<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
    <channel>
        <title>Know Your Crook</title>
        <link>https://paragraph.com/@knowyourcrook</link>
        <description>Educating readers on how to identify and avoid crypto scams, phishing schemes, and other financial crimes.</description>
        <lastBuildDate>Mon, 06 Apr 2026 23:46:12 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>https://github.com/jpmonette/feed</generator>
        <language>en</language>
        <image>
            <title>Know Your Crook</title>
            <url>https://storage.googleapis.com/papyrus_images/0d1ca9a78b4d8ba23605a6e388575a18d0eddfeddb76923024f8aae392c35408.png</url>
            <link>https://paragraph.com/@knowyourcrook</link>
        </image>
        <copyright>All rights reserved</copyright>
        <item>
            <title><![CDATA[SCAM REVIEW: Free NFT Mint!]]></title>
            <link>https://paragraph.com/@knowyourcrook/scam-review-free-nft-mint</link>
            <guid>t71ecj1b87vpzO8tGhYV</guid>
            <pubDate>Fri, 06 May 2022 19:17:43 GMT</pubDate>
            <description><![CDATA[Bottom Line Up FrontFree NFT mint offers can be legitimate, but more often than not they are a scam designed to steal your crypto assets in one way or another. If you decide to participate in a free mint, use a fresh wallet with no assets held on it, and pay close attention to the permissions requested from the minting smart contract. It is also worth searching the contract itself for any undisclosed minting fees.OverviewIf something looks too good to be true, it probably is. Projects offerin...]]></description>
            <content:encoded><![CDATA[<h3 id="h-bottom-line-up-front" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Bottom Line Up Front</h3><p>Free NFT mint offers <em>can</em> be legitimate, but more often than not they are a scam designed to steal your crypto assets in one way or another. If you decide to participate in a free mint, use a fresh wallet with no assets held on it, and pay close attention to the permissions requested from the minting smart contract. It is also worth searching the contract itself for any undisclosed minting fees.</p><h3 id="h-overview" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Overview</h3><p>If something looks too good to be true, it probably is. Projects offering a free NFT mint can, in some rare circumstances, be legitimate. But more often than not the promise of a free NFT is a vehicle for a scam designed to steal your crypto assets. Free mints tend to fall into one of four categories: marketing for a legitimate project; royalty farming on secondary sales; hidden minting fees; and malicious contracts.</p><p>Keep in mind, I am specifically referring to free <em>mint</em> offers - that is, you can connect to a smart contract and mint an NFT for free (minus gas fees). Giveaways that award someone with an NFT are different, and generally much safer as it only involves them transferring the already-minted NFT to your wallet.</p><p>With that out of the way, let’s dive in…</p><h3 id="h-marketing" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Marketing</h3><p>Sometimes, a project is looking to prime the pump on their minting. Let’s say a 10k project wants to build some hype: they might run a giveaway for a free mint on the first X NFTs as a marketing gimmick, then all mints after those will be paid. 
Often times people will have to jump through a few hoops before they can mint, such as tweeting hashtags/retweeting the team, inviting people into their discord, or otherwise shilling the project.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/0ea602178632f783173e083bb3319707966d3bb6f652a048b56ea08777679d7f.png" alt="Start free to build up holders, then add a mint fee" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">Start free to build up holders, then add a mint fee</figcaption></figure><p>This is a legitimate use case for free mints, and depending on how many tasks you have to complete it’s not a bad way to get into some projects. That said, keep a close eye on the project’s socials, make sure they’re being open and transparent about their terms, and that they are actually following through with letting people mint.</p><h3 id="h-royalty-farming" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Royalty Farming</h3><p>In this case the mint is indeed free, and the project owner is hoping to make some money from royalties on the secondary sales. These projects are often spun up quickly, so it’s not uncommon for them to use stolen art, or art that is a lazy derivative of a popular project.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/179dfe0a8004f88e0f3527ed31bc2a0b64e6e7933cadd85c399bcc678bf13e0f.png" alt="OpenSea has one or two Ape-related projects, for example..." 
blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">OpenSea has one or two Ape-related projects, for example...</figcaption></figure><p>Basically, if there is a ton of hype around a particular project, dozens of copycats will spring up hoping to cash in on it. Take a look at what their royalties are set to - if they are well above the normal amount (OpenSea defaults to 2.5%, for example), it’s probably just a cash grab. Minting one of these won’t necessarily put your own assets at risk, but you will be supporting a potential scammer and content thief all the same. The choice is yours, but personally I think the NFT space could do without projects like this.</p><h3 id="h-hidden-fees" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Hidden Fees</h3><p>Now we’re getting into true fraud. Sometimes, a free mint isn’t actually free. Instead, there is a small, undisclosed charge of around .005 ETH that most people don’t notice. After all, they’re still paying a gas fee for the mint, so the tiny amount on top of that flies under the radar. While each minter might only lose $10-$15 from the hidden fee, the total amount pulled in by the scammer can add up fast, especially if they have multiple such projects active.</p><p>You can see the mint fee clearly in the smart contract, even if you’re not a coder. 
A quick way to find it is to copy/paste the entire contract into a text editor, then do a page search for words like “mint”, “fee”, and “price”:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/ad0127c35fbe8243d93f9efb27d74656d66400a2230de737563df5eca282d43c.png" alt="You don&apos;t need to be a contract dev to understand &quot;price = .005 ether&quot;" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">You don&apos;t need to be a contract dev to understand &quot;price = .005 ether&quot;</figcaption></figure><p>These scams are usually riding the hype from some other popular project, and they want people to mint quickly before A) the hype dies down, and B) people catch on that there’s actually a mint fee. Watch for lots of urgency and FOMO-inducing language in their socials, including counters on their site showing how many free mints are left (which are often faked, and will reset if the page is reloaded). Remember, there is always time to research a project to keep yourself and your assets safe.</p><h3 id="h-malicious-contracts" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Malicious Contracts</h3><p>These are contracts that are designed to drain one or more assets from your wallet as soon as you connect it. Sometimes, the contracts are part of a targeted phishing campaign, and coded to look for and transfer specific high-value items like <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://opensea.io/collection/boredapeyachtclub">BAYC</a> or <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://opensea.io/collection/azuki">Azuki</a> NFTs. 
More often though, the contract will attempt to transfer out any and all tokens held by the wallet, and it can do so based on the permissions a user gives it when connecting.</p><p>I’ve written <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://mirror.xyz/knowyourcrook.eth/v5YCpgPvkeNlsEElQum9Ze4QZvLi26nm8Z5dwOj13JE">previously</a> about wallet safety, but it’s always worth repeating: pay close attention to the permissions a site asks for whenever connecting your wallet. If a free mint site is asking for unlimited approval and automated transactions, that’s a huge red flag. Also worth repeating: the wallet you use to mint, store assets, and navigate Web3 sites should not be the same - use a separate wallet for each of those things.</p><h3 id="h-the-takeaway" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">The Takeaway</h3><p>Free mints are very rarely free. Assuming the project is legitimate and not charging hidden fees or trying to steal your funds, you will often still pay with your time and attention (<a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://youtu.be/74JaoEjMmD0?t=14">this</a> exchange sums things up nicely). For any NFT minting, always use a fresh wallet, and pay close attention to the permissions being asked for before connecting. Remember, there is always time to <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://mirror.xyz/knowyourcrook.eth/PGmoPzS8lRu_aFhO7KFinZoLKLJ3kUGUL1kC35GpZeg">DYOR</a> on a project, even a “free” one.</p><p><em>Have a question, comment, tip, inside info, or anything else? Email </em><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="mailto:KnowYourCrook@ProtonMail.com"><em>KnowYourCrook@ProtonMail.com</em></a></p>]]></content:encoded>
            <author>knowyourcrook@newsletter.paragraph.com (Know Your Crook)</author>
        </item>
        <item>
            <title><![CDATA[Keeping Your Wallets Safe]]></title>
            <link>https://paragraph.com/@knowyourcrook/keeping-your-wallets-safe</link>
            <guid>UUiCuuM1TccJCQpJ1oI6</guid>
            <pubDate>Wed, 20 Apr 2022 13:34:41 GMT</pubDate>
            <description><![CDATA[Updated 4/28/2022: added “Bookmark Frequently Used Sites” sectionBottom Line Up FrontKeeping your funds secure is an ongoing process that requires regular attention and action. Wallets should be disconnected from dapps and websites you are not currently using, and permissions should be revoked for projects you’re no longer invested in. Use separate wallets for holding, DEX trading, and yield farming. If you have high value NFTs, they should be held in separate wallets as well. Never store fun...]]></description>
            <content:encoded><![CDATA[<p><em>Updated 4/28/2022: added “Bookmark Frequently Used Sites” section</em></p><h3 id="h-bottom-line-up-front" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Bottom Line Up Front</h3><p>Keeping your funds secure is an ongoing process that requires regular attention and action. Wallets should be disconnected from dapps and websites you are not currently using, and permissions should be revoked for projects you’re no longer invested in. Use separate wallets for holding, DEX trading, and yield farming. If you have high value NFTs, they should be held in separate wallets as well. Never store funds on a CEX or any other custodial wallet, and never, under any circumstances, give out your seed phrase or private key.</p><h3 id="h-overview" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Overview</h3><p>Crypto assets like tokens and NFTs are stored on their respective blockchains. Wallets hold the keys that give you access to those assets, allowing you to interact with them. For web3 websites and dapps, wallets also act as login credentials, allowing you to access your account in lieu of (or sometimes in conjunction with) entering a username and password. If you lose control of your wallet or private key/seed phrase, you lose control of your assets and web3 accounts. Needless to say, keeping your wallet safe should be a top priority.</p><p>As with everything in crypto, understanding your own threat model is important here. Somebody holding 7-8 figures in crypto and multiple NFTs worth hundreds of ETH each has a very different threat model than someone who put a few dollars into Coinbase because of a <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.youtube.com/watch?v=uJ9pNQrz0fA">Super Bowl</a> ad. What follows are tips and best practices for keeping your wallet and keys secure. 
