Can Airdropped NFTs Steal Everything?

Header image: Designed Consciousness: First Call by Idongesit Obok

What are NFT airdrops?

In web3, wallet addresses are publicly viewable on tx records and even promoted on a person’s Twitter — as is the case with, for example, the Ethereum Name Service (ENS) and all of those .eth names you may have seen. Knowing your wallet address means that anyone can send you an NFT. In fact, I have dozens of airdropped NFTs in my wallet that I’ve never bothered to look at.

If you’re curious to see your airdropped NFTs, on OpenSea, for instance, you can find them on your Profile > More > Hidden.

What you find there are likely the starting points for a range of elaborate scams.

When are airdrops NOT scams?

By this point, the legit players in the web3 community are aware that random airdrops look suspicious. So why and how would someone send a sincere gift via airdrop? In most cases, legit airdrops can be categorized as acquisition marketing, loyalty rewards, and/or as a gesture of “utility.” 

If it doesn’t benefit the sender in some way, if only by engendering your goodwill, then you can assume it’s only there because of a scam. 

Let’s take a minute to think about the current state of the market and why FOMO tactics of six months ago should no longer work. That is if you’ve updated your mental model of the current NFT space.

Before the onset of crypto winter, money was flying around, and projects were trying to generate hype and massive amounts of capital. When the bull went bear, projects started to either:

1. Die a fast death by anon founders exiting under cover of blockchain night
2. Die a slow death by dwindling interest and floor prices
3. Persist in the form of a company or DAO with a highly motivated, competent core team running the show
4. Or the tragically common sad case of a blend of 2 and 3

The web3 projects that will succeed don’t just want any financial investor. They want personally invested financial investors. In other words, they want business partners. 

Now, who, in their right mind, goes looking for business partners by randomly selecting Twitter accounts? 

Think about an airdrop as a random invitation to work a job you’ve never heard of. Less appealing when you think of it that way.

How are Airdrops used in scams?

Airdropped NFTs are often safe and do not pose a threat to your investments. It’s what you do with them that can be harmful. For a refresher on personal web3 safety, read Staying Safe with NFTs and Web3 and How to Stay Safe on Discord. The TL;DR in web3 security always comes down to three rules:

1. Never give anyone your private seed phrase.
2. If it’s too good to be true, it is.
3. Never give anyone your private seed phrase.

In September 2021, AJ (AKA @babbler_dabbler) tweeted that his wallet had been stolen and his NFT collection (including Damian Hirst’s work “The Currency”) was gone. According to AJ, his only mistake was interacting with the airdropped NFTs in his wallet.

However, a pair of developers in conversation with CoinDesk, say that AJ’s version of things is highly unlikely, perhaps impossible.

On-chain investigators found that AJ’s very own Ethereum address accepted a low bid for his Damien Hirst NFT, and as pseudonymous Solidity developer Foobar tweeted, there was no elaborate contract responsible for transferring his holdings. His own address did the deed, and the whole scam was nothing more than a private key compromise.

The more likely scenario probably goes something like this:

You get notified of a bid on an NFT you didn’t know you own. It’s a good-looking NFT, and the WETH bid isn’t crazy, but it ain’t bad. Maybe you got it from being such a clever chap on Twitter or for retweeting something in the feverish way you retweet things? 

At any rate, in this market, you’re happy to sell off something you didn’t know you had for a little liquidity padding. But when you go to accept the offer, you get an error message.

That’s odd.

The WETH isn’t there.

What’s wrong? 

If you go sniffing, you’ll find that you need to interact with the NFT to get the transaction to work. You’ll be redirected to the project page, where you’ll be asked to connect your wallet, and you will connect your wallet, and this will be your downfall.

When curious about the shiny new NFT you just found in your wallet, DON’T FORGET YOUR TRAINING.

1. Do not click on any suspicious links. This is the most common way people are deceived
2. Double-check email addresses, spellcheck every letter like a fiend, find official links if you suspect an imposter, and NEVER enter your seed phrase or screen share with strangers.
3. Keep your private keys and mnemonic words, do not share your computer screen and take the most basic security protection measures.

How to identify scammy NFT airdrops?

If you got an NFT airdrop, consider the below red flags:

• 🚩 How does this airdrop reward the airdropper? Is it my goodwill or interest in a project that I have reason to believe would actually airdrop, of all people, me something? 
• 🚩 If you think this is a marketing or loyalty-related airdrop, ask yourself: Have they followed up on this gift? There’s no such thing as a free lunch. Even if all they’re after is your good vibes, did they get any good vibes? If not, something’s up. 
• 🚩 Does it ask for you to pay a fee to receive the airdrop?
• 🚩 Does it ask for your wallet details? Like the password?
• 🚩 Does it ask for screen sharing? (This is the most basic sign of online scams)
• 🚩 Is the brand unverified? Is the NFT airdrop unverified?
• 🚩 Does it redirect you to an unknown link? Does this new page ask you to enter a wallet phrase or password?
• 🚩 Is the offer too good to be true? If it is, take a step back and reconsider your choice.

If you find yourself in this situation, it’s as easy as ignoring the NFTs altogether. If you’d prefer, you can find a burn wallet online and send any and all suspicious NFTs there.