Cardano Scams: how to avoid bad actors
Knowing how to defend yourself, or how to explain defense methods to a friend, is important. Learn in this article how to avoid scams.
I think we're at a point where everyone knows someone who's been a victim of a scam. We wrote this content so you can share it and better understand how to avoid getting ripped off.
If you pay attention to the details and have confidence in what you do, the chance of avoiding a scam is pretty high.
First, you need to understand that SCAMs are not rug pulls, nor are they projects that failed. In a SCAM you just don't get anything in return: you get ripped off, or, when you do get something, it's a fake NFT in exchange for your original.
There are 3 important points to understand about Cardano NFTs
NFTs and FTs on Cardano, as we know, need Shelley-era wallets. The addresses of these wallets usually start with addr1 and are 100% token compatible, unlike the wallets you find on most exchanges or those from before the Shelley era. There are wallets with dApp connections and wallets without them; that doesn't mean one wallet is better than the other, only that we can use them for different security purposes. Every wallet, when created, gives you a set of words. These words are basically a “recovery” phrase: whenever you want to import your wallet, you just type the words in order. If that data is on your computer, or if someone has access to it in some way, your wallet can easily be drained, so the basic advice, as always, is that you NEVER share it with anyone, with any team, on any platform. Nobody needs it but you or the person who wants to rob you. Just write it down on a piece of paper and never share it with anyone.
Unlike on other chains, when an NFT is created on Cardano it needs to be linked to a policy ID, a generated key that groups a collection of NFTs or unique NFTs. Policies are usually locked after a selected period; once locked, the NFTs within the policy can no longer have their metadata updated, which makes them immutable, and no new NFTs can be minted under that policy. Policy IDs are the means of verifying the originality of a project's collection and of grouping a collection of multiple NFTs.
To access certain dApps and markets, you will need to connect your wallet. There are different types of connection requests, and the most common is enable. Enable is the basic connection that allows a wallet to connect to a website and perform actions within that website, which is what we know as dApps. Other requests, like signData, are made to be able to get information from your wallet, and signTx is used to request transactions. These types of requests are different and each of them has a purpose; usually, they will all ask for your password.
All the security around not falling for SCAMs is essentially linked to these 3 pieces of information. If you really understand them, you will easily be able to adapt and make your purchases safer.
First, as we said in topic 1: under no circumstances, regardless of how much you trust the person, share your wallet's set of recovery words. It is like exposing the combination of a safe to anyone; nothing will prevent access to your safe if someone has these keys.
Secondly, let's talk about the most common robberies, which end up catching even people who "trust" their own knowledge a lot. One of them is escrow.
Escrow
Escrow is basically an exchange that involves the two trading parties and a third party. The third party is the trusted person who receives the items from party 1 and from party 2 and later delivers them to party 2 and party 1, performing a switch. Usually, to do the escrow, the middleman asks for a fee that varies with the value of the assets.
The most common scams involve someone wanting to make an exchange and requesting that the escrow be done by a trusted member, where that trusted member turns out to be a fake account that replicates the original account. Relying on it, you carry out the exchange and are robbed. This type of action often occurs on Discord.
It is important to understand the difference between official profiles and profiles that are copies. It is very simple to tell them apart on Discord using NICK#ID. For example, if The Cultist#1393 is the Cute Dumb Orcs Admin profile on Discord, then any The Cultist#random number is a fake account. On social networks, you only need to always verify that the username corresponds to the original project account.
Also, during the exchange, NFTs can be inserted that are from a random policy ID and outside the official project collection, in which case you need to confirm that, in addition to the person actually owning the NFT, the policy ID is the correct one. The quickest way is to open jpg.store, look for the verified collection, then copy the policy ID and check that it matches the NFT they are trying to trade.
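As an added example (not code from jpg.store, Trading Tent or this article's authors), the policy ID check above can be scripted in Node.js. It assumes the common convention of writing an asset as the 56-hex-character policy ID followed by the hex-encoded asset name; the policy IDs and the asset name below are constructed placeholders.

```javascript
// Added example: all values are constructed placeholders, not real policy IDs.
const POLICY_HEX_LEN = 56; // a policy ID is a 28-byte hash, i.e. 56 hex characters

// Split an asset unit (policy ID hex followed by asset-name hex) into its parts.
function parseAssetUnit(unit) {
  const u = String(unit).trim().toLowerCase();
  if (!/^[0-9a-f]+$/.test(u) || u.length < POLICY_HEX_LEN || u.length % 2 !== 0) {
    throw new Error("not a valid asset unit");
  }
  const nameHex = u.slice(POLICY_HEX_LEN);
  if (nameHex.length > 64) throw new Error("asset name longer than 32 bytes");
  return {
    policyId: u.slice(0, POLICY_HEX_LEN),
    assetName: Buffer.from(nameHex, "hex").toString("utf8"),
  };
}

// Compare each offered asset with the policy ID copied from the verified collection.
// The displayed name is never trusted: a copy can reuse it under another policy.
function checkOffer(verifiedPolicyId, offeredUnits) {
  const expected = String(verifiedPolicyId).trim().toLowerCase();
  if (!/^[0-9a-f]{56}$/.test(expected)) {
    throw new Error("verified policy ID must be 56 hex characters");
  }
  return offeredUnits.map((unit) => {
    try {
      const { policyId, assetName } = parseAssetUnit(unit);
      return { assetName, policyId, genuine: policyId === expected };
    } catch (err) {
      return { assetName: null, policyId: null, genuine: false, error: err.message };
    }
  });
}

// Constructed sample: the same NFT name under the verified policy and under a copy.
const VERIFIED = "a".repeat(56);
const COPYCAT = "b".repeat(56);
const NAME_HEX = Buffer.from("ExampleOrc0001", "utf8").toString("hex");
const OFFER = [VERIFIED + NAME_HEX, COPYCAT + NAME_HEX, "not-hex"];
console.log(checkOffer(VERIFIED, OFFER));
```

Only the first asset in the sample is reported as genuine; the second carries the same name but a different policy ID, which is exactly the case the paragraph above describes.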
In any case, escrow is an archaic and completely insecure way of trading. Trusting a third party to make transactions is always a bad idea, no matter how trustworthy you believe the person to be, so we recommend that you use Trading Tent.
In Trading Tent you can set up your tent and invite someone to make an exchange. In this exchange both parties are able to verify the veracity of the NFTs, see which NFTs are selected, add ADA to cover a difference, and create a mutually agreed exchange, with the platform itself as the middleman for a flat fee of 5 ADA, all using only the power of Cardano's eUTXO.
We always use Trading Tent to trade and it is a completely secure platform. ALWAYS check that you are on the correct domain for the platform ( https://app.tradingtent.io/ ) and that any links sent to you are on the same domain. There are SCAMs that send you a broken tent link and say the platform is down, forcing you to fall back to common escrow and lose your assets.
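The domain check above, as an added Node.js example that is not part of the original article or of Trading Tent: a link passes only when its parsed host is exactly the official domain given here. The helper name checkLink and every sample link are constructed for illustration.

```javascript
// Added example; checkLink is a hypothetical helper, not Trading Tent code.
const OFFICIAL_HOST = "app.tradingtent.io"; // domain given in the article

function checkLink(link, officialHost = OFFICIAL_HOST) {
  let url;
  try {
    url = new URL(String(link).trim());
  } catch {
    return { ok: false, reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not https" };
  // Text before "@" is userinfo, not the host, even when it looks like the real domain.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo before the host" };
  }
  // The URL parser lowercases the host and turns non-ASCII labels into punycode (xn--).
  const host = url.hostname.replace(/\.$/, "");
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "punycode look-alike host" };
  }
  // Exact match only: a substring test would accept app.tradingtent.io.tent-login.example.
  if (host !== officialHost) return { ok: false, reason: `host is ${host}` };
  if (url.port !== "") return { ok: false, reason: "unexpected port" };
  return { ok: true, reason: "official host" };
}

// Constructed sample links (paths and look-alike hosts are made up).
const SAMPLES = [
  "https://app.tradingtent.io/",
  "HTTPS://APP.TradingTent.IO/some/tent",
  "http://app.tradingtent.io/",
  "https://app.tradingtent.io.tent-login.example/",
  "https://app.tradingtent.io@tent-login.example/",
  "https://app.tradingt\u0435nt.io/", // Cyrillic "е" in place of Latin "e"
  "app.tradingtent.io", // no scheme, so it cannot be parsed as a URL
];
for (const s of SAMPLES) console.log(s, "->", checkLink(s));
```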
In addition, within the platform itself you will find verified and unverified projects, which makes it easier to verify the originality of the NFTs in your exchange. This verification is done through the jpg.store API: if the project is verified on the market, it will also be verified on Trading Tent.
If you can't escrow something through Trading Tent at the moment, we recommend that you don't trade anything until it normalizes. Trading Tent is the safest possible tool at the moment for carrying out P2P exchanges without being harmed in any way, regardless of the amount of the fee. I bet losing your Kongs and Clays can cost a lot more, right? Check the correct website, create your own tent and invite the person back; if they can't access it, be suspicious.
Tools like Trading Tent, jpg.store and others use services that build the front-end as an application and serve it through a CDN. A Content Delivery Network is a very simple way to ensure that, regardless of where you are in the world, the nearest server will distribute the site files to you, keeping the site in the best possible quality for your region. It is very hard for a site to load for one person and not for another, so be wary of “the site is down for me”.
dApp Connection
Wallet connections are a type of SCAM known from other blockchains, such as Ethereum (aha), where scripts and smart contracts drain wallets. There are many repositories on GitHub and other platforms explaining how such a scam can be done, using the MetaMask wallet as an example. So connecting your wallet to just any website can lead you to lose all your assets there.
On Cardano, our initial MetaMask equivalent was Nami Wallet, an initial project made by Alessandro Berry as a prototype to advance the ecosystem and his own project through dApp connection. It was not initially made to be a commercial wallet, and we recommend that you use whichever wallet you consider best. After that, other wallets such as Eternl (formerly CC Wallet), Yoroi, Flint, Gero, Typhon, NuFi etc. started to emerge and created a competitive market where projects like Nami Wallet lagged behind due to their nature. Through these wallets we have the option to connect to Cardano and interact with DEX, CEX, Play-2-Earn, NFT Markets, DAO Dashboards, Minting Platforms, normal games and browser metaverses, all through connectivity. This connectivity is ideal for interacting with the blockchain.
However, a connection can always be dangerous depending on where and how you make it: giving access to just any website can mean goodbye to all your assets, so it is important to always use the cold wallet and hot wallet mechanism.
If you keep everything you own in a single wallet, and that wallet is eventually the one you use to connect with dApps, you NGMI avoiding scams. If you want to flex your NFTs, just send your ADA handle to your cold wallet and have fun.
Cold Wallet and Hot Wallet
Think of your hot wallet as a wallet that makes direct connections and transactions with other people, and your cold wallet as a wallet that doesn't, and that only receives from and sends to yourself. We suggest that the hot wallet be your preferred browser wallet and that your cold wallet be a Ledger; if you don't know what one is, search on YouTube. If you don't have access to a Ledger because of where you live, have a full-node wallet like Daedalus specifically to store your assets, and use it only as a “deposit” where you keep your most valuable content. It goes without saying that the access keywords for this wallet must be written on paper and kept in a safe place.
Remember that Daedalus is a full-node wallet: it creates a new blockchain node on your computer and needs a large amount of storage space and possibly more than 16GB of RAM on your machine. Still, it is possibly the fastest wallet for sending and receiving transactions on the blockchain. This happens because you have your own mempool to interact directly with the network, unlike browser wallets, which use a group of nodes for all users. Think of it as the exit of a highway: full-node means the road is all yours, and you can leave whenever you want; in browser wallets, which are not full-node, there is a queue of all the users who have sent transactions, and eventually you will get off the road. As it does not have a dApp connection, Daedalus is a medium option for use as a cold wallet. Because it synchronizes a full node, you need to update your wallet frequently to avoid long synchronization times (it is easier to have a Ledger).
Through this system, your hot wallet will contain only what you consider necessary for certain activities: a specific transaction or purchase, using an NFT on a dApp, collecting rewards, etc. These logistics may seem a little "boring", but they are necessary for your own safety. We don't need to repeat that we don't want you to be just another Dumb Orc, right?
With this system, you guarantee that you will not suffer any type of SCAM using dApp connections and, together with the previous tip, you will avoid falling into situations where the escrow was designed to steal as much as possible from you.
As a wave of free minting has been happening recently on Cardano, it is important to remember how this type of theft happens: by creating a community large enough to generate a lot of income through a robbery, and offering free minting of NFTs with signTx through the wallet. The chance of you being ripped off if you don't use a hot wallet is high.
Remember that a SCAM is simply the act of you losing without receiving, or being robbed through a dishonest scheme. It is always possible to avoid a SCAM.
Fake Mintings
It is common to find fake mintings in the community: profiles that copy projects, sites with similar domains, wallet addresses posted in common chats on Discord, and DM invitations on Discord and Twitter.
Just don't be dumb enough to fall for this out of fear or anxiety. Go to the project page or Twitter, and check whether the minting is actually happening through their official domain or a well-known minter in the community like Anvil, Peppermint, SGS, etc.
Fake Promoters/Giveaways
Even if you are not directly robbed, feeding accounts that are fake or have malicious intent is a way of collaborating with, and falling for, future scams. There are pages and influencers that are nothing more than accounts full of BOTs created to make quick money through shilling.
On Cardano we have a recent example, Promo CNFTs: a fake account that uses NFTs it does not own to make giveaways; possibly it is an account made to generate engagement and numbers in our community. This is known as a follower farm, and these accounts are made for various purposes: selling the account in the future, offering shilling services, or deleting everything and changing the name to become a project. Whenever you come across this type of account, use your voting power and report the account on Twitter.
Giveaways are a very good mechanism for giving back to the community and giving a chance to people who are unable to enter our market for financial reasons. Some healthy giveaways will include:
Answers on previous giveaways with tweetpicker
Winners sharing the NFT receipt
A project reply on tweetpicker with a transaction link
Huge thanks to Clark Kent for reaching out to us on DM about this.
Control Your Emotions
Last but not least, and often mentioned: simply avoid making decisions based on FOMO or in a hurry. Projects rarely mint through wallet addresses sent in conversation channels, or allow members to send them there. Just trust official announcements and always check that these announcements are in line with the communication of the project you follow. Don't take actions based on your emotions, and closely follow the projects you want to mint.
Do not click on links that you do not know, especially from domains that do not correspond to the final location. Search for links through the official channels of each project, and do not fall for promises of free content. Right now on web3, you don’t have to download anything to get rekt, so take it slow with your fast fingers.
Avoid projects that have large numbers of red flags as much as possible. Even when it is not a SCAM, you could end up being a victim of a Rug Pull, or simply invest your money and deposit liquidity in teams that won't make the best use of that money and so do little to help the value of the assets they sell.
And no, you didn't win 16BTC or 15ETH or any kind of stupid giveaway from someone who doesn't know you on Discord; just block and forget. Also avoid joining too many projects that you won't participate in and that you receive DMs from. It's not the project's fault, but it means the project is targeted for this activity. You can check which Discord server these DMs usually come from: the person who sent the message will have a server in common with you. If you want to avoid receiving future messages and you are not an active member of the server, you can leave it. There is also the option to block DMs from people who are not your friends on the platform.
Activate two-factor authentication whenever possible: do it on your email, on your exchange, on your Discord, and anywhere else that gives you the possibility. Don't trust that your password can't or won't end up being cracked or captured by a keylogger. Be prepared so that, in case this happens, you have extra security on your accounts.
ALWAYS and NEVER FORGET to report anything suspicious you see; your word can help save someone's entire savings. ALWAYS SHARE KNOWLEDGE.
If you found this article useful, I invite you to share it and help more people understand how to defend against attacks on our blockchain.
And if you don’t know Cute Dumb Orcs, I recommend you look it up.