You decide, based on your own threat model and risk tolerance, what steps are appropriate for you to take.</p><h3 id="h-private-key-public-key-and-seed-phrase" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Private Key, Public Key, and Seed Phrase</h3><p>Every crypto account has two 256-bit keys associated with it: a public key which allows the account to receive funds, and a private key which allows it to send funds. The account’s address (0x…. on most chains) is simply a hash of its public key. So, knowing a wallet address only gives someone access to <em>send</em> funds to it, not <em>withdraw</em> funds from it. To withdraw funds, you need the private key, or its seed phrase.</p><p>Basically, the seed phrase is a 12-24 word passphrase that a wallet can use to derive the account’s private key. The only time you will ever have to enter your seed phrase is if you are importing an existing account into a wallet. For example, if you use the mobile-based TrustWallet and you get a new phone, you will have to download the TrustWallet app and enter your seed phrase to import your account. 
Same thing if you use a browser-based wallet like Metamask, and want to import a new account.</p><p>That’s it.</p><p>You will never have to enter your seed phrase for tech support, connecting to a website, entering a giveaway, using a CEX/DEX, or anything else other than to import an account into a wallet.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/98d1f2540eb415182b7af5af1d1402ba320d45b1b0ded8e82e84b65c4e371c71.jpg" alt="If you&apos;re asked for your seed phrase, it&apos;s a scam" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">If you&apos;re asked for your seed phrase, it&apos;s a scam</figcaption></figure><p>Here are some tips for keeping your seed phrase secure:</p><ul><li><p>Do not store your seed phrase anywhere online (iCloud, Google Drive, in an email, etc), on your phone, or on your computer. If you do, at least make sure it’s encrypted and not in clear text.</p></li><li><p>Have your seed phrase physically written out, ideally on durable/fireproof <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://cryptotag.io/">materials</a>, and stored in multiple separate locations. For example, have one copy in a fire safe at home, and another hidden in your car (assuming you’re not at risk of break-ins/theft), and if you have any land buried in an underground lockbox.</p></li><li><p>Use a hardware wallet, such as <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.ledger.com/">Ledger</a> or <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://trezor.io/">Trezor</a>. 
Be sure to purchase them from their official sites, and not 3rd party resellers, as fake hardware wallets can be <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.forbes.com/sites/leemathews/2021/06/18/cybercrooks-are-mailing-users-fake-ledger-devices-to-steal-their-cryptocurrency/?sh=1017fe25dbad">compromised</a>.</p></li><li><p>For those with complex threat models, such as people handling high value or public accounts, never read a seed phrase aloud, or ever have it in view of a camera. Computers and cellphones may be compromised by malware that gives attackers access to the camera and microphone.</p></li></ul><h3 id="h-check-connected-sites" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Check Connected Sites</h3><p>Every time you connect your wallet to a website or dapp, it will usually stay connected until you explicitly disconnect it. It’s generally good practice to disconnect your wallet from any site you’re not actively using, in case the site is compromised by bad actors. Think of it this way: the more places that you’ve given permission to access your wallet, the more directions bad actors could attack you from. 
For most wallets, you can view the connected sites in the account settings.</p><p>When connecting to a site, pay close attention to the permissions it’s asking for:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/63fbab046dac250043711504ee7ecc735947d4f8eb9b71337b27bf4d01f98c13.jpg" alt="Normal connection to PancakeSwap" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">Normal connection to PancakeSwap</figcaption></figure><p>Malicious sites or dapps can ask for unlimited access to your funds, effectively allowing them to drain everything from your wallet once you connect. In the example above, PancakeSwap is asking to view my address/funds/history (which is all publicly available on a <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://mirror.xyz/knowyourcrook.eth/t_WFLQXNt5MPVlqolZ1ogJGr_TB-TIRVLm3HJm0iKVc">block explorer</a>) and to <em>suggest</em> transactions to approve. If a site or dapp is requesting permission to access or spend your funds directly, it is likely a malicious site.</p><h3 id="h-review-smart-contract-allowances" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Review Smart Contract Allowances</h3><p>Similar to connected sites, you must explicitly give permission for your wallet to interact with any smart contracts, most often to buy and sell tokens. This permission remains in effect until you revoke it. Sites like <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://app.unrekt.net/">UnRekt</a> can help scan for your current allowances, as can tools available on most blockchain explorers. 
If you are no longer invested in a token, or you invested in a token that turned out to be a scam, it’s best to revoke allowances from that contract as soon as possible.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/3a598d91e26435bd13dd28876edc6cb0b328f5a2071a985360fcef232be044fc.jpg" alt="More -&gt; Tools -&gt; Token Approvals, then click &quot;Connect to Web3&quot;" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">More -&gt; Tools -&gt; Token Approvals, then click &quot;Connect to Web3&quot;</figcaption></figure><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/411b44c946e51f1866d169c00e821e8b68439f20c9a1bab3e74e10ecd571beb8.jpg" alt="All ERC-20 approvals for this wallet. Yeah, 1Inch whale here." blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">All ERC-20 approvals for this wallet. 
Yeah, 1Inch whale here.</figcaption></figure><p>Be aware, revoking allowances is a transaction that you’ll have to pay a gas fee for, so if you’re doing so on networks like Ethereum that tend to have high gas fees, you may want to wait until gas fees are low before revoking permissions.</p><p>You can find allowance checkers for their respective chains here:</p><ul><li><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://etherscan.io/tokenapprovalchecker">Ethereum (ETH)</a></p></li><li><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://bscscan.com/tokenapprovalchecker">Binance Smart Chain (BSC)</a></p></li><li><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://polygonscan.com/tokenapprovalchecker">Polygon (MATIC)</a></p></li><li><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://snowtrace.io/tokenapprovalchecker">Avalanche (AVAX)</a></p></li><li><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://ftmscan.com/tokenapprovalchecker">Fantom (FTM)</a></p></li></ul><h3 id="h-avoid-holding-on-custodial-wallets" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Avoid Holding on Custodial Wallets</h3><p>Centralized exchanges (CEXs) like Coinbase and Binance use custodial wallets to handle users&apos; funds. That is, your funds are stored in a wallet that you don’t own. You do not have the private key or seed phrase for the wallet your funds are in, which means you do not ultimately control them. 
As the popular saying goes: no keys, no cheese.</p><p>CEXs are generally safe to use, but are regular targets for <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.nbcnews.com/tech/security/bitcoin-crypto-exchange-hacks-little-anyone-can-do-rcna7870">hackers</a>, so funds should not be stored on them long-term. If you are going to use a CEX, transfer funds in, execute your trades, then move funds back out to a wallet that you have full control over.</p><h3 id="h-use-multiple-wallets" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Use Multiple Wallets</h3><p>You never want to have all your eggs in one basket - if you hold all of your assets in a single wallet and it gets compromised, you lose everything. On most popular wallets, you can make new accounts with just a few clicks or taps, so take advantage of that. Have one wallet (ideally a hardware wallet) for long-term holds, one for trading on decentralized exchanges (DEXs) like PancakeSwap and Uniswap, and one for riskier degen plays. If you own high-value NFTs, consider holding each one in their own wallet, or holding them in one wallet but use a separate one for trading them. The same goes for important web3 accounts - have a wallet dedicated to each one.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/2057d8a4b808d996677652e03699590fbc99cf413c3067ed9803ba979ed155d3.png" alt="Don&apos;t let this happen to you" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">Don&apos;t let this happen to you</figcaption></figure><p>Much like diversifying your investment portfolio, you want to diversify where and how your assets are held. 
Every time you connect to a site, interact with a smart contract, or execute a trade, you are exposing yourself to some level of risk. So at the very least, you should have separate wallets for holding and trading.</p><h3 id="h-bookmark-frequently-used-sites" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Bookmark Frequently Used Sites</h3><p>Trading sites like <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://pancakeswap.finance/">PancakeSwap</a>, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://traderjoexyz.com/home#/">TraderJoe</a>, and dapps associated with popular projects are common targets for phishing attempts. A copycat site with a similar URL and identical (or nearly so) layout is set up in hopes that people will connect their wallets, allowing the scammer to drain its assets. As an added layer of security, bookmarking regularly used sites gives you a visual indication that you’re in the right place. The “Name Spoofing” section of <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://mirror.xyz/knowyourcrook.eth/bkFIt9DDiMci0_dAmP1kywJWylC3l428cRT6U8sEqIg">this</a> post goes over some ways the URL of a phishing site might be disguised.</p><h3 id="h-have-dedicated-crypto-accounts-and-devices" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Have Dedicated Crypto Accounts and Devices</h3><p>For those who want an extra layer of security, consider having a separate computer dedicated to crypto, and nothing else. This device should not be used for social media, general web browsing, gaming, or anything else outside of conducting crypto transactions. It should not be signed in to any Google, iCloud, or other personal accounts either, unless you have a dedicated crypto account with those services that is not linked to your personal accounts. 
