Crypto security is one of the hottest topics for investors and companies actively working on creating better security solutions for the Web3 industry. Web3 Antivirus was created in an effort to make wallet security more accessible to all users in the space. The company offers a browser extension that helps users monitor wallet interactions and spot potential scams and malicious activity before investors fall victim to them.
Below are the most common crypto scams and malicious tactics, and how to protect against them below as found through the experience of developing Web3 Antivirus.
Malicious transactions
Hacker tactics: While on a malicious site, the user can sign a transaction that grants access to all of their assets instead of making an NFT purchase transaction. The scammer would then be able to empty the user’s wallet, stealing assets for which access permission has been granted.
User counter tactic: Users should keep a close eye on the transactions they make and the sites they interact with. They should clearly understand what the outcome of the transaction would be. Tools like Web3 Antivirus can simulate a transaction in a secure environment and clearly show what will happen if the user proceeds with it.
Malicious messages
Hacker tactics: For example, a phishing site asks the user to sign a message (it can be disguised as a wallet connect) to list NFTs owned by the user for sale on OpenSea. Since this is not a transaction but just a message, the user can easily overlook what it says, sign the message, and lose their tokens as a result.
If the user has previously traded on OpenSea, the scammer only needs to get the user to sign a message to put their NFTs up for sale for almost zero value. If the user has not traded on OpenSea before or access to their NFTs is not approved for the OpenSea contract, the scheme becomes more difficult to pull off. In that case, the scammer must first have the user grant access to their NFTs and then sign a message to put their NFTs up for sale.
This scheme exploits the mechanism that marketplaces usually operate on. When a user wants to put an NFT up for sale, the marketplace requests access to the entire collection at once. This is done so that the user can save gas (the transaction fee).
User counter tactic: In order to protect themselves from such schemes, users need to check twice what they are going to sign. Security tools like Web3 Antivirus can show detailed information about permission requests and specific assets users are granting access to. What’s more, users will get clear messages explaining what they will receive and what they will give away as a result of the transaction.
Malicious messages - eth_sign
Hacker tactic: This is a dangerous scheme that is easy to fall for, and one we described previously. The user is asked to simply sign the message, but since it is not a transaction and there is no gas fee, many users go for it without a second thought. After that, it is highly likely that their assets will quickly disappear from their wallet.
User counter tactic: Users should watch carefully for warnings from their wallets (e.g., MetaMask notifies the user when they are asked to sign an “eth_sign” message) or use security tools like Web3 Antivirus.
Honeypot NFTs
Hacker tactic: This is a dangerous and difficult-to-detect scheme. The user purchases an NFT in hope of selling it later for a profit, but the smart contract prevents the NFT from being transferred or sold thereafter. The user is stuck with an NFT that has no value and a financial loss.
User counter tactic: It’s worth using trusted marketplaces and carefully examining NFTs before buying them. Users should pay attention to data such as the date of collection/contract creation, the number of transactions, the number of owners of the asset and the marketplaces where the token is listed.
Fake tokens
Hacker tactic: A common scheme that is fairly easy to avoid with research. Fraudsters create an NFT with the same name as a token from a popular collection and sell the fake token as the original.
User counter tactic: Do your own research. We recommend using verified marketplaces and carefully studying NFTs before purchasing them. Focus on data such as the date of collection/contract creation, the number of transactions, the number of owners of the asset, and the marketplaces where the token is listed.
Fake sites
Hacker tactic: One of the most common schemes. Scammers pass off their website as an official one, copying its interface and/or URL with minor changes.
User counter tactic: To protect themselves, users can use security tools like Web3 Antivirus, which checks the domain names against its database and warns if users are heading to a suspicious site. In addition, certain wallets (like MetaMask) detect some of these suspicious sites and block them.
Malicious smart contracts
Hacker tactic: Contract code can be written with any logic, including having malicious functions and methods. The range of options is quite large, which makes detecting them a challenge.
User counter tactic: In order to detect the trouble, one needs to expertly study the contract code, which requires certain skills. For an average user, it’s recommended to do your own research, check the contract verification on EtherScan as well as the number of transactions and the date of creation. A quicker and more comprehensive approach would be to use security tools such as Web3 Antivirus that audit the contract code for malicious features and logic and warn the user about them.
Poisoning attacks
Hacker tactic: Hackers create fake wallet addresses that have the same first and last characters as a wallet that the target is often trading with. The goal is to scam a user into willingly sending over funds, thinking they are sending assets to a known wallet address. This scheme has rather simple mechanics. Variations of this tactic also include an imitation of a zero-sum transaction originating from the victim’s wallet address. You can find more about it here.
User counter tactic: Before sending your assets to any address, be thorough and verify the whole contract address — not just the first and last characters.
Keeping crypto assets safe with Web3 Antivirus
While hackers continue pushing out new and innovative tactics to get their hands on crypto investors’ funds, the Web3 space is also actively working on countermeasures. At Web3 Antivirus, a team of dedicated blockchain experts and developers are constantly working out ways to prevent the schemes mentioned above.
Being a user-friendly browser plugin, Web3 Antivirus offers a variety of analytical tools and reports that can help investors monitor the Web3 platforms they interact with. From transaction simulations to smart contract analysis, the extension offers an added layer of security for the crypto space. Keep the hacker tactics outlined here in mind, and stay safe in crypto.
Disclaimer. Cointelegraph does not endorse any content or product on this page. While we aim at providing you with all important information that we could obtain, readers should do their own research before taking any actions related to the company and carry full responsibility for their decisions, nor can this article be considered as investment advice.