Exploring the Dark Side: Web3 Scams You Should Watch Out for (Part 1)

The third quarter of 2023 has been profitable for scammers as they managed to snatch $890 million worth of crypto.

To get that loot, some scammers prey on our inattention and lack of knowledge, while others capitalize on the human inclination for quick, substantial gains. Furthermore, certain bad actors exploit vulnerabilities within smart contracts or inject harmful code into contract logic.

Bet no one from the robbed crypto holders ever thought of becoming part of the unfortunate statistics, so we are here not to let you join their sad gang.

Working on Web3 Antivirus, we constantly investigate crypto scam trends and uncover emerging fraud techniques. Our blog is a gatekeep-free zone, so we're going to expose all those troublesome Web3 scams and provide insights to help you spot them. Plus, we've got some handy tips to help you dodge these dangers.

Close-up of common Web3 scams + how to rebuff them

There are so many crypto scams out there that it will be hard to cover them all in one article. This part will touch upon the most widespread types of scam tokens and phishing approaches.

Let’s inspect thoseWeb3 peace-breakers.

Scam tokens

Imagine how disappointing it would be to buy a token, only to later discover it's utterly worthless or its price was intentionally inflated. Yet it is quite a common scenario.

To spare yourself from such letdowns, take note of the scam tokens you may come across:

Honeypots

Honeypots may seem awesome assets to invest in, but these tokens are likely to stick with you forever as there are extremely low chances of getting rid of them. There are certain restrictions in honeypots’ contract code, imposing sky-high fees or even a total ban on token selling or transferring.

Some particularly bold scammers even have the nerve to charge high fees for purchasing such tokens.

Real-life case

Baby Musk coin was launched in 2022 and raised $2 million through its initial coin offering (ICO). However, the holders soon discovered that they couldn't sell their tokens. And if that wasn't bad enough, the project's founders soon vanished into thin air, leveling up this honeypot scam to a full-blown rug pull.

Red flags

🚩 The token’s price is too low against its high demand.

🚩 The purchase/sale/transfer fee is extremely high (50% and more).

Safety tips

✅ Investigate the token’s origin to make sure it comes from a reliable project.

✅ Examine the token’s history to assess its past liquidity and previous owners.

✅ Check the Web3 Antivirus risk report. The extension will not only identify if the token is a honeypot but also specify its variation: no transfer/sale or high transfer/sale/purchase fee.

Wash traded tokens

If a token's price and demand are artificially inflated, it is a case of wash trading. The main goal of fraudsters is to make you believe that this token is really worth the pumped-up price. Spoiler alert: nope, it's actually worth way less.

Real-life case

According to the Dune report, more than $30 billion of the NFT trading volume on Ethereum in 2022 is wash trading. The most affected platforms were LooksRare, X2Y2, Element, and Sudoswap.

Red flags

🚩 Sudden high trading volume of a relatively unknown or new cryptocurrency/NFT collection.

🚩 Systematic repetitive buying and selling of the same amount of an asset.

Safety tips

✅ Do thorough research before buying, particularly focusing on the token's trading history.

✅ Be skeptical of sudden spikes in the trading volume of a crypto without any clear reason.

✅ Enable W3A to receive warnings about detected wash trading.

✅ Discover if you already have wash traded tokens in your portfolio via W3A Dashboard.

NFT copycats

If you think of adding some cool NFTs to your crypto collection, watch out for copycats.

Fraudsters can create their own collections that look suspiciously similar to the top ones or completely copy them.

Real-life case

An example of a huge NFT copycat sale has recently taken place on the Magic Eden marketplace. A platform’s vulnerability allowed fraudsters to add fake tokens to popular NFT collections. As a result 13 copycats were purchased, bringing the scammers $14,800 in profit and leaving buyers with worthless assets.

Red flags

🚩 Apparent visual similarity with other collections.

🚩 A recent minting date for a supposedly older token.

🚩 Deviations from the rest of the NFTs in a collection that a token is claimed to be part of.

Safety tips

✅ Buy on reputable NFT marketplaces that have anti-copycat policies, such as OpenSea.

✅ Verify the token’s metadata: origin details, creation data, features and ensure that it corresponds with the claimed attributes of the NFT.

✅ Check the token’s history and past owners to exclude any suspicious activity.

Fake crypto

Fake crypto tokens are counterfeit and fraudulent digital assets that copy the names, logos, and other attributes from real cryptocurrencies to fool people looking to invest.

Scammers can get super crafty and use a DeFi project's features to their advantage. Take, for instance, how most crypto marketplaces allow you to find a token by its address — a golden opportunity that fraudsters were unlikely to miss.

They create a fake token and sneak the original token's address into its name, hoping you won't spot the trick. If you are not attentive enough, you will end up with a worthless token.

On top of that, once in a while, DeFi platforms slip up and miss the flow of fake tokens.

Real-life case

A South Korean crypto exchange Upbit was flooded by fake APT tokens because it didn’t thoroughly check the source code and accepted those fakes as original tokens. This allowed users to trade those fake APT, with the total value of the scam token being $3.4 billion.

Red flags

🚩 Inconsistencies in a token’s characteristics, such as logo, name, etc.

🚩 Contract address instead of the token name.

🚩 No or very limited trading history.

Safety tips

✅ Double-check the token’s attributes and trading activity.

✅ Buy tokens on reputable exchanges as they run token checks before listing them.

✅ Keep an eye on W3A risk alerts; the extension will instantly warn you if a token seems suspicious.