Always use a VPN when going online, and never do so on public Wi-Fi.</p><p>Essentially, you want a firewall between your personal and crypto-related activity, so if any of your personal accounts or devices are compromised, your crypto assets won’t be at risk.</p><h3 id="h-the-takeaway" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">The Takeaway</h3><p>Your wallets, and the seed phrases that allow access to them, are the most important things to secure in crypto. How you choose to secure them is up to you, and should be based on your own threat model and risk tolerance. That said, some of these measures are trivial to do, and will greatly increase your security. If nothing else, disconnect from sites and dapps when you are done with them, don’t leave funds on a CEX, and use separate wallets for holding and trading. If a wallet is somehow compromised, at least the losses won’t be absolute.</p><p><em>Have a question, comment, tip, inside info, or anything else? Email </em><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="mailto:KnowYourCrook@ProtonMail.com"><em>KnowYourCrook@ProtonMail.com</em></a></p>]]></content:encoded>
            <author>knowyourcrook@newsletter.paragraph.com (Know Your Crook)</author>
        </item>
        <item>
            <title><![CDATA[Block Explorers Demystified! (part 1)]]></title>
            <link>https://paragraph.com/@knowyourcrook/block-explorers-demystified-part-1</link>
            <guid>XUasasg3hPrKinokGtX9</guid>
            <pubDate>Fri, 08 Apr 2022 18:28:16 GMT</pubDate>
            <description><![CDATA[Bottom Line Up FrontBlock explorers like Etherscan and BSCscan contain a wealth of information about a wallet or smart contract, but can be overwhelming to navigate. This first of two guides will explain what each piece of information is, and what they mean. The next guide will go into more detail about how the information can be used in research and investigations.OverviewEverything done on a blockchain - every transaction, every swap, every contract signing - is public. Block explorers are ...]]></description>
<content:encoded><![CDATA[<h3 id="h-bottom-line-up-front" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Bottom Line Up Front</h3><p>Block explorers like <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://etherscan.io/">Etherscan</a> and <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://bscscan.com/">BSCscan</a> contain a wealth of information about a wallet or smart contract, but can be overwhelming to navigate. This first of two guides will explain what each piece of information is, and what it means. The next guide will go into more detail about how the information can be used in research and investigations.</p><h3 id="h-overview" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Overview</h3><p>Everything done on a blockchain - every transaction, every swap, every contract signing - is public. Block explorers are how you can search, view, and analyze that data. Every major blockchain (ETH, BSC, AVAX, etc) has its own explorer, and each explorer will only show information for that chain (so, you can only view ETH tokens/transactions on Etherscan, for example). But, they are all formatted the same, so if you learn your way around one you’re good to go with the others. 
Now, let’s dive in.</p><h3 id="h-walletcontract-information" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Wallet/Contract Information</h3><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/40ec716f450a07fd8e1053b3b1e5e18c3c21b745b881545933870274dff75194.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><ol><li><p>The wallet or contract address you are viewing (both are viewed in the same way on block explorers)</p></li><li><p>This button will open a new window with links to every other blockchain the wallet has activity on. For example, if you hold both ETH and BNB in the same wallet, this button would show links for Etherscan and BSCscan.</p></li><li><p>A label given to the address by the owner or the explorer. While usually a token name or name of its function (like Contract Deployer), sometimes the explorer will label malicious contracts or wallets associated with major hacks.</p></li><li><p>The balance of the blockchain’s native token held by the wallet. So, on BSCscan, it will show BNB only.</p></li><li><p>The current value and price of the native token held.</p></li><li><p>Dropdown menu will show the name, quantity, and value of all other tokens held by the wallet, with their total value displayed on the dropdown window. This total does not include the native token.</p></li><li><p>For contracts, this will show what wallet created the contract, and the transaction hash from when it was done. Very useful when researching a new project to see if the creator has launched any other projects, and where the funding for a project came from.</p></li><li><p>The name and ticker for a token, if you&apos;re viewing a smart contract. 
Clicking on it will bring you to the token itself, where you can view the total supply, holders, transfers, etc. But more on that in part 2.</p></li></ol><h3 id="h-transactions" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Transactions</h3><p>Below the general wallet/contract information is all of the transaction data. Any time a contract is signed by a wallet, tokens are bought/sold/transferred, or anything else at all is done, it will be listed here. There is a lot of info in a small space, but it’s essentially formatted like a spreadsheet, with each row being a single transaction. Let’s take a look.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/68c0f0b2ae32fc5e18f56f0971b16e887229e549da7a9ea58a3711d9d0c2dd41.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><ol start="9"><li><p>This tab will show you all of the wallet transactions, including transfers, token approvals, contract creations, etc. Even failed transactions will show.</p></li><li><p>This tab will change the data to show only token transactions (buys and sells).</p></li><li><p>Most explorers have built-in analytic tools that show trends for a contract over time. More on those in part 2 of this guide.</p></li><li><p>Anyone can leave a comment on a wallet or contract address. Like the comments section on YouTube, though, this is best ignored. </p></li><li><p>Every transaction on a blockchain is given a unique identifier, the transaction hash, so that any given action can be indexed and found. Clicking on this will give details on that particular transaction beyond what is shown in the main block explorer page (example below)</p></li><li><p>The type of transaction that took place. 
Transfer, Contract Creation, Approve, Claim, Stake, etc.</p></li><li><p>How long ago the transaction took place. By default, the format is as pictured (“a day ago”, “12 hours ago”, etc.). If you click on “Age”, it will change to a timestamp format.</p></li><li><p>The wallet that initiated the transaction. For transfers, this is where the funds started. If the “From” address is ever a null address (0x000…000), that means a coin or NFT was minted at that transaction. </p></li><li><p>The address that the “From” wallet interacted with or sent funds to.</p></li><li><p>The value of the funds transferred, shown in the chain’s native token. On the “Token Transaction” tab, this will show the quantity of tokens bought or sold, rather than their native token value.</p></li><li><p>Menu of available filters that let you show only outgoing, incoming, or contract creation transactions (among others).</p></li></ol><br><h3 id="h-transaction-hash" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Transaction Hash</h3><p>Clicking on the transaction hash will give you more granular details about the transaction. In some cases, multiple actions can take place in a single transaction, such as making several purchases and sending funds to multiple wallets. Some information, like the timestamp and to/from wallets, is the same as in the main transaction view, so there is no need to cover it again. 
Instead, I’ll just highlight what is unique to the transaction hash.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/cfa43b6c213ce928efd6d7ee80b4736c46938002d353c6cdcc6402c6b5e6ba6c.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><ol start="20"><li><p>The full transaction hash that can be shared or saved. </p></li><li><p>The actual transactions that took place, step by step. In this case, it was a purchase from PancakeSwap, and there were three transactions behind the scenes to make it happen: the buyer sent BNB to PancakeSwap; PancakeSwap turned that BNB into WBNB; PancakeSwap sent the buyer their purchased tokens. </p></li><li><p>The BNB and USD value of the purchase. The USD value is shown at current rates (from when the page was opened), but clicking on it will show the estimated USD value at the time of the transaction. </p></li><li><p>Gas fee paid for the transaction.</p></li><li><p>The BNB closing price on the day of the transaction.</p></li></ol><br><h3 id="h-the-takeaway" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">The Takeaway</h3><p>When researching a potential investment or investigating on-chain activities, block explorers are an invaluable resource. They are a public, permanent, and immutable record of everything that has taken place on a blockchain. In part 2 of the guide, I’ll go into more detail about mapping wallets and tracking transactions, as well as some tools and resources available to analyze the data.</p><p><em>Have a question, comment, tip, inside info, or anything else? 
Email </em><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="mailto:KnowYourCrook@ProtonMail.com"><em>KnowYourCrook@ProtonMail.com</em></a></p>]]></content:encoded>
            <author>knowyourcrook@newsletter.paragraph.com (Know Your Crook)</author>
        </item>
        <item>
            <title><![CDATA[SCAM REVIEW: Validate Your Wallet]]></title>
            <link>https://paragraph.com/@knowyourcrook/scam-review-validate-your-wallet</link>
            <guid>9gCPQ38PbAvcPTUYdJnd</guid>
            <pubDate>Mon, 04 Apr 2022 14:25:57 GMT</pubDate>
            <description><![CDATA[Bottom Line Up FrontSomeone claiming to be a project support team member or admin DMs you asking if a question you posted in the channel was ever answered. Regardless of your answer, they will find some pretext to say you need to validate your wallet, and will send you a link to do so. The link is to a phishing site, and will most often ask you to enter your wallet seed phrase.OverviewThe particular approach used in this scam usually comes after a project makes some big announcement, and takes advantage...]]></description>
            <content:encoded><![CDATA[<h3 id="h-bottom-line-up-front" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Bottom Line Up Front</h3><p>Someone claiming to be a project support team member or admin DMs you asking if a question you posted in the channel was ever answered. Regardless of your answer, they will find some pretext to say you need to validate your wallet, and will send you a link to do so. The link is to a phishing site, and will most often ask you to enter your wallet seed phrase.</p><h3 id="h-overview" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Overview</h3><p>The particular approach used in this scam usually comes after a project makes some big announcement, and takes advantage of people asking questions about it. In this case, the SmartCoin team announced it was the last day to request a wallet reputation transfer to a new wallet, but the initial wording was a bit confusing, leading to a lot of questions in the channel.</p><p>Here, the scammer forwarded my question into a DM to give themselves a little more credibility. When I said that my question had in fact been answered, they changed tactics and asked if I was participating in the “airdrop bonus”. So, I played along.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/7fa88d8c4b5ba98192c67f9130e8851ea6461a32e9ae344d0bc838aaf122afd6.jpg" alt="&quot;Haven&apos;t heard a out that&quot; - damn talk to text..." blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">&quot;Haven&apos;t heard a out that&quot; - damn talk to text...</figcaption></figure><p>They asked me to send my wallet address to “get me through on their data base system”, a phrase which I assume made sense to them. 
