Playing Safe On Web3

Beware of Phishing Attacks!

The most common way to get your NFTs stolen is for a scammer to send you a DM in Discord. They may use a name that is a variation of Admin, or Million on Mars. Maybe they stole our logo, it can look convincing. They will offer you free stuff. That is a TRAP! Do NOT click on links from people you do not trust. We will never send you stuff in a DM. Turn off your DMs unless you are an experienced Discord user and know what you are doing. Turn off the sign automatically on your crypto wallets - review every transaction. When it doubt - just do not click!

AIRDROPPED SCAM TOKENS

Both of these particular attacks happened via wallet software download, not related to any NFTs or tokens in the wallet, but airdropped scam tokens can still be dangerous. However, if a token is displaying inside your Phantom Wallet then it must be an SPL Token, and you can safely use the Burn instruction on it (I use the Sol Incinerator tool; there are other ways). We still urge caution, because the way these airdrop scams work is by getting you to click links in the NFT description or by going to their website, so interacting with it can still be dangerous. Whenever you use a burn tool like Sol Incinerator or others, even one you trust, always double check what the wallet popup is displaying to you before you click approve.

One way to be sure is to click into "SOL" on your Phantom wallet and select "view on solscan" at the top right. Go to "Token Accounts" and locate the scam token. Note the "Account" address in the left most column. Now, if you select the NFT in a burn tool and tell it to burn, don't instantly approve the transaction. First click "see advanced details" about the transaction; here you should see "burn" and "close account" instructions, and the target address should be the "Account" address you noted from Solscan. Be sure to not Burn a token of value that you actually care about. If you see anything else suspicious, it's okay to cancel the transaction and ask someone for guidance. It is also OK to just permanently ignore these scam tokens and just never touch them.

FAKE WALLET APP SCAMS

The attack that got these two users however (confirmed for one, still investigating the second) is regarding fake wallets posted onto App Stores/search engines. One such fake wallet was posted to the Microsoft App Store and another was littered all over the search results for Phantom in DuckDuckGo. These wallets appear as real Phantom wallets, fully functional in every way, except they will send your seeds and keys to the attacker when you enter them. The attacker may not attack right away, as they tend to wait for you to feel comfortable and then after you transfer valuable assets or a lot of funds in they will strike.

To combat fake wallet scams, you should only ever download Blockchain software (such as wallets) from trusted websites, or where a trusted website directs you to. The official Phantom Wallet website is https://phantom.app/. You can follow the links from there to the various Browser Extension stores and mobile app stores. If you search for "Phantom" yourself and perform a download, it is possible you'll end up with a scam wallet.

If you go to phantom.app now and follow their official link to your App Store of choice, you should see something like "Remove from Chrome", "Uninstall app", "Update app", or similar, which would indicate that you have the correct wallet installed. If you have a Phantom app installed from that store currently but you see "Install", "Add to chrome", "Get this app", or something similar to that where it implies you don't have the app yet, it is possible that the Phantom you currently have installed is a scam, and your wallet is insecure. If you are in that situation, here are the steps you should take immediately:

1. Open another browser or Chrome Profile so you can have a different set of extensions

2. Download the real Phantom wallet there

3. Make a NEW wallet with a NEW seed/secret phrase (as always, write it down or securely encrypt it)

4. Transfer all of your assets and crypto from the insecure wallet to the new wallet address

Blockchain and Web3 technologies may be a way of the future, but that does not mean they are not without problems still. Technology is always improving and still has a long way to go. It is on all of us to make sure we're paying attention to and reading what we're clicking, to not go to dangerous/suspicious websites, and to all around be mindful when dealing with assets of value (be it blockchain wallets or even mainstream bank account passwords). We want everyone in our community to be safe and to be able to enjoy our game. Stay safe, Martians!