Phishing

Another widespread Web3 scam is phishing. This tactic thrives on your inattentiveness and manipulates you into revealing your crypto wallet credentials: password, private keys, and seed phrase.

Phishing scams come in all sorts of shapes and sizes, with the most frequent options being:

Fake websites

Scammers often create replicas of popular and trustworthy websites, hoping to trick unsuspecting users into compromising their wallets. You may be asked to give away wallet credentials or sign malicious messages that sneak in harmful logic, for example eth_sign or empty_payable.

Real-life case

In 2021, a scammer created a fake of the top NFT marketplace, OpenSea, and placed it at the very top of Google search results as a paid ad. That trick ended up swiping $450,000 worth of crypto and NFTs.

Red flags

🚩 Inconsistencies in domain names. For example, rarrible.com instead of rarible.com.

🚩 URL lacks a padlock icon and starts with http://, not https://.

🚩 Poor design: non-clickable buttons, empty pages, etc.

🚩 Suspicious and unexpected pop-up windows.

Safety tips

✅ Make sure you are on the right website by scrutinizing its domain name and overall look.

✅ Look for https:// and a padlock icon as indicators of the website’s strong encryption.

✅ Avoid clicking on any links or messages on suspicious websites.

✅ Have W3A on as it will show you a phishing warning before redirecting you to the suspicious site. And if, for some reason, you decide to ignore the initial warning, the extension will alert you about any malicious messages or transactions lurking on the website.

Fake airdrops

Airdrops can be a great way to add some new tokens to your portfolio while also supporting crypto projects. But there might be some unexpected twists.

Fraudsters create platforms pretending to be new promising DeFi projects with their own cryptocurrency. As if to spread the word about them and gain some early user base, they promise airdrops. They are completely free, you just need to submit some info or sign a transaction request so that those tokens can land in your wallet. Plot twist: if you do that, your tokens will magically transfer to a scammer’s wallet.

You might also stumble upon fake airdrop posts that pretend to be from well-known DeFi projects. If you take the bait and click those links, say goodbye to your tokens.

Real-life case

Aptos Network has been recently dragged in a fake airdrop scam. The fraudsters managed to hack the official Aptos account on Twitter and started promoting a fake APT token giveaway. And yes, you guessed it, the giveaway involved clicking on a "totally safe" link. They didn't mention how much money was lost, so let's hope not too many of Aptos' followers (393,000 at that time) fell for it.

Red flags

🚩 Requests for excessive personal information.

🚩 Lack of transparency: no project whitepaper, team information, etc.

🚩 Escalated urgency.

Safety tips

✅ Do thorough project research. Check its origin, reviews, community feedback, etc.

✅ Never disclose your wallet credentials. Never ever.

✅ Treat every airdrop with caution. If it sounds too good to be true, it most likely is.

✅ Take notice of W3A risk warnings when signing any requests as it sees all the details and logic behind the contract you will interact with, uncovering dangers hidden from the human eye.

Impersonation

Scammers also take advantage of our trust in influential figures and project representatives and fake their identities to lure us into their shady schemes.

For example, you may come across social media profiles of celebrities promoting giveaways or investment opportunities. You trust that person and know that they value their reputation, so you give no second thought to the credibility of their offering. This blind belief may cost you a lot of money.

More sophisticated scammers can even hack the official accounts of celebrities and post messages promoting fake tokens, giveaways, or investment opportunities.

But not only fake celebrities want to get hold of your assets. Scammers can also pretend to be customer support reps from crypto platforms, acting all helpful while secretly trying to snatch your funds or data.

Impersonators became even more troubling with the enhanced capabilities and availability of AI. They create deep fakes — realistic images, video, and audio to convince you that it is truly, say, Bill Gates, reaching out to you with a generous deal.

Real-life case

In 2020, the official Twitter accounts of Elon Musk, Jeff Bezos, Bill Gates, and other prominent figures were overtaken by fraudsters. In tweets, they encouraged people to send money to some shady addresses, promising to double it up in return. That's how $100,000 worth of assets ended up in scam wallets.

Red flags

🚩 Out-of-the-blue messages, giveaways, and offers.

🚩 Messages that don’t match the account owner's usual style.

🚩 Customer service emails that sound rushed and pressing.

🚩 Requests for personal, financial, or login information.

🚩 Suspicious links.

Safety tips

✅ If a celebrity posts links to external sites, double-check the URL and ensure it's legitimate.

✅ Don't rush — if a post seems out of character or too good to be true, wait for further updates from the celebrity or their team.

✅ Verify the credibility of the promoted giveaway or a project. If a celebrity is genuinely supporting a project, it's likely they mentioned it in interviews, other social platforms, or their official website.

✅ Pay attention to W3A risk alerts before conducting any transactions. You can also check transaction simulation to see the risk levels of all contracts involved in the transaction.

Enough scams for today. If only fraudsters thought the same…

… yet there are a whole bunch of other Web3 scams and risks lurking around, all just waiting to snatch your money. If we tried to cover them all in a single article, you'd be scrolling endlessly.

In this part, we touched upon the scams that heavily rely on your inattentiveness. Bottom line: don't drop your guard, okay? Take a good look at every asset, message, request, and link.

Your sharp eyes and knowledge are your superhero shield against falling for these sly tricks. And don't leave out your sidekick — Web3 Antivirus.

See you soon in Web3 Scams Chapter Two. Stay safe, and don't forget to double-check that your W3A extension is on!