In reality, they probably just wanted to see how much they’d be able to steal from me, so I grabbed the address of some random whale and sent it along.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/051f535623bf52c941d7aea85b35a913f34cc1f5bb1b673d6ad6757985c87fb6.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>Evidently satisfied, they then sent me a link and instructions on how to validate my wallet.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/263e63c403a8c1941611345a88447ea401b5e178afc227e3b0359c591e90b237.jpg" alt="I need to find a good QR code I can start sending these people" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">I need to find a good QR code I can start sending these people</figcaption></figure><p>The site they sent me to looked generic enough, until I clicked on “Get Started” and was immediately asked for my seed phrase.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/d85e00b829c6af2030e5d0512ab31d51a6f21fccd367fca7d20ac486d3305361.jpg" alt="Real &apos;stonks&apos; energy at the bottom of the page" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">Real &apos;stonks&apos; energy at the bottom of the page</figcaption></figure><figure float="none" data-type="figure" 
class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/37e82f052fd069ebc0d2b47547352cb643812cd3cd36b5c2f3d7e6424b307d17.jpg" alt="They even let people upload a json - how convenient!" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">They even let people upload a json - how convenient!</figcaption></figure><p>Another common approach to this scam is via email, where the message will come in from an account pretending to be a popular wallet service (MetaMask, Trust Wallet, etc.). The message will usually say your wallet or account is going to be locked soon unless you take action, and ask you to follow a link to “verify your wallet”. As with the example above, the site they link will either try to trick you into giving up your seed phrase, or ask you to connect to a malicious contract that will drain your funds. Your email spam filter will most likely catch these kinds of emails, but sometimes they slip through. Suffice it to say, no wallet service will ever email, DM, or otherwise contact you directly asking you to “verify” yourself or your wallet.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/0d81ed0aa65c40a3c6cd67a2b7682f693845b2e8cd6c17782c0f199b20968d2e.png" alt="Not today, Satan." blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">Not today, Satan.</figcaption></figure><h3 id="h-the-takeaway" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">The Takeaway</h3><p>No matter who is asking or how they dress up the request, you should never, under any circumstances, give out your wallet’s seed phrase. 
It will never be needed for troubleshooting, tech support, connecting to websites/dapps, entering giveaways, or anything else involving another person. Similarly, when connecting your wallet to a site or dapp, pay close attention to the permissions being requested - they should never include unlimited spending or making transactions without notifying you.</p><p><em>Have a question, comment, tip, inside info, or anything else? Email </em><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="mailto:KnowYourCrook@ProtonMail.com"><em>KnowYourCrook@ProtonMail.com</em></a></p>]]></content:encoded>
            <author>knowyourcrook@newsletter.paragraph.com (Know Your Crook)</author>
        </item>
        <item>
            <title><![CDATA[DYOR: An Evergrowing How-To Guide]]></title>
            <link>https://paragraph.com/@knowyourcrook/dyor-an-evergrowing-how-to-guide</link>
            <guid>I6uSOGwbgUGKDUU2EEqn</guid>
            <pubDate>Fri, 01 Apr 2022 21:01:53 GMT</pubDate>
            <description><![CDATA[Updated June 28, 2022 → added link to BonkalyticsBottom Line Up FrontResearch into a crypto project can generally be broken into three categories: The dev team; the project fundamentals; and the community. This guide will cover tools and techniques for researching each, red flags to look for, and general tips on how to go about learning as much as you can about a project. This is a reference guide that will be updated regularly to include new tools and services available, emerging threats in ...]]></description>
            <content:encoded><![CDATA[<p><em>Updated June 28, 2022 → added link to</em> <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://bonkalytics.com/">Bonkalytics</a></p><h3 id="h-bottom-line-up-front" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Bottom Line Up Front</h3><p>Research into a crypto project can generally be broken into three categories: The dev team; the project fundamentals; and the community. This guide will cover tools and techniques for researching each, red flags to look for, and general tips on how to go about learning as much as you can about a project. This is a reference guide that will be updated regularly to include new tools and services available, emerging threats in the space, and timely examples.</p><h3 id="h-overview" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Overview</h3><p>“Do your own research”, or DYOR, is perhaps the most common phrase in crypto today. It is used both as advice and as a disclaimer whenever projects are discussed. But for all the influencers and investors that regularly tell people to DYOR, it’s rare that they ever say exactly <em>how</em>. Well, that’s exactly what this guide seeks to do. Researching a crypto project will be broken down into three categories:</p><ul><li><p>The dev team, including their experience and past projects</p></li><li><p>The project itself, including fundamentals and tokenomics</p></li><li><p>The community across all social media platforms</p></li></ul><p>For each category, I’ll provide research tips, free and paid online tools that can be used, red flags to look out for, and plenty of examples. 
This is by no means a definitive or all-inclusive guide, which is why I will treat it like a living document, with regular updates and additions as appropriate.</p><h3 id="h-general-researching-guidelines" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">General Researching Guidelines</h3><ul><li><p>Take nothing at face value - verify all claims made as best you can</p></li><li><p>Use other people’s research as a benchmark for your own, not as a replacement</p></li><li><p>Learn to differentiate facts from opinions.</p></li><li><p>Get facts from known, trusted sources, and gather as many opinions as possible. People believe a wide spectrum of things, and the truth is usually somewhere in the middle of it all.</p></li><li><p>Always do your research <em>before</em> investing, not after.</p></li><li><p>Research is a skill. Like any other skill, it takes time to learn and practice to get better.</p></li></ul><h3 id="h-developers-and-core-team" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Developers and Core Team</h3><p>Researching a project’s developers and core team is the heart of KYC. All other research aside, if a team has a history of failed or abandoned projects, or they have pulled several exit scams in the past, then for me there is no need to research further. Finding this information can be tricky, though, and it’s only one of many things you should be looking at.</p><p>Keep in mind, you are not likely to find everything you are looking for in one place. Especially when researching a team that is not fully doxed, it is more like putting together a puzzle, with pieces scattered all around the internet. Ultimately, your goal is to learn as much about the team’s experience, history, and motivations as you can. So, where do you start?</p><ul><li><p>Is anyone on the team fully doxed? 
If so, check them out on <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.linkedin.com/">LinkedIn</a>, and Google their first and last name in quotes (ex: “Elon Musk”, with the quotes included). Look for any other projects they may have been involved with, and any independent verification of their experience (I can say I was a software engineer at Google on my LinkedIn profile, but that doesn’t make it true). Be sure to check the News and Videos sections in Google as well. For developers, look for a GitHub account associated with their name to see what else they’ve built.</p></li></ul><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/aa7bdbc8666bf8dff8c2c7f56fb9ca70f6314f00243826139bc46a9f3b9f17f5.jpg" alt="Always nice when the website includes devs&apos; LinkedIn profiles (pic: Landlord Token)" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">Always nice when the website includes devs&apos; LinkedIn profiles (pic: Landlord Token)</figcaption></figure><ul><li><p>Do a reverse image search on profile pictures or avatars used by the team:</p><ul><li><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://images.google.com/">Google Images</a></p></li><li><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.bing.com/images/feed">Bing Images</a></p></li><li><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://tineye.com/">TinEye</a></p></li><li><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://yandex.com/images/">Yandex</a></p></li><li><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://pimeyes.com/en">PimEyes</a> - facial search, great for helping to confirm a dox</p></li><li><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://image.baidu.com/">Baidu</a> - Chinese site primarily focused on China-based content</p></li></ul></li><li><p>Usernames can be searched on sites like <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://namecheckup.com/">NameCheckup</a> and <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://checkusernames.com/">CheckUserNames</a>. These tools will search for the name across hundreds of sites, allowing you to see where else they might be active.</p></li><li><p>If any of the team has a personal Twitter account, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.allmytweets.net/">AllMyTweets</a> will let you see their most recent (up to 5k) tweets and likes, which may yield some interesting or useful info.</p></li><li><p>If in doubt about anything, ask the team directly! If they respond, you have more information that you can verify. If they ignore you or push back on answering, ask yourself why. If you’re banned/blocked from a channel or server for asking, then you know you hit an important question, and should keep digging.</p></li></ul><h3 id="h-project-foundation-fundamentals-and-tokenomics" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Project Foundation, Fundamentals, and Tokenomics</h3><p>This research involves looking under the hood of a project to understand what makes it run. 
