What we call the Web3 ecosystem—a compilation of decentralized finance, tooling, and governance—can be a dangerous place. One of the first articles we published at ALANA was about vetting Web3 projects, enabling users to make informed decisions about the projects they encounter through a step-by-step process. We recently felt this guide could use a hefty upgrade, with more resources attached to it and based on the latest knowledge available to us.
The digital space is full of risks, and so is the latest version of the internet, Web3. The only difference here is that in Web2, you can often get your money back or file a lawsuit against a legal entity. In contrast, in Web3, where autonomy is a significant pillar, this may not be a possibility.
Part of learning how to keep yourself safe is knowing the types of dangers that exist out here, so you can foresee them long before they launch their attack. The truth is that Web3 offers users freedom, but it also introduces numerous ways in which people can be taken advantage of:
RUG PULL
The project creator(s) vanish with the invested funds after artificially raising (pump and dump) the value of a token connected to a protocol.
PHISHING
Scammers create fake websites, emails, or social profiles to trick people into giving away private keys or seed phrases. They often approach users via social media or email, claiming they have some surprising locked funds in a wallet they didn't know of. But phishing takes on many shapes and forms!
ICE PHISHING
Attackers manipulate transaction approvals within the wallet UI to gain access to assets without needing a seed phrase. It is not as common, but it has happened.
AIRDROP SCAM / FAKE GIVEAWAYS
You may have noticed random tokens being added to your wallet. Some of these encourage users to visit harmful sites and potentially connect their wallets.
FAKE NFT SCAM
Fraudulent NFTs are often sold by copying the visuals and names of legitimate NFT collections. The price will be the same, but the value won't.
DIRECT SEED PHRASE THEFT
Individuals lure users to scam sites or fake apps and prompt them to enter their recovery phrase, which gives the scammers total control over the users' assets.
SPOOFING
Scammers impersonate a real project, often posing as support staff, to gain trust and access personal information. These schemes can be short-term or long-term.
CRYPTO DRAINER
These attacks often happen in a way that the user is entirely unaware. They visit a site, connect their wallet to a malicious smart contract (due to a fake website, for example), sign a transaction, and this is enough to drain the wallet of all of its assets.
Now you know all the scary things that can happen. But knowing that car accidents are horribly common does not lead you to suddenly stop driving your car or walking across a lively street to the next supermarket. While not precisely the same situation, it is worth learning more about the dangers of Web3 so you can navigate them like an experienced driver would!
At ALANA, we believe in the autonomy that Web3 provides to us, the users. This autonomy, while it gifts freedom, also asks users to take responsibility at the same time. Your responsibility is to not get scammed easily and prepare by learning about the dangers and what methods you can use to protect yourself against them:
INVESTIGATE
Before investing your time and energy in a project, ensure that you thoroughly investigate it. Make sure to look at their various social media accounts and how legit they seem. Ask public questions, read their Whitepaper, and be inquisitive. It is your right to do that, so don't forfeit it! If possible, try to find the founders and their profiles on LinkedIn. Investigate their past businesses, failures, and successes. Twitter remains the primary social platform for Web3-related projects. We recommend investigating the project profiles and founder profiles on there as well.
RESEARCH
Especially if tokens and so-called tokenomics are involved, follow up on the tokens' purpose, distribution, early investor allocations (how evenly the token is distributed), and so-called vesting times (how long tokens are locked until they are released to investors and project founders). With initial token allocations in particular, it is vital to understand how much of the token will end up in the hands of a few vs. the community or public.
GOVERNANCE
Decentralized governance (ruling over a protocol, technology, and/or treasury) is often done with tokens in Web3. If the initial token allocation is done in a highly unbalanced manner, it typically leads to unbalanced and non-democratic governance. You have to decide if being part of such a system feels healthy to you. It doesn't mean those communities/projects are inherently bad; it just means that an inequitable system is in place that rules the technology/project you are interested in.
REPORTING
If anything doesn't add up or you feel there are elements missing from their documentation, don't hesitate to ask for audits of their smart contracts (the underlying piece of technology often embedded in Web3 projects and protocol technologies).
TECH STACK
Some, but not all, Web3 projects are open-source. If that is the case, it provides an opportunity to investigate the project's GitHub repository. If you are not a coder, you can take a look at the consistency of the development activity on the platform.
SOCIAL DYNAMICS
One of the most overlooked parts to investigate is the community itself. Join their Discord or Telegram channels, review their sentiment, value alignment, and especially in hype communities, be the one demanding constructive feedback instead of buying into the buzz!
