
NFT Security 101: Keeping your Shiny Objects Safe

by mecaverse.eth | Shiny


In my second month of NFT trading, my wallet was compromised. I received a DM from a scammer impersonating a Collab.land bot, and I fell for it. My ego was bruised – “How can I be so stupid!” – but thankfully, because I was using a “burner wallet” (one of many tips we’ll discuss in this guide), I only lost 0.3 ETH… and some self-confidence. 


Ask any seasoned NFT collector, and they’ll have similar experiences to share. The world of NFTs, crypto and decentralized ownership is fantastic and full of promise (hopefully you think so too, or you probably wouldn’t be reading this), but the decentralized nature of NFTs also brings a heightened level of personal accountability. Make a mistake or fall victim to a scam and you’re on your own: there’s no “undo” button, no customer support to call for a refund.


But fear not! While it can seem scary – especially if you’re a newcomer – this guide is here to help you.


In the first part, we’ll look at the best defensive tactics for managing your seed phrase and wallets securely, so you can keep your NFTs safe in this wild west that is web3. 


In part two, we’ll get to know our enemy, by taking a look at the most common NFT scams and attacks, and how to avoid them. 


By the end, we hope you’ll be in much better shape to stay safe on your NFT journey.


Part 1. Playing defense: Managing your seed phrase and wallets securely



Your seed phrase is everything – keep it safe

If you’ve already spent any amount of time in the crypto and NFT space, you’ve hopefully already heard about the importance of keeping your seed phrase safe. 


This magical 12/24-word phrase (sometimes also known as “secret recovery phrase”) is the metaphorical key to the kingdom: anyone with your seed phrase attains full access to the private keys for your wallet and assets, including any NFTs you hold. So it almost goes without saying: Never - Share - Your - Seed Phrase!


The only time you should be entering your seed phrase anywhere is in the relatively rare scenario that you need to restore access to your wallet. And the only place you should be entering it is into a software or hardware wallet that you’ve triple-checked is genuine, and not a fake wallet site.


So, now that we’ve established the importance of your seed phrase, let’s talk about the best way to keep it safe.


Store it physically, not digitally

It’s the general consensus (and frankly, common sense) that your seed phrase will be at much greater risk from hacks or breaches, if you store it digitally. So no matter how easy and tempting it might be: don’t store it in your notes-taking app, don’t upload a photo of it to iCloud, and don’t write it in an email and send it to yourself. Instead, you should store your seed phrase offline in a physical format. 


A note on password managers

Some people argue that using a password manager (such as 1Password, LastPass or Dashlane) to store your seed phrase can be acceptable, at least for burner wallets that don’t hold a lot of value. We tend to agree with this exception, but the general recommendation still stands: physical is safer and digital


Paper vs metal storage

One of the most common physical ways of storing a seed phrase is… writing it on a piece of paper. Yep, it’s rudimentary, but writing your seed phrase on a piece of paper and storing it is easy, fast and cheap. 


The drawback of storing your seed phrase on paper is that paper is, well, highly perishable. In the event of a fire, water damage or natural disaster, there’s a big risk your seed phrase could get destroyed.


In order to avoid the risks of paper storage, many serious NFT and crypto investors look to more durable solutions, such as laser engraving or scratching their seed phrase into a stainless steel plate, or storing their seed in a metal capsule. There are many options on the market, and we suggest this comparison site by @lopp for a good overview.


Coldbit Steel – one of many available metal storage options for your seed phrase


Protect it against theft 

While physical storage eliminates the risk of digital data breaches, it makes you vulnerable to old-fashioned theft. Many people choose to store their seed phrase in a safety deposit box – while others get more creative with their hiding places.


If you’re not comfortable that you can sufficiently safeguard against theft, consider splitting your seed phrase into multiple parts, and storing them in different locations.


Plan for redundancy

Accidents happen – so on the off chance that a physical copy of the seed phrase should get destroyed, you will want to have multiple copies, stored in different locations. While this obviously increases the burden on you for safeguarding against theft, it can give you the peace of mind of knowing that you haven’t put all your eggs in one basket.


This step is especially important, if you’re storing your seed phrase on paper.


Use a multi-wallet strategy

As your NFT collection grows, it will quickly become more and more risky to store everything in one wallet. Every time you use your wallet to connect to websites and transact with smart contracts, you expose yourself to potential attack vectors and scams, and, worst case, risk having your entire NFT portfolio stolen by bad actors.


That’s why spreading your NFTs across multiple wallets can be a good idea: even if one wallet is compromised, you will have limited your losses.


The drawback of using multiple wallets is of course the inevitable fees incurred by having to transfer your NFTs back and forth. You’ll have to make up your own mind about the risks and tradeoffs in your portfolio – but don’t risk losing all your most valuable NFTs at once, just to save a bit of gas here and there.


You can use as many wallets as you deem necessary, but a good starting point (and widely used among Shiny members) is to start with two common types of wallets: The “Burner” and the “Vault”.


The Burner: for connecting, minting and interacting

You may have heard horror stories of NFT collectors who – upon signing a transaction with their wallet – have suddenly seen all their precious NFTs (worth tens or hundreds of thousands of dollars) vanish into thin air.


A “burner wallet” is a wallet created specifically for connecting to websites and smart contracts, minting NFTs, approving transactions, claiming airdrops, or any other such “risky” activities. 


Gus Fring, the OG degen


Your burner wallet should only ever contain a relatively small amount of crypto (e.g. just enough to pay for whatever you’re planning to mint), and only a few and/or low value NFTs. In that way you will have minimized your losses, if the worst should happen, and can “burn” your wallet to start fresh.


The biggest degens often end up using many burner wallets to compartmentalize further – but creating a single one is a great way to start.


The Vault: for safe-keeping and long-term storage

A “vault” is a wallet used for storing your long-term investments and high-value NFTs. This is your Fort Knox: where you keep your most precious shiny objects. Finally flipped your way to a BAYC? Vault it. Planning to hodl a Fidenza? Vault it. Bought a Shiny Magpie? Definitely vault it.


In order to protect your vault, you should keep it walled-off from interacting with websites and smart contracts as much as possible. If you need to do anything even slightly “risky” with an NFT (such as using it in a transaction with a smart contract you’re not super familiar with), you should always transfer it out of your vault and into your burner (or another wallet) first.


It is highly recommended that your vault is stored on a hardware wallet.


Go offline with a hardware wallet

A hardware wallet is a fantastic level up in security for those who are more serious about protecting their NFT collections. Really, anyone whose investment in NFTs and crypto has grown beyond the ‘lunch money’ stage should consider getting one. I personally use a Ledger, but other common brands are Trezor and GridPlus.


Ledger and Trezor are some of the most popular choices for hardware wallets


Why use a hardware wallet?

Let’s start by clearing up a common misconception about hardware wallets: 


A hardware wallet does not actually “store” your NFTs or other crypto assets. Rather, your hardware wallet holds your seed phrase and private keys, and ensures they always stay offline. 


Because software wallets are typically connected to the internet (commonly referred to as “hot wallets”), there’s always going to be an inherent risk that your seed phrase and private keys might get compromised.


Hardware wallets solve this problem: with a hardware wallet, your seed phrase and private keys are generated completely offline – and stay that way. Whenever you connect your hardware wallet to a laptop to sign a transaction online, the transaction data is sent through to your hardware wallet, where it can be reviewed and signed safely offline, before being sent back.


Because your hardware wallet is completely offline, it is important that you never enter or share your seed phrase into any device that’s connected to the internet. Don’t save it in a password manager, and don’t take a picture and store it in iCloud – doing this would essentially destroy one of the main security measures of a hardware wallet: that your seed phrase is 100% offline.


What happens if my hardware wallet is lost or stolen?

Because a hardware wallet doesn’t actually “store” your NFTs (but rather, your seed phrase and private keys) that also means that even if your wallet is destroyed, your Magpies, Feathers and other Shiny Objects are still safe on the blockchain. As long as you’ve got a copy of your seed phrase stored safely, you can buy a new hardware wallet, import the seed, and restore access.


If your hardware wallet is stolen, you will generally also be safe. Hardware wallets typically use a PIN code for verification – and most hardware wallets are set up so that if you enter the wrong PIN 3 times, the wallet resets. So as long as your thief doesn’t also have your PIN, your wallet is safe.


Regularly check (and revoke) your allowances

“Allowances” are the different types of permissions that allow smart contracts to interact with the tokens (i.e. NFTs) in your wallet on your behalf, for example to retrieve or transfer them. Often this is completely benign, e.g. the ‘approve this item for sale’ transaction that’s required by OpenSea, before you can sell NFTs from a particular collection on their platform.


Over time you will undoubtedly approve a large number of allowances from many sources, so a good practice is to regularly check on them – and revoke the ones that are no longer actively needed. If left unchecked, some allowances can potentially become attack vectors, if bad actors somehow find ways to take advantage.


Luckily, there are many tools out there that make it easy to check (and revoke) allowances, such as Revoke.cash, ETH-Allowance, Unrekt and DeBank.
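To make “check and revoke” concrete: for ERC-721 collections the allowance in question is the operator approval granted by setApprovalForAll, which the collection contract records on-chain as an ApprovalForAll(owner, operator, approved) event. Tools like the ones above work by replaying those events and showing you which operators are still approved. The Python below, added here as an illustration rather than code from this guide or from any of the tools named, does the same over a constructed event history for a constructed owner address, then ABI-encodes the setApprovalForAll(operator, false) call (function selector 0xa22cb465) that you would send to each collection to revoke a stale operator. All addresses are placeholders, and the event history is made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ApprovalForAllEvent:
    """One decoded ERC-721 ApprovalForAll(owner, operator, approved) event."""
    block: int
    log_index: int
    collection: str   # contract that emitted the event
    owner: str
    operator: str
    approved: bool

# Constructed addresses: stand-ins, not real contracts or accounts.
ME = "0x" + "11" * 20
SOMEONE_ELSE = "0x" + "22" * 20
COLLECTION_A = "0x" + "aa" * 20
COLLECTION_B = "0x" + "bb" * 20
MARKETPLACE_OPERATOR = "0x" + "c0" * 20   # e.g. the marketplace contract you approved to list items
MINT_SITE_OPERATOR = "0x" + "d0" * 20     # an operator approved months ago on some mint site

# Constructed event history, as an indexer or eth_getLogs might return it (not yet sorted).
SAMPLE_EVENTS = [
    ApprovalForAllEvent(100, 0, COLLECTION_A, ME, MARKETPLACE_OPERATOR, True),
    ApprovalForAllEvent(150, 2, COLLECTION_A, ME, MARKETPLACE_OPERATOR, False),
    ApprovalForAllEvent(120, 3, COLLECTION_A, ME, MINT_SITE_OPERATOR, True),
    ApprovalForAllEvent(125, 1, COLLECTION_B, SOMEONE_ELSE, MINT_SITE_OPERATOR, True),
    ApprovalForAllEvent(130, 0, COLLECTION_B, ME, MARKETPLACE_OPERATOR, True),
]

def active_operators(events, owner: str) -> dict:
    """Replay events in chain order; the latest approved flag per (collection, operator) wins."""
    state = {}
    for ev in sorted(events, key=lambda e: (e.block, e.log_index)):
        if ev.owner.lower() != owner.lower():
            continue                       # someone else's approvals are not our problem
        key = (ev.collection.lower(), ev.operator.lower())
        if ev.approved:
            state[key] = True
        else:
            state.pop(key, None)           # a later setApprovalForAll(op, false) clears it
    result = {}
    for collection, operator in state:
        result.setdefault(collection, set()).add(operator)
    return result

def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """ABI-encode setApprovalForAll(address,bool): 4-byte selector + two 32-byte words."""
    addr = operator.lower()
    addr = addr[2:] if addr.startswith("0x") else addr
    if len(addr) != 40 or any(c not in "0123456789abcdef" for c in addr):
        raise ValueError("operator must be a 20-byte hex address")
    return "0xa22cb465" + addr.rjust(64, "0") + ("1" if approved else "0").rjust(64, "0")

def plan_revocations(events, owner: str, trusted_operators) -> list:
    """Return (collection, calldata) pairs: one setApprovalForAll(op, false) per stale operator."""
    trusted = {t.lower() for t in trusted_operators}
    plan = []
    for collection, operators in sorted(active_operators(events, owner).items()):
        for operator in sorted(operators):
            if operator not in trusted:
                plan.append((collection, encode_set_approval_for_all(operator, False)))
    return plan

if __name__ == "__main__":
    for collection, calldata in plan_revocations(SAMPLE_EVENTS, ME, {MARKETPLACE_OPERATOR}):
        print(f"send to {collection}: {calldata}")
```

Each planned revocation is a transaction from your own wallet to the collection contract, which is why revoking costs gas and why the tools ask you to sign one transaction per stale operator. Per-token approvals (ERC-721 approve, recorded as Approval events and cleared automatically when the token moves) and ERC-20 allowances are separate bookkeeping of the same shape; this example covers operator approvals only.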



Part 2. Know your enemy: Common scams and how to avoid them


DM scams

One of the most common ways for both spammers and scammers to get at you is to slide into your direct messages (DMs) on Discord or Twitter. 


Often the messages will just be annoying spam, e.g. desperate souls shilling some hopeless project. But DMs are also used by scammers that try to impersonate moderators or pass themselves off as applications such as Collab.land to defraud you.


The solution to this problem is simple: turn off your DMs. Actually, because the problem is so common, most communities actively encourage turning off DMs, and have clear guidelines stating that moderators will never cold-DM you.


To turn off DMs in Discord: Go to a server in Discord → Click ‘Privacy Settings’ → Turn off ‘Allow direct messages from server members’

Turning off DMs is just three clicks in Discord


Hacked Discord servers


Unfortunately, turning off DMs is not always enough to protect you. Discord hacking is rampant, so it’s important to stay vigilant, even in communities you would normally consider safe.


The NFT space tends to move fast. Surprise drops that mint out in minutes or seconds have primed collectors to move fast and ask questions later. Hackers abuse this instinct: after compromising a Discord server or moderator account, they will announce things like “surprise mints” that link members to a fake website.


Fake minting, wallet or marketplace websites


Fake websites are one of the most widespread tools that scammers use for defrauding NFT collectors. Common examples are fake minting websites, designed to look like the minting website for a popular collection, and fake wallet websites, designed to look like the interface of a popular wallet, such as Metamask. Recently, we’ve even seen examples of fake marketplace websites popping up at the top of Google Search results:

https://twitter.com/ElectionDayMad1/status/1487044004848058373


The fake sites will often look identical to the real version, so you’ll need to carefully double check that the URL is legitimate. Look for an “official-links” channel in the Discord, or check the project’s Twitter bio to find the right link. 


Make sure to pay attention: scammers will often try to use URLs that are super close to the real thing (e.g. “looksralre.org” vs “looksrare.org” in the tweet above).

Find links in the #official-links channel (most Discords have one), or in the official Twitter bio
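Eyeballing a URL is error-prone, especially against a lookalike like the one above. The Python below is an added example (not code from this guide) of the check you would want a bookmark list or browser extension to perform for you: pull the host out of a link, compare it against an allow-list you filled from the project’s #official-links channel, and flag hosts that are within a couple of edits of a trusted domain or that embed a trusted domain as a prefix (the looksrare.org.some-mint.example pattern). The allow-list contents and the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the domains you verified via #official-links or the Twitter bio.
OFFICIAL_DOMAINS = {"looksrare.org", "opensea.io", "metamask.io"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_url(url: str, official=OFFICIAL_DOMAINS, max_distance: int = 2):
    """Return ("official", domain), ("lookalike", closest_domain) or ("unknown", None)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in official:
        return ("official", host)
    for domain in official:
        if host.endswith("." + domain):          # genuine subdomain, e.g. app.looksrare.org
            return ("official", domain)
    for domain in official:
        if domain in host:                       # trusted name buried inside an attacker host
            return ("lookalike", domain)
    closest = min(official, key=lambda d: levenshtein(host, d))
    if levenshtein(host, closest) <= max_distance:   # typo-squat within a couple of edits
        return ("lookalike", closest)
    return ("unknown", None)

# Constructed sample links of each kind.
SAMPLE_URLS = [
    "https://looksrare.org/collections",
    "https://app.looksrare.org/some-page",
    "https://looksralre.org/",
    "https://looksrare.org.mint-now.example/claim",
    "https://example.com/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", classify_url(url))
```

“Unknown” is not a pass: it only means the host is not a near-miss of a domain you already trust, so a brand-new mint site still needs to be checked against the project’s official links by hand. The distance threshold is deliberately small; raising it catches more typo-squats but also starts flagging unrelated legitimate sites.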


Fake NFT collections


Fake NFT collections are “duplicate” collections created by scammers on the various NFT marketplaces, in hopes that unwitting collectors will mistake them for the real thing.


The best way to avoid this scam is to always look for verified collections: these are collections that the marketplace has officially verified as legitimate. 


Look for the blue checkmark - it signifies verified accounts and collections


However, because verification is generally reserved for projects with a lot of activity, it might not always be an option. In those cases, the best way to be safe is to look at the number of items and owners, the floor price, and - most importantly - the activity. Fake collections will generally have much fewer items and owners, and much lower activity than the official collection.


Lastly, as with fake websites, it can be a good idea to verify the collection URL by looking at the “official-links” channel in Discord, or in the project’s Twitter bio.


Airdropped “honeypot” NFTs

One of the both wonderful and scary things about blockchains is that everything is public. That also means that anyone who happens upon your wallet address is able to ‘airdrop’ you an NFT.


While ‘airdrops’ are often used in positive ways to reward collectors, they can also be used for scams. It’s fairly common to discover that an unknown NFT has suddenly shown up in your wallet.


If this happens to you, the most important thing to remember is: don’t interact with airdropped NFTs that you’re not familiar with!


Often these NFTs are “honeypots”: designed to lure you in with the promise of a nice, free NFT, only to compromise your wallet as soon as you interact with the malicious smart contract.


Instead, we recommend just hiding airdropped NFTs from your profile.



Phew, you made it! If you’re still with us, you should now be much better equipped to avoid some of the most common scams and pitfalls in the NFT space.


The space is constantly growing and evolving – and unfortunately the scammers are also getting smarter and craftier every day. So stay vigilant, and take care of your shiny objects!



TL;DR Version


Part 1. Playing defense: Managing your seed phrase and wallets securely


Your seed phrase is everything – keep it safe

  • Keep your seed phrase secure – it’s the master key for accessing your wallet and assets
  • Saving your seed in a password manager can be acceptable for low-value wallets, but puts you at risk of hacking or data breaches.
  • Storing your seed physically (and not digitally) is highly recommended, if you hold any NFTs or crypto assets of real value.
  • You can store your seed on a good ol’ piece of paper, or splurge for a fire- and waterproof metal storage solution for maximum safety.
  • Protect yourself against theft by storing your seed phrase in a safety deposit box (or get creative with your hiding place)
  • For redundancy, make multiple copies of your seed and store them in different locations. This is especially important, if you’re storing your seed on paper.


Use a multi-wallet strategy

  • Spread your NFTs across multiple wallets, once you start getting more serious about your NFT investments. That way you won’t risk losing everything at once, if a wallet is compromised.
  • Use a “burner” wallet (that only holds a small amount of crypto) for connecting to websites, minting NFTs, joining giveaways or interacting with smart contracts in other ways that you’re not 100% certain about.
  • Use a separate “vault” wallet for storing your long-term investments and high-value NFTs. Keep your vault walled-off from any suspicious websites and random smart contracts: transfer out your NFTs to another wallet, once you need them again.
  • We recommend getting a hardware wallet to use as your vault.


Go offline with a hardware wallet - TL;DR

  • Buy a hardware wallet (such as Ledger, Trezor, or GridPlus), as soon as you are beyond the ‘lunch money’ stage of investing in NFTs and crypto.
  • A hardware wallet doesn’t actually “store” your NFTs; it stores your seed phrase and private keys, and ensures they always stay offline.
  • If your hardware wallet is lost or stolen, your NFTs are still safe on the blockchain (as long as your PIN wasn't also stolen). Buy a new hardware wallet and restore access using your seed phrase.
  • Never create a digital copy of your hardware wallet’s seed phrase, as this will compromise one of its main security features: being 100% offline.


Regularly check (and revoke) allowances

  • “Allowances” are the different types of permissions that allow smart contracts to interact with the tokens (i.e. NFTs) in your wallet.
  • It’s a good security practice to regularly check these allowances, and revoke the ones that are no longer actively needed.
  • Tools such as Revoke.cash, ETH-Allowance, Unrekt and DeBank make it easy to view and manage allowances.


Part 2. Know your enemy: Common scams and how to avoid them


DM scam

  • One of the most common ways for scammers to get at you is to slide into your direct messages (DMs) on Discord or Twitter.
  • The solution to this problem is simple: turn off your DMs. 
  • Go to a server in Discord → Click ‘Privacy Settings’ → Turn off ‘Allow direct messages from server members’


Hacked Discord servers

  • Discord hacking is rampant, so it’s important to stay vigilant, even in communities you would normally consider safe.
  • Hackers abuse the fact that NFT collectors are primed to “shoot first and ask questions later” by announcing fake “surprise drops”, etc.
  • Always be highly skeptical of any erratic behavior, sudden activity or strange URLs, even if it’s coming from official mods. 


Fake minting, wallet or marketplace websites

  • Fake websites are one of the most widespread tools that scammers use for defrauding NFT collectors. 
  • Common examples are fake minting websites, fake wallets, and fake marketplaces.
  • The fake sites will often look identical to the real version, so you’ll need to carefully double check that the URL is legitimate. 
  • Look for an “official-links” channel in the Discord, or check the project’s Twitter bio to find the right link.


Fake NFT collections

  • Fake NFT collections are “duplicate” collections created on the various NFT marketplaces, in hopes that unwitting collectors will mistake them for the real thing.
  • Look for the blue checkmark that denotes verified collections.
  • Check the number of items and owners, floor price, and activity. Fake collections typically have much lower activity than the official collection.
  • Verify the collection URL by looking at the “official-links” channel in Discord, or in the project’s Twitter bio.


Airdropped “honeypot” NFTs

  • Because everything on the blockchain is public, anyone can ‘airdrop’ an NFT to your wallet address.
  • If an unexpected NFT shows up in your wallet, do not interact with it! 
  • It’s likely a “honeypot” scam, designed to trick you into interacting with a malicious smart contract
  • Hide the item from your profile, and don’t interact with it