The smart contract, website, whitepaper, roadmap, and associated wallets can all hold valuable information about the project.</p><ul><li><p>Check the contract on <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://tokensniffer.com/">TokenSniffer</a>, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://scamsniper.net/">Scamsniper</a> and <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://honeypot.is/">Honeypot.is</a>. All are free, and will scan a smart contract for common malicious functions that might give owners the ability to rug. TokenSniffer will show you other smart contracts that have similar or identical code, so you can see how those projects fared. These services will also simulate sales to ensure the project is not a honeypot. If the project is still in presale, however, they can throw some false positives.</p></li><li><p>Another contract scanning service is <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.rugscreen.com/">Rugscreen</a>. It’s more comprehensive than the other two, but costs a few dollars’ worth of BNB to run.</p></li><li><p>Check the contract and website on <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.chainabuse.com/">ChainAbuse</a> to see if they are connected to any known fraudulent activity.</p></li><li><p>For NFT projects, use a tool like <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://bonkalytics.com/">Bonkalytics</a> to look at the number of unique minters, total minted, whale mints, total volume, and other useful metrics. 
Be cautious of projects with a large amount minted by relatively few wallets, as it could be a sign of <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.investopedia.com/terms/w/washtrading.asp">wash trading</a> or other market manipulation.</p></li><li><p>On a block explorer, go to the wallet that created the contract to see where their funds came from, and if they have created any other contracts (be sure to check all chains the wallet is active on). If they have, spend some time looking into those projects as well, at least to see if any were rugged or abandoned.</p></li></ul><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/a7982e1c7d3dc0574b809f85fe5d58962df9ff4c02ed2541e6e5ad1090833e92.png" alt="This will show you all contracts created by a wallet on a particular chain" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">This will show you all contracts created by a wallet on a particular chain</figcaption></figure><ul><li><p>Spend time on the website reading everything, and clicking all the links. If there are a lot of spelling or grammatical errors, broken links, non-functioning buttons, or other indications that minimal time has been put into developing the site, that’s a big warning sign. If the contract, roadmap, and whitepaper are not readily accessible on the site (or non-existent), that’s another warning sign. 
Generally speaking, the less effort that was put into the project as a whole, the bigger the red flag.</p></li></ul><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/ad268c3aacb43ef131e72ac75a6421c94a820510117f579240d8b7fef27f26ce.png" alt="Love to see address, and Whitepaper/Roadmap/Team links all on the website header" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">Love to see address, and Whitepaper/Roadmap/Team links all on the website header</figcaption></figure><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/ab8a2ccd0319eb721551eabbe539b65dc21fa82dfd9cb1efcedd31579e3f6188.jpg" alt="Scam example: the more you look at these packages, the worse it gets" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">Scam example: the more you look at these packages, the worse it gets</figcaption></figure><ul><li><p>Do an <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://lookup.icann.org/">ICANN</a> lookup on the website’s domain to see when it was registered. Compare this to when a presale was listed, marketing on social media began, etc. Scam projects tend to be a quick flash in the pan - everything happens all at once, usually within a week or two. 
Good projects take time to build.</p></li></ul><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/7304054157b95b465d110df96bd86e9a759ac4fc1abbc5a464a7cb63c1997c82.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><ul><li><p>Take a look at the roadmap, and decide if the milestones, deliverables, and timetables listed seem reasonable, especially given what you know about the team. Scam and pump &amp; dump projects thrive on hype, and that’s often reflected in outlandish roadmaps. Similarly, carefully consider what the project currently has built and deployed, versus what they are promising will come sometime in the future. If the entire value proposition of a project is built on what they say is coming, not what already exists, that’s a warning sign.</p></li></ul><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/385efdc555a7aae097479c23a1f6c7808935dc27dd650202db80b0ee82011e9c.jpg" alt="$50B market cap by next year? That would be the #4 largest crypto, excluding USDC/USDT" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">$50B market cap by next year? That would be the #4 largest crypto, excluding USDC/USDT</figcaption></figure><ul><li><p>Give equal, if not more, scrutiny to the whitepaper. Is it just repeating what’s on the website, or is it going into more detail? Google their mission statement (in quotes) or other generic-sounding parts of the whitepaper to see if they have been copied from other projects. 
Make sure the tokenomics and project details covered in the whitepaper match what is presented on the website and socials.</p></li><li><p>Be aware of the tokenomics, especially buy and sell taxes, and how they would impact the break-even point of your investment. For example:</p><ul><li><p>If a project has a 10% buy and sell tax, putting in $1k would get you $900 worth of tokens.</p></li><li><p>You would need to sell $1111 worth of tokens to end up with $1k back in your wallet after the sell tax is taken out (1111 - (0.1 * 1111) = 1000).</p></li><li><p>This means your initial $900 worth of tokens would have to increase in value to $1111 (a ~24% increase) just to break even.</p></li><li><p>A project with 5% buy/sell tax would need an ~11% price increase to break even, and a 15% buy/sell tax would need a ~38% price increase.</p></li></ul></li><li><p>If the token offers staking, what is the Total Value Locked (TVL) percentage? A low percent may indicate holders are not interested in governance or longevity, and will instead sell when the price rises to their target. Conversely, a high TVL percent can indicate strong community faith in the project.</p></li><li><p>Be sure to verify all claims of contract audits and liquidity locks. If an audit has been done, read the report in full. If liquidity has been locked, find out what percentage of the total liquidity it is, how long it’s locked for, and what the team will do with the liquidity once it unlocks.</p></li><li><p>On a block explorer, check what percentage of tokens the largest wallet holders have. If one wallet owns 10% or more of the total circulating supply, they could cause a significant price drop if they sold all at once. Keep in mind, the block explorer will show the percent of <em>total</em> tokens owned, not <em>circulating</em> tokens. 
So, if 50% of the circulating supply has been burned, then the actual percentage owned by each wallet will be double what is shown.</p></li></ul><h3 id="h-community-and-social-media" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Community and Social Media</h3><p>No project can moon without everyone in the community helping to gas up the rocket. Communities can make or break a project, so you want to make sure you know as much about them as possible.</p><ul><li><p>Check a project’s Twitter account on <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://sparktoro.com/fake-followers/">SparkToro</a> and <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.twitteraudit.com/">TwitterAudit</a> to get an idea of how many fake, botted, or inactive followers they have. If the account has used giveaways to gain followers, chances are they will have a lot. Followers gained by giveaways do not mean followers that are invested (or even interested) in the project.</p></li><li><p>Compare the number of followers or subscribers on each of the social media channels. Generally, Twitter and Telegram will be about equal, and Discord will be slightly lower. If there is a large discrepancy between platforms - say, if Telegram has 7k more followers than Twitter - it could indicate they artificially inflated their followers with fake accounts.</p></li><li><p>Do their Telegram and Discord channels have any helper bots set up (Rose, MEE6, WickBot, etc.), or is moderating and sending official links completely manual? As with the roadmap, whitepaper, and website, the less effort that is put into a project, the bigger the red flag.</p></li><li><p>Spend some time chatting on each of the platforms. Are there active conversations from a large number of members, or just a regular stream of “wen lambo” memes? How much engagement do tweets from the official account get? 
How active are the devs and core team on each of the socials? Are questions about the project answered, mocked, or ignored? Do community members seem genuinely excited about the project and supportive of the core team?</p></li><li><p>Search account handles and project-related hashtags on Twitter, and get an idea of what people are saying about it. Is there a lot of organic chatter from a bunch of different accounts, or are there only a few cheerleaders/influencers driving everything? What’s the overall sentiment when people talk about the project? Look at comments under tweets from the main account, as they are often from holders. Are they supportive of the project and team, or angry?</p></li></ul><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/e1f7f342b6e2af3909f7abfcccba79acb428b3b3694b332673b2ac9f39a32a84.png" alt="Vibe check: ......yikes" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">Vibe check: ......yikes</figcaption></figure><h3 id="h-the-takeaway" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">The Takeaway</h3><p>With few exceptions, no one source or piece of information will give you the full picture of a project and its team. Instead, you must piece together a mosaic using a wide variety of information, both qualitative and quantitative, and make your assessment from there based on your own risk tolerance. As a general rule of thumb, the amount of time you spend researching a project should be proportional to the amount of money you plan to invest in it.</p><p><em>Have a question, comment, tip, inside info, or anything else? 
Email </em><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="mailto:KnowYourCrook@ProtonMail.com"><em>KnowYourCrook@ProtonMail.com</em></a></p>]]></content:encoded>
            <author>knowyourcrook@newsletter.paragraph.com (Know Your Crook)</author>
        </item>
        <item>
            <title><![CDATA[SCAM REVIEW: Send Me a DM]]></title>
            <link>https://paragraph.com/@knowyourcrook/scam-review-send-me-a-dm</link>
            <guid>FFjgn9RaGfnhjEUSHlP9</guid>
            <pubDate>Thu, 31 Mar 2022 17:25:15 GMT</pubDate>
            <description><![CDATA[updated 5/3/2022: Updated ‘Name Spoofing’ section examples and tipsBottom Line Up FrontAfter replying to or quote-tweeting a popular Twitter account, you get a reply from someone impersonating them asking you to send a DM. If you do, there will usually be a short exchange about whether you invest in crypto, and if so, what projects and how much. This is followed by a claim that they can make you some quick money, and directions to join an exchange or investment site. These sites are honeypots...]]></description>
            <content:encoded><![CDATA[<p><em>updated 5/3/2022: Updated ‘Name Spoofing’ section examples and tips</em></p><h3 id="h-bottom-line-up-front" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Bottom Line Up Front</h3><p>After replying to or quote-tweeting a popular Twitter account, you get a reply from someone impersonating them asking you to send a DM. If you do, there will usually be a short exchange about whether you invest in crypto, and if so, what projects and how much. This is followed by a claim that they can make you some quick money, and directions to join an exchange or investment site. These sites are honeypots - you can deposit crypto into them, but cannot take funds out. If you do make a deposit, the scammer will sometimes try to pressure you into sending additional funds to cover supposed trading fees or taxes.</p><h3 id="h-overview" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Overview</h3><p>Shortly after responding to a popular account you follow, you get a reply seemingly from that account asking you to DM them. Most popular accounts say they will never DM you first, so on the surface this may seem reasonable. Of course, if you look carefully at the name and follower count of the person replying to you, more often than not you’ll see it’s an impersonator trying to get you into a private conversation.</p><p>This approach to launching a scam uses two common <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://mirror.xyz/knowyourcrook.eth/GqDo96zOK4CGkyLdQlOYs4hHUdi_iDgK-J66S9VG1_E">tactics</a>: it borrows credibility from the popular account you were responding to, and it tries to make it seem as though <em>you</em> initiated the conversation by having you DM them first. 