UPDATES
It may sound unusual, but when interacting with novel technologies, ensure that all your computer/phone software is regularly updated, two-factor authentication is active on all your devices, and you are not using insecure connections (such as hotel WiFi) to perform transactions or similar activities. I use Airalo when traveling to ensure I always have a reliable and secure way to connect to the internet.
MARKET REVIEW
If the project you are interested in happens to have a token whose primary use case is financial utility, make sure to review its market situation and liquidity. Many tokens don't exist for economic purposes but instead for governance and introducing democratic rule over a technology stack/protocol. Be aware of the difference here. If it is a financial-first token, you can review the liquidity and broader market, for example, via CoinGecko or CoinMarketCap. Thin liquidity with economically driven projects is a red flag. First, track their trading volume and historical performance before taking risky steps.
RISK OVERLOAD
With every financial investment, there is risk. As long as you have all the information first, you can invest, but never ever invest everything you have into anything. Make small, incremental investments if you are getting started on the DeFi (decentralized finance) road of Web3 through a project you are interested in. Diversify early and stay small!
In general, at ALANA, we recommend investigating and researching before buying into hype, regardless of how strongly a good friend recommends that you "get in early." This is exactly the point where bad things tend to happen, and we do not want that for you. Additionally, we suggest you hold more than one wallet. Hold one that you use with trusted resources such as Uniswap or deBridge, while using a second wallet to interact specifically with new protocols and technologies to test your way forward.
You are not the first nor the last person seeking out help in the digital space and the Web3 space to stay safe. Many resources aside from our educational materials here at ALANA have been created since I first joined Web3 almost six years ago. Here are some I have relied on quite a bit to stay informed and be in the know, not just about scams but also about the broader growth of Web3:
rekt news - Reports regularly on major scams, drains, exploits, and similar in the Web3 space. Worth following and staying attentive.
Web3Sec - A website with a newsletter that sends news around security risks and hacks directly to your inbox.
Web3 is Going Just Great - A website plus an optional newsletter by Molly White on everything that is harming Web3 and making the good people there a bit sad.
Peer Tracker - The Department of Financial Protection & Innovation has created a tracker that relies on consumers reporting incidents.
Alchemy - Provides an overview and filtering system of recognized dApps (decentralized applications) in the Web3 ecosystem. It is a reliable resource for much more and allows new users to quickly catch up.
DefiLlama Hacks - DefiLlama carries a sub-section on their website showcasing hacks and the volume they have bled out of the Web3 sector.
Growthepie - An analytics platform focused on Layer 2 blockchains under Ethereum (Layer 1) that provides deeper information on most, if not all, of the L2 blockchain networks. While it is not explicitly focused on hacks or exploits, it can help you understand the broader ecosystem.
Web3 is not for the faint-hearted, but it becomes incredibly useful and valuable once you start understanding it. The reasons are straightforward: ownership of your data, transparency on technology, heightened security (especially regarding the AI (artificial intelligence) era), and democratic rule over technology and its evolution. More on these at another time.
Stay safe, ALANA Adventurers!
This article was authored by Stella Achenbach, a DAO member of The ALANA Project.
Living in Web3 can be challenging, and that on many different levels. As a rookie, the most challenging part is avoiding scams, getting rugged, and other dubious schemes. Outside of Web3, I once fell prey to a financial fraud scheme, and it haunts me to this day, which makes me empathize with the folks experiencing it here in Web3. I've been fortunate to have had fantastic guidance and helpful instincts that have prevented this experience from being a problem for me so far in this space. It made @lutra and me think at /thealanaproject about how we could help others avoid this type of fate and led us to compose the "Web3 Rookie's Survival Guide." It helps readers understand the type of dangers that exist, the preventive actions to take, and how to avoid risks, as well as additional resources to stay informed. I saw yesterday that some people fell for the false Gitcoin email containing a phishing link, and this article could help save you or your friends from experiencing financial loss and a sense of unease. Please share, save, and spread if you find it helpful: https://paragraph.com/@the-alana-project/web3-rookies-survival-guide-1
Great writeup!
Thank you 😊
This is really good, I’ll be sure to share this. A survival guide in web3 would have helped me a lot, but hey, I’m still here
Same here but I got lucky with some good folks helping me instead. Yet not everyone has that AND gets lucky with the people offering their help 🥺. Thank you for sharing 🤗