflate the token's price. This is when those behind the project now cash out their bags, using their investors as exit liquidity. This scam is popularly known as rug pulls, and the famous Squid Game rug pull is a typical example.
A smart-contract attack happens when an attacker finds and exploits a loophole in the codebase of a protocol. This is common and has led to billions of dollars lost from several DeFi protocols. Smart-contract attacks are usually aimed at DeFi protocols and not individuals. But for individuals who use these protocols, smart-contract attacks also affect users significantly. Examples include the Wormhole attack, Axie-infinity's Ronin sidechain attack, and the Poly Network hack.
This is commonly used together with rug pull scams. This is when malicious actors employ the services of influential figures to promote their projects. These influencers don't disclose that they've been paid to shill these projects, thereby exploiting the trust of their followers. Earlier this year, Floyd Mayweather and Kim Kardashian was sued for an exploitative shilling.
How do you protect yourself from these scams?
Of course, nothing assures you of complete immunity from scams when dealing with DeFi and other crypto products. But you can take measures to drastically reduce your exposure and vulnerability to possible DeFi scams. Here is what I recommend;
Secure your crypto wallet - Always keep your private key safe. It is called “private” keys for a reason. Get a hardware wallet such as Ledger or Trezor. Hardware wallets allow you to store sensitive information such as private keys offline in a secure device. Store your large sums and valuable collectibles like NFTs on hardware wallets. However, do not sign any smart contract transactions with your hardware wallet.
Switch browsers - Delete your Metamask wallet extension on your current browser and reinstall it on a different, more secure browser (preferably Brave). Use your new browser for crypto transactions only; never to be used for other online activities. You can use different browsers to carry out other online activities.
Adopt a multi-wallet strategy - Create multiple new wallets for different purposes on the new browser. Just as we separate our finances into different categories such as cash on hand, checking account, savings account etc. It is crucial to adopt the same strategy with crypto wallets to reduce the risk of enormous loss in the case of compromise or theft. Only use your hot wallets for signing transactions and not your hardware wallet.
Take your time - Being in a rush is often the easiest way to get into trouble in DeFi. Always take your time to check and double-check the links you click on. Review every transaction before you sign or approve with your wallet.
Check website URLs - This is super important because most phishing sites replicate URLs of the original sites by making subtle changes that are usually unnoticeable at first glance, like changing or omitting a letter. It is good practice always to check the URL of any website you're on to ensure that you are on the right site.
Download apps from official platforms only - Just as they replicate websites, malicious actors can replicate or create fake apps and use them to carry out phishing attacks. So rather than googling the app you want to download, it is advisable to go straight to the official platforms to ensure you're downloading the right app. Furthermore, do not carelessly download or open random files on the web. Make a habit of always checking the file type. If you need to open any file, upload them on Google drive and view them there.
Be wary of ads - Ads and links are very common ways scammers reach unsuspecting victims. These ads are usually SEO optimised for better reach. They can also find their way into your emails or social media pages. Always be careful of clicking ad links online. Brave browser can help keep ads to a minimum.
Use multifactor authentication - Multiple factor authentication features such as the 2-factor authentication are handy tools used to gate-keep valuable information and make it difficult for scammers to access. Multifactor authentication features are useful protective mechanisms.
Revoke dApp approvals - Remember I said that the Sushiswap dApp had continuous access to my wallet? Well, this is not a good practice. However, having a whitelist of trusted dApps that have access to your wallet, especially dApps you use frequently, is convenient. Getting into this habit is risky because it can cause you to give unlimited access to a malicious protocol. Revoking wallet access to every dApp after using it is always a good practice. Blockchain explorers and revoke.cash are valuable tools for managing wallet/token approvals.
Ignore cold calls or messages - Scammers usually lurk on social media or community platforms such as Discord to find potential victims. They pretend to be part of a project team or impersonate team members and unsuspecting message victims personally offering to help them. Never indulge individuals who message you privately claiming to be part of the team behind a project. Real project teams will never message you privately and often warn their communities about this. And that also includes you as part of the team of any DeFi or NFT project frowning at DMs or unsolicited emails. Say everything in the group if necessary and avoid DMs as hackers always target collection founders and team members.
Do your research (DYOR) and only invest in things you understand - Finally, always do your research before committing your funds to any project. Knowing how to conduct your research is an invaluable skill in DeFi. Ensure you only invest in projects you understand well to decrease risk exposure.
These are some of the best security practices you can adopt in DeFi and the general crypto ecosystem.
Bad actors are part of every financial system, whether traditional or decentralised finance. DeFi becomes even more critical as transactions cannot be reversed or have them obfuscated to hide any trail. It's a perennial game of bad against good where hackers are constantly scheming to beat any security standard the DeFi industry has put in place. Hence, you can never be too careful. Don't trust, but verify. Read smart contracts. Monitor on-chain data if you can and never let anyone tell you you're being too paranoid. In a space like DeFi, where regulation is practically non-existent, the burden of security falls on users to adopt effective measures to protect their assets from financial predators. As DeFi and the general blockchain space evolve, so will the approaches and methods adopted by these malicious actors. No one is ever genuinely immune to scams. So keep your game up!