Though the ultimate grift will change from person to person, they usually involve you creating an account and depositing crypto into some site they send you, similar to the ‘<a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://mirror.xyz/knowyourcrook.eth/SJF8eGDpc8jGfR10e_L5sB1LilIKoOMrXSdSNekAofA">new exchange giveaway</a>’ scams that are common on Discord. Here’s how one played out in my DMs earlier today.</p><h3 id="h-the-approach" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">The Approach</h3><p>After making some offhanded reply to @CryptoFinally on Twitter (a frequent target of impersonators), I received this:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/bc341fc6c1ef274d6474beeb60d33d3388b3525b17ae2cddbc3407d697596bf4.jpg" alt="Note the spelling of their @" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">Note the spelling of their @</figcaption></figure><p>Never wanting to pass up an opportunity to learn about the latest fraud trends first hand, I did as requested and sent them a DM:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/b03cfebef5d87c498382dbc40e683106018eb8a2c5b73b28d44c073c0a60ed1f.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>She didn’t waste any time getting down to business, first asking about what I hold, then saying she has a few 20x gems she wants to pass along. 
The point of asking what I hold is simple: she wants to know if I have funds readily available to steal. If I’d said I didn’t, she’d have either moved on to someone else, or changed to a different scam that involved sending fiat. But, I had some crypto handy, and it’s hard to turn down a quick 20x, so I pressed on:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/45172ae1112e23d9956d318de2ff3f018c24c065a1dc532a4fe83b508338e0fe.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>A project not being listed on Binance is reasonable enough - it takes a lot to be listed there, and most BSC projects never make it.</p><p>Now, I asked if the exchange was new as a sort of checksum on how honest or dishonest the scammer was willing to be with me. An <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://lookup.icann.org">ICANN</a> lookup on the domain name will tell me exactly when it was registered:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/7304054157b95b465d110df96bd86e9a759ac4fc1abbc5a464a7cb63c1997c82.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>In this case, it was made just over a week ago. Some scammers like this one go for quick hits - make contact with their mark, direct them to the fraudulent site, and move on - but others play a longer confidence game that will draw the conversation out over several days or weeks. 
In those cases, it can be useful to know if they are mixing in some truth with their lies. While I waited for her answer, I went ahead and made an account on the exchange:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/17fa894c4ed3ac28c7aabc3b708f453402110368cf11fa5fc3e146f2426eacec.jpg" alt="I should probably make sure a@a.com isn&apos;t actually an active email address..." blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">I should probably make sure a@a.com isn&apos;t actually an active email address...</figcaption></figure><p>As usual, security is not an issue with sites like this, and my account was made right away!</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/2a7360ed97521043345b344c1ccb2759066a0a4659c8835f93150e981e709035.jpg" alt="Welcome, a!" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">Welcome, a!</figcaption></figure><p>Looking at the coin offerings, there were only about a dozen of the most popular tokens listed, so I was really curious to learn what these supposed 20x gems would be. 
Unfortunately, it wouldn’t be that easy:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/659dfd5fe2457aeacfec3efd627dca17817364d9e3ca91b2b5d7ad6a7e69b197.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>Apparently, I would only find out what I was supposed to buy via email, once I deposited BTC or ETH into my account. Since I’m not willing to send even a dollar to a scammer to see how things would play out next, I respectfully ended the conversation by thanking them for the training materials, and went about my day.</p><h3 id="h-name-spoofing" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Name Spoofing</h3><p>There are some common tricks scammers will use to make their username look as close as possible to the one they’re impersonating:</p><ul><li><p>Adding underscores to the name, or using two underscores instead of one → @Coffeebreak_YT vs @Coffeebreak__YT</p></li><li><p>Using a lowercase ‘L’ and an uppercase ‘I’ interchangeably → Coffeezilla vs CoffeeziIIa</p></li><li><p>Using ‘r n’ together in place of a lowercase ‘m’ → Bitmart vs Bitrnart</p></li><li><p>Using the number ‘0’ and an uppercase ‘O’ interchangeably → Official vs 0fficial</p></li><li><p>Using one or two ‘v’s in place of a ‘w’ → Brewlabs vs Brevvlabs or Brevlabs</p></li></ul><p>You get the idea. If you’re looking quickly, and especially if you’re on a small mobile screen, it can be easy to mistake a spoofed name for a real one. 
Then there are the more insidious spoofs that use alt and Cyrillic characters as substitutes, which look identical to their real counterparts:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/fd8180dc9265cb23e4a58e36b307f7f75fe4bb99a489f3893369f9975ff1501a.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/c4765786c7eec3171e6affc91b9a7c83605a4cfb71913fcafd2e261a2649c8bb.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>Full thread <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://twitter.com/eskacie/status/1516501938719780864?s=20&amp;t=e7iGA4HQfkGU4ZDe-gLI2w">here</a>.</p><p>Much like the I/l switching, there are no visual clues that something is off. So, how can you protect yourself if you receive a DM from an account that looks legit?</p><ul><li><p>If it looks like a mod/dev on a platform like Discord or Slack DMed you, tag them in a public channel and ask if it’s really them.</p></li><li><p>If it’s on a social media platform, look at how many followers the account has, and compare that with the real account.</p></li><li><p>Copy the username into a text editor, and change all letters to uppercase (in Word, Shift+F3 will cycle through upper, lower, and capital case). 
This will help you spot most letter/number switches.</p></li><li><p>Enter the username into a browser address bar, and add “.test” to the end (without quotes). Your browser will convert any alt/Cyrillic characters in it to punycode, which gives them away (the converted name starts with xn--).</p><ul><li><p>L○○ksRare.test → xn--lksrare-hm6da.test</p></li></ul></li><li><p>If it is a URL, manually type the address into your browser, rather than clicking a link or copy/pasting.</p></li><li><p>Enter the username into a <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://2cyr.com/decode/?lang=en">Cyrillic decoder</a> and check the output:</p></li></ul><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/8dce39d3eb7a7028b037e8c1872e83b6f43ad311b07a1a886682e8822e6a4d3f.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><h3 id="h-the-takeaway" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">The Takeaway</h3><p>Any time you receive a reply or DM that looks like it’s from a popular account, always double-check the @ name and follower count before engaging. On phone push notifications, you’ll only see the display name and PFP, both of which might be identical to the real account. If at any point you are directed to deposit funds into a new or unknown exchange (or other investment-related site), it’s most likely a honeypot, and the funds will be unrecoverable. So, you know, don’t do it.</p><p><em>Have a question, comment, tip, inside info, or anything else? Email </em><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="mailto:KnowYourCrook@ProtonMail.com"><em>KnowYourCrook@ProtonMail.com</em></a></p>]]></content:encoded>
            <author>knowyourcrook@newsletter.paragraph.com (Know Your Crook)</author>
        </item>
        <item>
            <title><![CDATA[Security, or Security Theater?]]></title>
            <link>https://paragraph.com/@knowyourcrook/security-or-security-theater</link>
            <guid>Js3YapnW0Bd6YdIHllsm</guid>
            <pubDate>Wed, 30 Mar 2022 13:09:34 GMT</pubDate>
            <description><![CDATA[Bottom Line Up FrontThe security provided by measures such as audited contracts, locked liquidity, and doxed/KYCed teams is often overstated by projects, and misunderstood by investors. Every measure has its strengths and limitations, as well as workarounds that can be exploited by bad actors. Knowing and understanding these will help you better assess the relative risk of a project before investing.OverviewAbove and beyond anything else, a project’s team needs to inspire trust in the project...]]></description>
            <content:encoded><![CDATA[<h3 id="h-bottom-line-up-front" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Bottom Line Up Front</h3><p>The security provided by measures such as audited contracts, locked liquidity, and doxed/KYCed teams is often overstated by projects, and misunderstood by investors. Every measure has its strengths and limitations, as well as workarounds that can be exploited by bad actors. Knowing and understanding these will help you better assess the relative risk of a project before investing.</p><h3 id="h-overview" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Overview</h3><p>Above and beyond anything else, a project’s team needs to inspire trust in the project itself. Even if people don’t necessarily trust the team (say, if they are anonymous), they have to at least trust the safeguards put in place around the project. Third party audits and code reviews, liquidity locks, and other such measures are common safeguards used to build trust, but how much security do these actually provide?</p><p>Below, I’ll cover the five most common security measures projects use today: doxing/KYCing the team; contract audits; liquidity locking; renouncing contract ownership; and using multi-sig dev wallets. For each, I’ll talk about what they guard against, what they <em>don’t</em> guard against, and how they could potentially be circumvented or exploited.</p><h3 id="h-team-kyc-andor-doxing" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Team KYC and/or Doxing</h3><p>Doxing is where the devs behind a project either fully (full name and bio) or partially (just face and voice, first name only, etc) reveal their identities. There are also KYC services that verify the identities of the team privately, and issue a voucher saying that it’s been done. 
