NFT Scams Used To Wipe Wallets: In-Depth Review and Safety Measures

NFT Drops Calendar
Apr 27, 2022


NFTs are becoming the focal point in the shift to web3. With millions of people joining the ecosystem, many expect lots of change in terms of how goods and services are exchanged, how people interact with freedom, how entrepreneurs start ventures in the metaverse, and much more.

However, NFTs are also a hotbed for scammers and criminals. Ever since NFTs became popular, millions of dollars have been lost through fraud schemes in which “founders” launched projects only to disappear after collecting funds from investors, or in which scammers tricked collectors and stole their valuables.

To help you stay safe in the space, we cover popular fraudulent schemes in web3:

8 NFT Scams and How to Protect Yourself

1. Rug Pulls

Rug Pulls are one of the most common types of scams in web3. This type of scam was common back when cryptocurrency tokens ruled the space, and as soon as NFTs became the next big thing, rug pullers joined in on the fun.

One example of rug pullers who didn’t get away is two 20-year-olds from Los Angeles, Ethan Vinh Nguyen and Andre Marcus Quiddaoen Llacuna, who launched an NFT project called Frosties. They promised investors giveaways and early access to a game, only to abandon the project shortly after mint and transfer the proceeds to a series of wallets they owned.

Typically, projects that rug pull promise holder benefits such as access to an exclusive community, a video game, an art project, and much more. They often carry out aggressive marketing to build hype and, after investors buy into the project, disappear with the funds. This often takes place within a short time, but some abandon the project gradually, with little to no updates on roadmap progress.

How to Protect Yourself

● Do a background check on the team behind the project.
● Check their social media channels to see if they have an active community.
● Evaluate the roadmap to gauge whether it’s worthwhile to invest or if they are overpromising.

2. Phishing

Phishing is a technique that has been around ever since the early days of web2. Now with NFTs gaining traction, phishing is a common scam in the space.

The goal of a phishing attack is to social engineer the victim into revealing sensitive details such as passwords, bank account details, and, in the case of Metamask, the secret recovery phrase or private key.

A recent example of a successful phishing attack involves an NFT collector going by the name Toddtoddkramer.eth on Twitter, who lost about 16 NFTs, with most of them being from valuable collections like the Bored Ape Yacht Club and Mutant Ape Yacht Club. The hacker managed to offload some NFTs onto the market, but some were frozen by OpenSea before the hacker could sell them. Since then, Todd has managed to regain some of his NFTs with help from OpenSea and the NFT community. It appears he clicked on a phishing smart contract unknowingly, authorizing the hacker to take control of his NFTs.

A more recent phishing attack involves a Twitter user who lost about $650,000 worth of crypto from his Metamask wallet. He received several messages with requests to reset his Apple ID password and, shortly after, received a call from “Apple Inc.”; the caller ID was spoofed to make it look like the call was from Apple.

The scammer on the phone convinced him that they had noticed suspicious activity on his account and requested a one-time 6-digit verification code sent to his phone to verify he was indeed the actual owner. Shortly after, the call hung up and his Metamask wallet was wiped clean.

Here’s a summary of the attack:

● The scammer tries to log in to the victim’s account, requesting numerous password resets to create the impression of suspicious activity.
● Using a spoofed caller ID, the scammer calls the victim, pretending to be from Apple.
● The scammer then logs in to the victim’s account on another device, and now only needs the verification code to verify the Apple ID and gain access to the account.
● While the victim is still on the call, the verification code is sent to his phone, and the scammer asks for it under the pretense of verifying that the victim is the owner of the account, when in fact he is using it to log in to the victim’s account from another device.
● Once in, the scammer downloads the victim’s backups saved on iCloud, which also contain Metamask details, including the seed phrase.
● The scammer then uses the Metamask details to log in and transfer any assets from the victim’s account.

How to Protect Yourself

● Do not publish your emails and phone numbers on the public web, as they can be used to target you.
● Do not disclose your valuable assets such as NFTs, as they will make you a target.
● Set strong and unique passwords and use two-factor authentication.
● Do not share verification codes sent to your phone with anyone.
● Do not click on random links sent to your email or DMs.
● Avoid disclosing sensitive details over the phone. If there’s an issue, contact the organization through their official channels to be safe.
● Disable Metamask seed phrase upload by going to Settings > Profile > iCloud > Manage Storage > Backups > choose device > Show All Apps > Metamask on or off.
● Delete previous backups to remove the Metamask seed phrase from iCloud.
● Note: While the victim was at fault for giving out the verification code, Metamask did not inform users that iCloud may back up their Metamask seed phrases.

3. Swap Scams

Traders who swap their NFTs risk falling for NFT swap scams. Just recently, on April 5th, an individual using Swapkiwi, a swapping site similar to NFTtrader or SudoSwap, fell for a swapping scam and in the process lost his bubble gum ape and matching mutants, valued at just over $500,000 at the time.

When a trade is initiated on Swapkiwi, the site shows a green verified checkmark on the NFT image to indicate that the NFT being swapped is original and not counterfeit.

The scammer used this feature to his advantage by manually adding the green checkmark to the images of his fake NFTs, and managed to trick the victim into swapping his original NFTs for fake ones.

With no option for traders to verify the contract addresses by themselves, there was no way the victim could detect if he was falling for a scam.

How to Protect Yourself

● Swap your NFTs on reputable sites like NFTtrader and SudoSwap.
● Manually verify the contract address of the NFT you’re about to trade for.

4. Fake Marketplaces

If you’re into trading NFTs, you’ll have to use an NFT marketplace. The problem is there are many fake NFT marketplaces out there listing fake NFTs and tricking users into revealing sensitive details such as private keys and seed phrases. Such sites may also trick you into approving transfers of your NFTs to other wallets.

How to Protect Yourself

● Don’t click on random marketplace links on the web.
● Double-check the URL to make sure you’re visiting the correct site, as some scammers use URLs with similar domains.
● Do not connect your wallet to a site you’re not sure of.
● Use popular marketplaces like OpenSea, LooksRare, Rarible, Nifty Gateway, SuperRare, etc.

5. Malicious Airdrops

While not all airdrops are bad, some are created for malicious purposes. Always tread carefully if the deal seems too good to be true. One scenario in which you could fall for an airdrop scam: you are directed to a site to claim your airdrop, and when you attempt to claim it, your wallet is wiped clean.

In such cases, the scammer convinces you to connect your wallet to their site to claim money, but on the backend they run code that scans your wallet address for valuable NFTs. Once they find the NFT collection they are looking for, they call the “safeTransferFrom” function (for ERC-721 contracts) on the smart contract and transfer the NFT out of your wallet once you approve the transaction.

As a user, you may think you’re approving transactions to claim the airdrop, but in reality, you’re approving the scammer to take control of your NFTs and transfer them out of your wallet.

How to Protect Yourself

● Don’t claim airdrops on mysterious projects with no team or information about the project.
● Don’t use wallet addresses storing valuable NFTs to claim airdrops. If they require the use of specific wallets, stay away unless they are reputable.
● Don’t connect your wallet to websites you don’t trust.
● Don’t approve wallet transactions on random websites.
● Learn more about smart contract functions to know what’s going on in the backend.

6. Fake Support Staff

This is a cheap scam that aims to prey on the gullible and less informed. Scammers running this will contact random social media users, especially those having problems with a platform’s service, be it Metamask or OpenSea.

They will then pretend to be part of the support staff and direct users to take screenshots of their wallets and send the photos, under the pretense of fixing the user’s issue. In reality, they aim to extract sensitive details like seed phrases, private keys, QR codes, or passwords.

Users may also be directed to malicious websites that look like the original. Once they connect their wallets, they may end up losing their assets.

How to Protect Yourself

● Make sure you’re communicating with the official social links, either verified or referenced from their official website.
● Don’t send screenshots of sensitive details to anyone.

7. Plagiarized Art

Plagiarism is a rampant issue in the NFT space and is difficult to mitigate due to the anonymity and the thousands of assets involved. One tactic in this type of scam is people stealing art from unsuspecting artists and listing it on NFT marketplaces without consent.

Another tactic involves scammers copying a whole NFT collection and listing it on less popular marketplaces or different chains. An example is downloading copies of Bored Ape Yacht Club NFTs stored on the Ethereum blockchain and storing them on Cardano or Solana.

How to Protect Yourself

● Make sure to locate an NFT’s official links, either on Discord or Twitter.
● If you’re not sure about a project’s credibility, ask the NFT community on Twitter.
● Search popular marketplaces or Google the project to check if the project is a plagiarized version.

8. Discord and Instagram Hacks

These forms of phishing attacks have been quite costly, with a recent victim being the popular Bored Ape Yacht Club.

Coinciding with the anniversary of Bored Ape Yacht Club, the hacker pounced on the chance to infiltrate the company’s Instagram account. The scammer then posted a fake airdrop link leading to a fake website resembling the original Bored Ape website.

Once users connected their wallets, they were prompted to approve a “safeTransferFrom” transaction giving the scammer approval to transfer their NFTs to wallets under the scammer’s control. The hacker stole 133 NFTs estimated at $2.4 million.

Similar hacks have happened on Discord, with hackers infiltrating Discord groups of popular projects and posting links to fake mints and airdrops.
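
The prompts described under Malicious Airdrops (section 5) and in the Instagram hack above can be read before signing. The following is an added example, not code from this article or from any wallet: it decodes the calldata of a pending transaction and reports what an ERC-721 call would do. The helper names `decodeCall` and `assessPrompt` are hypothetical, and the addresses and token ID are constructed placeholders.

```javascript
// Added example: ERC-721 selectors = first 4 bytes of keccak256(function signature).
const SELECTORS = {
  "42842e0e": ["safeTransferFrom", "address", "address", "uint256"],
  "b88d4fde": ["safeTransferFrom", "address", "address", "uint256"], // + trailing bytes
  "23b872dd": ["transferFrom", "address", "address", "uint256"],
  "095ea7b3": ["approve", "address", "uint256"],
  "a22cb465": ["setApprovalForAll", "address", "bool"],
};
const ZERO = "0x" + "0".repeat(40);

// Decode the fixed-size (32-byte) arguments that follow the 4-byte selector.
function decodeCall(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const spec = SELECTORS[hex.slice(0, 8)];
  if (!spec) return null;
  const [name, ...types] = spec;
  if (hex.length < 8 + 64 * types.length) throw new Error("truncated calldata");
  const args = types.map((type, i) => {
    const word = hex.slice(8 + 64 * i, 72 + 64 * i);
    if (type === "address") return "0x" + word.slice(24);
    return type === "bool" ? BigInt("0x" + word) !== 0n : BigInt("0x" + word);
  });
  return { name, args };
}

// Classify a pending transaction from the wallet owner's point of view.
function assessPrompt(tx, owner) {
  const call = decodeCall(tx.data);
  if (!call) return { risk: "unknown", why: "not a recognised ERC-721 call" };
  const [a, b, c] = call.args;
  if (call.name === "setApprovalForAll")
    return b ? { risk: "high", why: `${a} may move every NFT you hold in ${tx.to}` }
             : { risk: "low", why: `revokes operator ${a}` };
  if (call.name === "approve")
    return a === ZERO ? { risk: "low", why: `clears approval for token ${b}` }
                      : { risk: "high", why: `${a} may move token ${b}` };
  // transferFrom / safeTransferFrom: args are (from, to, tokenId)
  const leaving = a === owner.toLowerCase() && b !== owner.toLowerCase();
  return leaving ? { risk: "high", why: `token ${c} leaves your wallet for ${b}` }
                 : { risk: "low", why: `token ${c} is not leaving your wallet` };
}

// Constructed sample: a "claim airdrop" button that really submits safeTransferFrom.
const pad = (h) => h.replace(/^0x/, "").padStart(64, "0");
const VICTIM = "0x" + "11".repeat(20), DRAINER = "0x" + "22".repeat(20);
const fakeClaim = {
  to: "0x" + "33".repeat(20), // placeholder collection contract
  data: "0x42842e0e" + pad(VICTIM) + pad(DRAINER) + pad("0x1d2f"),
};
console.log(assessPrompt(fakeClaim, VICTIM));
```

The `transferFrom` and `approve` selectors are shared with ERC-20, so on a token contract the last argument is an amount rather than a token ID.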

How to Protect Yourself

● Verify with multiple official project accounts in the event an airdrop or mint is announced.
● Double-check the URL to make sure you’re visiting the official website and not a copycat.


While web3 has a lot to offer in terms of longevity and innovation, it’s still largely unregulated, and offenders are difficult to prosecute due to the significant amount of anonymity it offers. Your best bet to stay safe in the space is making informed decisions and not falling for hype without substance.


