This is a good news, bad news piece. But if you’re reading this, it’s only good news because you’ll learn something new!
TPan Listens to a Podcast Featuring Himself
I’m featured on a podcast with my buddies Jay and Kyle from Web3 Academy.
You can check it out now on Spotify or Youtube!
We go over:
My background and how I ended up in this crazy space
Content as a public good
Why I write about web3 growth and how I approach it
The ‘X to mint’ model and formula
Whenever I get featured on a podcast or something similar, I check out the content and skim through it. However, with this episode I actually listened to the whole thing. It was nice because it felt like I was relearning what I’ve been writing but in an audio-visual format.
I swear…I’m not a narcissist. Jay helped me to rationalize what was going on:
So go give it a listen and check out Web3 Academy, they have great content!
TPan Gets Scammed 😱
It finally happened folks. I got scammed last week. I’ve been rugged before with NFT projects, but I’ve been fortunate that my wallet hasn’t been drained…until now.
So what happened and how?
Last week when I was writing about the MetaMask SDK launching on the Unity Asset Store, I referenced and dug into the original Twitter thread.
Nothing suspicious here. This is the official MetaMask Twitter account tweeting a big announcement for game developers.
In the thread, MM shared their new program, Sidequest to help game devs with onboarding, education, and grants. Good stuff!
So far, so good. Unfortunately, when I write, I toggle through different tabs and screens as I research and write out my piece for the day. As a result, I scrolled past the end of the thread to read through the replies.
Scammers take advantage of replies by replying with scam links like below:
If you look closely, there are a few obvious giveaways that this is a scam.
Unfortunately, because I was in research mode, I clicked on the link and went to the landing page for the fake Sidequest program despite the 🚩. The link’s thumbnail photo and copy were the same.
Let’s compare the two pages, starting with above the fold:
The pages are practically identical.
Below the fold?
This is where the differences become more obvious. The real registration page has a standard registration form embed on the right-hand side while the scam page has a claim link to receive a Sidequest NFT.
Geez, TPan is an idiot. I can’t believe I read his stuff, I really should unsubscribe.
I know, right?! So many red flags.
So why did I click on the claim/mint link?
Though I haven’t written about it yet, I’ve been discovering other interesting minting mechanics related to the application meta I’ve covered in the past. Some projects now mint an SBT (soulbound token) that functions as proof of application. Fun concept, but this is where TPan discovering all these new mechanics backfires.
I subconsciously thought (along with being in research mode) that there was a mint interaction that functioned similarly, so I connected my wallet and approved a transaction to what I thought was MetaMask.
Once the transaction completed, the ETH in my wallet immediately disappeared, and a pop-up from my Revoke.cash browser extension warned me that the site was now requesting to transfer more assets to this address.
My heart sank as I realized what actually happened. Fortunately, the amount scammed was not a life-changing sum and nothing else was taken from the wallet. Additionally, this was my hot wallet where I regularly conduct transactions (vs. a cold wallet where more valuable assets are stored).
After the shock faded, I dug into this in true TPan fashion. When life gives you scammy lemons, make lemonade, right? 😂
What was interesting about the scam
How similar website was to the original
There were several obvious red flags, but as mentioned before, the website was nearly identical in other aspects. Thumbnail, copy, website layout, etc.
No matter how careful you are, a brief lapse of judgement like mine can lead to this mistake.
How quickly the site was set up
When I viewed the timestamps, the scam site was up and in the MetaMask announcement’s Twitter replies in less than 90 minutes.
That is some quick work and makes me believe that these scammers have a highly optimized process to take advantage of unsuspecting folks while targeting popular announcements from reputable accounts.
The scammers iterated
I have to give it to these scammers. In true growth fashion, they iterated on the scam.
At some point after I was scammed, they changed the domain to one that included ‘sidequest’, removing the URL flag I called out earlier.
Why can’t these smart folks use those talents for something more productive for the ecosystem 😭
The smart contract
The scammer contract was created two weeks ago and was likely used for a less successful scam before hitting the jackpot with MetaMask. The most recent victim of this was around 4 days ago.
Fortunately, BlockSec, a blockchain security company partnered with Etherscan, flagged the contract.
What’s being done to combat scams today?
The beauty of crypto is that there is the concept of self-custody — you actually own what you have.
With great self-custody comes great responsibility and the potential consequences like what happened to me last week. I have no one to blame but myself.
Security is getting better. The space isn’t sitting around twiddling its thumbs and singing ‘Kumbaya, not your keys, not your crypto…’
Brand verification
Brands are now getting a differentiated level of verification. On Twitter, these brands are getting golden checks. I hope MetaMask gets their golden check soon.
Disclosing the end of a thread
Taking matters into their own hands, some call out the end of their thread. Yuga Labs and its associated brands have implemented this recently.
Yuga has also implemented a creative approach with their news site. New visitors are asked to create a secret phrase and image, so when users return to the site, they know it’s the real site as opposed to a scam site.
Tools
There are plenty of tools to help to reduce the chance of scams like what I encountered.
Some popular and reputable ones are Revoke.cash, Fire, and Pocket Universe. These browser extensions intercept wallet requests before you sign and translate what approving the transaction would actually do (send ETH, grant a token approval, hand over a whole NFT collection). They are a safety net, not a substitute for checking the domain and the contract yourself.
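To make the “translate what approving transactions do” idea concrete, here is an added example of the kind of pre-signing check these extensions perform, applied to the two request shapes from the scam above (a payable “claim” call that carries ETH, followed by approval requests for more assets). This is example code written for this post, not code from Revoke.cash, Fire, Pocket Universe or MetaMask. The function selectors are the standard ERC-20/ERC-721 ones; every address, the `trusted` allowlist and all request objects are constructed sample data and are not taken from the actual scam contract.

```javascript
// Minimal pre-signing inspector for an EIP-1193 `eth_sendTransaction` request.
// Added example; not code from the post or from any of the tools it names.
// Selectors are the standard ERC-20/ERC-721 ones; addresses and requests are constructed.

const SELECTORS = {
  '0x095ea7b3': 'approve(address,uint256)',
  '0xa22cb465': 'setApprovalForAll(address,bool)',
  '0xa9059cbb': 'transfer(address,uint256)',
  '0x23b872dd': 'transferFrom(address,address,uint256)',
  '0x42842e0e': 'safeTransferFrom(address,address,uint256)',
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Return the i-th 32-byte ABI word after the 4-byte selector, as 64 hex chars.
function word(data, i) {
  const body = data.slice(10);
  if (body.length < (i + 1) * 64) throw new Error('malformed calldata: missing argument ' + i);
  return body.slice(i * 64, (i + 1) * 64);
}
const wordAsAddress = (data, i) => '0x' + word(data, i).slice(24);
const wordAsUint = (data, i) => BigInt('0x' + word(data, i));
const formatEth = (wei) => (Number(wei) / 1e18).toString();

// Inspect params[0] of eth_sendTransaction and return plain-language warnings.
// `trusted` is a hypothetical allowlist of contracts the user intends to use.
function inspectTransaction(tx, trusted = []) {
  const warnings = [];
  const to = (tx.to || '').toLowerCase();
  const data = (tx.data || '0x').toLowerCase();
  const value = BigInt(tx.value || '0x0');
  const trustedSet = new Set(trusted.map((a) => a.toLowerCase()));
  const toIsTrusted = trustedSet.has(to);

  // A payable "claim"/"mint" is the simplest drain: the ETH leaves with the call itself.
  if (value > 0n && !toIsTrusted) {
    warnings.push(`sends ${formatEth(value)} ETH to unrecognised address ${to}`);
  }

  const selector = data.slice(0, 10);
  const method = SELECTORS[selector] || null;
  if (!method) {
    if (data.length > 2 && !toIsTrusted) warnings.push(`calls unknown function ${selector} on ${to}`);
    return { method, warnings };
  }
  if (method.startsWith('approve(')) {
    const spender = wordAsAddress(data, 0);
    const amount = wordAsUint(data, 1);
    if (amount === MAX_UINT256) warnings.push(`unlimited token approval to ${spender}`);
    else if (!trustedSet.has(spender)) warnings.push(`approves ${amount} tokens to unrecognised spender ${spender}`);
  } else if (method.startsWith('setApprovalForAll(')) {
    const operator = wordAsAddress(data, 0);
    if (wordAsUint(data, 1) === 1n) warnings.push(`grants ${operator} control of every token you hold in ${to}`);
  } else {
    warnings.push(`moves tokens out of your wallet via ${method}`);
  }
  return { method, warnings };
}

// --- constructed sample requests (hypothetical addresses) ---
const pad = (hex) => hex.replace(/^0x/, '').padStart(64, '0');
const SCAM_CONTRACT = '0x00000000000000000000000000000000000bad01';
const DRAINER = '0x00000000000000000000000000000000000bad02';
const REAL_DAPP = '0x0000000000000000000000000000000000900d01';
const TOKEN = '0x00000000000000000000000000000000000000ee';
const TRUSTED = [REAL_DAPP, TOKEN];

// 1. The "claim your NFT" shape: a function the checker does not know, but payable with 0.5 ETH.
const SAMPLE_SCAM_CLAIM = { to: SCAM_CONTRACT, value: '0x' + (500000000000000000n).toString(16), data: '0x4e71d92d' };
// 2. Unlimited ERC-20 approval to a drainer address (the follow-up request the extension caught).
const SAMPLE_UNLIMITED_APPROVE = { to: TOKEN, value: '0x0', data: '0x095ea7b3' + pad(DRAINER) + pad(MAX_UINT256.toString(16)) };
// 3. setApprovalForAll(operator, true) over an NFT collection.
const SAMPLE_APPROVAL_FOR_ALL = { to: TOKEN, value: '0x0', data: '0xa22cb465' + pad(DRAINER) + pad('1') };
// 4. A bounded approval to a dapp the user listed as trusted: no warnings expected.
const SAMPLE_LEGIT = { to: TOKEN, value: '0x0', data: '0x095ea7b3' + pad(REAL_DAPP) + pad((1000n).toString(16)) };

if (typeof require !== 'undefined' && require.main === module) {
  for (const tx of [SAMPLE_SCAM_CLAIM, SAMPLE_UNLIMITED_APPROVE, SAMPLE_APPROVAL_FOR_ALL, SAMPLE_LEGIT]) {
    console.log(inspectTransaction(tx, TRUSTED));
  }
}
```

The point of the sample set is that the scam’s first transaction looks harmless at the calldata level (an unknown selector) and is only suspicious because of the ETH value attached to an unrecognised contract, while the follow-up approval requests are dangerous regardless of value. A real extension adds simulation and a reputation database on top; the allowlist here is a stand-in for that.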
Classes
Boring Security is a free resource that I’ve written about before, and they’re still conducting wallet security classes. They even support group sessions for communities and companies.
Security will remain one of the largest speed bumps for adoption as the space starts to go mainstream. How do we educate newcomers, how do we call out bad actors, and how do we create products and processes that protect the ecosystem while embracing the concepts of self-custody and true ownership?
It might hurt sometimes, like it did for me last week. But it’ll heal 🙂
See you next week!
Sorry for the scam Tpan! Damn 🫠
Great read though, so thanks for sharing and of course, thanks for joining the podcast!
Welcome to the scammed club.
Thx for sharing this deep dive.