This allows devs to remain anonymous to investors but still show proof that <em>someone</em> knows who they are.</p><p><strong>The Good:</strong> Knowing who the devs are lets you research their experience, and any past projects they may have been a part of. Being fully (publicly) doxed also means the team’s reputation is on the line, so they’ll probably want the project to be a success.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/aa7bdbc8666bf8dff8c2c7f56fb9ca70f6314f00243826139bc46a9f3b9f17f5.jpg" alt="Full dox: name, picture, and Linkedin profile links from the Landlord team" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">Full dox: name, picture, and Linkedin profile links from the Landlord team</figcaption></figure><p><strong>The Bad:</strong> Crypto is still completely unregulated in most countries, so there is little to no legal accountability for bad actions. Whether the devs are skimming funds from a project wallet or doing a hard rug pull, the only likely repercussion will be a bad reputation.</p><p><strong>The Ugly:</strong> First, private KYC services are all but useless. If a project turns out to be a scam, the company likely isn’t going to release the identity of the devs to the public (though some claim they will, if the project is a clear scam). Second, fake names, backed by fake Linkedin profiles, are not uncommon. Profile pictures could be <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://this-person-does-not-exist.com/en">fake</a> as well. I have even seen projects go as far as to hire an actor on Fiverr to record a short video pretending to be the lead dev. 
Being “fully doxed” doesn’t always mean they’re actually doxed.</p><h3 id="h-audited-contracts" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Audited Contracts</h3><p>Third party services like CertiK and Solidproof will scan the smart contract of a project for any coding issues or malicious functions, such as ones that would prevent selling, or allow unlimited minting of tokens.</p><p><strong>The Good:</strong> Most people are not programmers, so having a trusted third party review the smart contract for anything malicious or unstable is a great service. Passing an audit is usually a good indication that a new project will not exit-scam shortly after launch, and that the contract contains no critical vulnerabilities.</p><p><strong>The Bad:</strong> Receiving an audit, passing an audit, and making all the recommended changes in the audit are three different things. Just because a project has been audited doesn’t mean the team has addressed any flagged vulnerabilities. Always read through the audit yourself to understand the project better.</p><p><strong>The Ugly:</strong> An audit tells you what is in the contract, but it does not prevent what’s in the contract from being used or abused. Some functions, such as the ability to change taxes or mint tokens, are reasonable to have under certain circumstances. But, they require a lot of trust in the dev team to not abuse them. 
An audit <em>will</em> flag these functions:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/2520dbb27d9438c0d1f756b9e0ba5011bfc63aee78346b46bb7609a7fa80ff5e.jpg" alt="This from the Bash Protocol audit" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">This from the Bash Protocol audit</figcaption></figure><p>And the dev team may give reasons for having the functions:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/9378eced2fbcbd11d701ec44d978b4993207b7f1832291fce17e3e81d27b7cb1.jpg" alt="Forwarded from their now deleted Telegram channel" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">Forwarded from their now deleted Telegram channel</figcaption></figure><p>But in the end, there is nothing actually preventing something like this from happening:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/daa53e2c875d7bdd08e943820f4c169744802757b9729b377dc81124e8b9d5ee.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>Right after launch, the lead dev started minting and selling trillions of tokens, effectively draining the liquidity from the project.</p><p>Fun fact: the BASH Protocol team was doxed and KYCed, too:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img 
src="https://storage.googleapis.com/papyrus_images/4f60cd1ad0568623df88e97cb896a3376bb1297a0a52acf8438f2587ec87f196.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><h3 id="h-locked-liquidity" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Locked Liquidity</h3><p>This means ownership of the liquidity pool for a token has been renounced for a set amount of time. Ownership is usually transferred to a third party smart contract, such as DxLock.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/65af9086d6e7a46906ca54da5bdd769b03fdd3f736616bbfb48c7578da09bbe8.png" alt="Poocoin does a good job flagging projects with unlocked liquidity" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">Poocoin does a good job flagging projects with unlocked liquidity</figcaption></figure><p><strong>The Good:</strong> Locking liquidity prevents the team from withdrawing the pool of funds on which their token is traded. Assuming the liquidity pool is regularly funded, usually from a portion of transaction taxes, this helps ensure investors can always buy and sell tokens without issue.</p><p><strong>The Bad:</strong> Liquidity is locked for a set period of time, after which the team will have full access to the funds. Ideally, this lock period is for a year or more, but that’s not mandatory. Projects can lock their liquidity for a single day or week if they want. It’s important to know how long funds are locked for, and what the team plans to do once they unlock.</p><p><strong>The Ugly:</strong> First, see the example from BASH protocol above. 
Their liquidity was locked, but by minting and selling tokens, they were able to effectively drain the liquidity pool anyway. Second, let’s say liquidity is locked for six months, but the project is a honeypot (that is, you can buy tokens but can’t sell them). The team will be able to cash out on the project all the same; they’ll just have to wait until the liquidity unlocks.</p><h3 id="h-renounced-ownership" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Renounced Ownership</h3><p>Every smart contract has an associated owner wallet which has the ability to call its owner-only functions. Similar to locking liquidity, renouncing ownership means transferring control over the smart contract to a third party wallet, usually a dead wallet that nobody has access to, effectively making the contract fully autonomous.</p><p><strong>The Good:</strong> Renouncing ownership means the various parameters of a contract, like transaction taxes and the ability to mint tokens, cannot be changed or abused by the devs, essentially making the project trustless (that is, security is not based on trusting devs to act morally).</p><p><strong>The Bad:</strong> While renouncing ownership prevents devs from further manipulating functions in the contract, if parameters are maliciously set prior to renouncing, then the damage is already done. Additionally, contracts typically only dictate where funds are allocated from transactions, but not who has access to those funds - so, devs might not be able to change the transaction tax, but they have unrestricted access to the funds that are being generated.</p><p><strong>The Ugly:</strong> Through some coding sleight of hand, ownership can be renounced and then regained, or critical functions can give specific wallets hard-coded access (essentially, the contract will say if you want to call a function, you either have to be the owner OR this specific wallet that the dev controls). 
To complicate things further, a smart contract can call another contract to execute functions. The main smart contract might have its ownership renounced, but the other contracts it calls to do things do not.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/7c49f121193c42c095f4be32fa1abca346cd2747730af82e2358399e3e82e1be.jpg" alt="This, basically" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">This, basically</figcaption></figure><h3 id="h-multi-sig-wallets" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Multi-Sig Wallets</h3><p>Typically speaking, to transfer funds out from a wallet, only one person needs to approve the transaction - its owner. On multi-sig wallets, several people have to approve a transaction to have it execute. Most commonly, signers will be a majority of a diverse group of people (five of six people, eight of ten people, etc).</p><p><strong>The Good:</strong> Multi-sig wallets, especially when the signers consist of both dev team and community members, help to ensure any and all transactions represent the best interests of both devs and investors. Additionally, they prevent any single person from going rogue and draining funds from a project wallet.</p><p><strong>The Bad:</strong> Most projects have multiple wallets associated with them, and more often than not only the main dev wallet will be multi-sig. If the dev wallet has this kind of enhanced security, but the marketing, buyback, and investment wallets don’t, then there really isn’t much value added.</p><p><strong>The Ugly:</strong> If you need four of five core team signatures to approve a transaction, and the entire core team is in on a grift, then the scam-related transactions will always be approved. 
Similarly, if a majority of signers, whether dev team or community, are in on the grift, then everything will be approved without issue. Even if a required signer from the community is not read in on a scam, if they are presented with dozens of transactions a day, they are likely to approve each one without question, based solely on their trust in the devs to be doing the right thing.</p><h3 id="h-the-takeaway" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">The Takeaway</h3><p>No matter what security measures are in place, risk can only be reduced, never eliminated. When researching a project, carefully consider what is actually protected by these measures, and what is left to trust in the project’s team. For example, if a portion of every transaction is set aside for marketing or buybacks, what wallet are those funds held in, and who has access to them? If the liquidity is locked, what is the plan for when it unlocks? If the team is anonymous, how have they proven that they have the knowledge and experience to successfully launch and grow a crypto project?</p><p>Essentially, after security measures are considered, do you trust the team with the control that they have left?</p><p><em>Have a question, comment, tip, inside info, or anything else? Email </em><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="mailto:KnowYourCrook@ProtonMail.com"><em>KnowYourCrook@ProtonMail.com</em></a></p>]]></content:encoded>
            <author>knowyourcrook@newsletter.paragraph.com (Know Your Crook)</author>
        </item>
        <item>
            <title><![CDATA[SCAM REVIEW: You’ve Won .38 BTC From Our New Exchange!]]></title>
            <link>https://paragraph.com/@knowyourcrook/scam-review-you-ve-won-38-btc-from-our-new-exchange</link>
            <guid>fo3MtqHqTvJbarZwWfJF</guid>
            <pubDate>Mon, 28 Mar 2022 23:05:37 GMT</pubDate>
            <description><![CDATA[Bottom Line Up FrontIf you receive a random DM from someone you don’t know, congratulating you on winning a giveaway you never entered, from a crypto exchange you’ve never heard of, it’s a scam. If you follow their prompts, create an account on the exchange and enter the given promo code, it will appear as though the funds you “won” are in your account. However, you can’t withdraw or trade them until you “verify your wallet” by depositing a decent amount of BTC. This will, unsurprisingly, res...]]></description>
            <content:encoded><![CDATA[<h3 id="h-bottom-line-up-front" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Bottom Line Up Front</h3><p>If you receive a random DM from someone you don’t know, congratulating you on winning a giveaway you never entered, from a crypto exchange you’ve never heard of, it’s a scam. If you follow their prompts, create an account on the exchange and enter the given promo code, it will appear as though the funds you “won” are in your account. However, you can’t withdraw or trade them until you “verify your wallet”  by depositing a decent amount of BTC. This will, unsurprisingly, result in a loss of funds.</p><h3 id="h-overview" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Overview</h3><p>Unsolicited DMs on Discord, Telegram, and Twitter are a common occurrence if you do not have your privacy settings adjusted to disallow them. I like to leave mine open, however, to catch gems like this. A random account reached out to me with good news: I had won a giveaway from their new exchange!</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/a4dd17809551543da92b99a8f3f620a178e845d3a8a86bdd52f33322df05a4a3.jpg" alt="it&apos;s my lucky day!" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">it&apos;s my lucky day!</figcaption></figure><p>Apparently, I won about $18k worth of Bitcoin, and all I had to do was make an account on their new exchange, and enter the promo code I was sent. Well, why not, right? It’s hard to turn down free money. 
So, (behind a VPN and with a sandboxed browser) I clicked through to their exchange to begin the process of claiming my winnings.</p><p>Things started off like you’d expect, with the site asking for an email and password to create my account. Security measures were minimal, as they had no problem with my email being <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="mailto:a@a.com">a@a.com</a>, and password being 12345:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/2466e85a814a03d102f364966b73390c1b61c27524d3a0fb5bbb96b7761f744f.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>After that, I just had to enter the promo code I was sent for winning their giveaway, and I was in the money:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/4e042d1a3e73dae5280ca294a6871d01a4c410c6a38590b6188d802a7aa95fbe.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>But, when I tried to transfer the BTC I had won off the exchange, I was hit with this:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/6ab43265989b69ec84751e21a78aaeb1e975a98d1b7f6a6683eeaa6407a48d5b.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" 
class="hide-figcaption"></figcaption></figure><p>Ahh, there it is: the ask.</p><p>In order to withdraw or trade the BTC I had “won” on their exchange, I have to first verify my wallet by making a minimum deposit worth a few hundred dollars. Unsurprisingly, if I had done so, the promised funds would not have been unlocked, and the amount I transferred would have been lost.</p><p>Generally speaking, scammers only have three <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://mirror.xyz/knowyourcrook.eth/GqDo96zOK4CGkyLdQlOYs4hHUdi_iDgK-J66S9VG1_E">goals</a>, the most important of which is tricking you into sending them money. For all the window dressing around this particular scam, the ultimate premise is simple: send us money, and we’ll send you more in return. Usually, this type of scam is more blunt:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/39856f2440d9eb4ae984192039d40292e8028a5fce876339f53ba250c8989c1f.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>But sometimes, scammers take the time and effort to dress things up a bit more. 
But, that doesn’t make things any more legit.</p><h3 id="h-the-takeaway" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">The Takeaway</h3><p>If you get a DM, reply, or notification saying you won a giveaway that you never entered, it’s probably a scam.</p><p>If you ever, under any circumstances, are asked to send money in order to receive money, it’s a scam.</p><p>Any time you receive an unsolicited DM or reply with seemingly good news, proceed with extreme caution, because chances are nothing good will come of it.</p><p><em>Have a question, comment, tip, inside info, or anything else? Email </em><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="mailto:KnowYourCrook@ProtonMail.com"><em>KnowYourCrook@ProtonMail.com</em></a></p>]]></content:encoded>
            <author>knowyourcrook@newsletter.paragraph.com (Know Your Crook)</author>
        </item>
        <item>
            <title><![CDATA[Understanding Ponzinomics]]></title>
            <link>https://paragraph.com/@knowyourcrook/understanding-ponzinomics</link>
            <guid>ZdhxomMbXJQvjCVdbmPo</guid>
            <pubDate>Mon, 28 Mar 2022 18:55:21 GMT</pubDate>
            <description><![CDATA[Bottom Line Up FrontRebasing projects promising 6-7 digit APYs require a constant flow of new money buying in to cover for when old money sells. High buy and sell taxes help ensure new investors hold for at least several weeks to avoid selling at a loss, which increases their risk exposure to price fluctuations. While it is certainly possible to turn a profit investing in such projects, it is not likely to happen from APY returns alone. Always do the math, and understand your breakpoints and ...]]></description>
            <content:encoded><![CDATA[<h3 id="h-bottom-line-up-front" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Bottom Line Up Front</h3><p>Rebasing projects promising 6-7 digit APYs require a constant flow of new money buying in to cover for when old money sells. High buy and sell taxes help ensure new investors hold for at least several weeks to avoid selling at a loss, which increases their risk exposure to price fluctuations. While it is certainly possible to turn a profit investing in such projects, it is not likely to happen from APY returns alone. Always do the math, and understand your breakpoints and risk exposure before investing.</p><h3 id="h-overview" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Overview</h3><p>Ponzi Scheme (<em>noun</em>) - an investment fraud that pays existing investors with funds collected from new investors, rather than revenue earned from legitimate business ventures. That is, when early investors want to sell, it’s money from new investors that’s paying them. When this concept is baked into the tokenomics of a crypto project, the results can look too good to be true. I’m going to use <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://safuu.com/"><strong>SAFUU</strong></a> as an example here, but the same principles apply to any such project:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/2f87a7cdba1b04abeece1192fce3c30309c59a16d36d5fc1c218bcb26942c6e0.jpg" alt="Is your &quot;too good to be true&quot; alarm going off yet?" 
blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">Is your &quot;too good to be true&quot; alarm going off yet?</figcaption></figure><p>That’s right, invest just $1k now, let compound interest work its magic, and in one year you’ll be a multi-millionaire! In a strictly mathematical sense, this is actually true. But, it relies heavily on a number of assumptions.</p><h3 id="h-the-assumptions" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">The Assumptions</h3><p>The first assumption, as SAFUU kindly states in their fine print, is that the APY remains static for the year. There are many reasons why an APY may be lowered, usually related to scaling issues as new investors join the project. More holders means more emissions being paid out at each rebase, which can quickly become unsustainable for the treasury.</p><p>The next assumption, which goes unmentioned, is that the price would have to remain static as well. The vast majority of crypto projects don’t last a year before being abandoned and seeing a 99%+ drop in price. Maybe SAFUU (or another like it) will be the rare exception, but the odds are against it. That said, the price could always go up, right? Absolutely! 
But the rise would need to be more than the sell tax, which I’ve seen as high as 25%, and you’d have to be quick to catch it - the majority of projects have one good pump to all time high, then rapidly fall from there.</p><p>The third major assumption relates to the heart of why I call these ponzinomic projects: the treasury (and insurance fund, in some projects like SAFUU) help ensure price stability and project sustainability:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/0a5d2931a17eebc95b854aa4c7bf25896e915750f25468e3f97730c5a3250716.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>These two pools of money are funded by the buy and sell taxes:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/0591587bd3b1c5e9c3ac9445ecb163a3177f91e0d843be439811647869e48195.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>The assumption then is that there will be a sufficient flow of buys and sells to maintain the treasury and insurance fund. As the number of holders increases, the amount being paid out at each rebase will increase as well, meaning the volume of trades will have to increase along with it to maintain equilibrium. If a majority of people opt for the “invest $1k to become a multi-millionaire in a year” approach, this means constantly attracting new buyers. 
If the hype dies down, volume drops, and growth slows, then other measures like lowering the APY will have to be taken, else the project will simply implode as soon as people start selling off.</p><p>This is not to say that every project of this type is a pure scam. It is certainly possible to turn a profit in them, especially if you are one of their earliest investors. Knowing and understanding a few key breakpoints can help better inform your investment strategy, and increase your chances of staying in the black.</p><h3 id="h-break-even-and-2x-breakpoints" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Break Even and 2x Breakpoints</h3><p>Two common milestones in any investment are when you break even, and when you have doubled your initial investment. So, let’s use the <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://app.safuu.com/#/calculator">APY calculator</a> on SAFUU’s website to see when these would happen. We’ll start with a $1k investment, and assume that price and APY will remain fixed:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/6d258bc4233c89833d83b69dbd793573dfeaaa5b2171ea4f8ec0d1223d6b90f7.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>So, 6.43 tokens at $155.73 each gives you your $1k initial investment. But wait, what about that 14% tax on buys? That’s not being reflected in their calculator, and I doubt the omission was accidental. 
Here’s what a $1k initial investment would actually look like:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/8565d8494628f44b8d6a0bb1ec7ad50b268612b43bc60523f0ed7ba479cfaa36.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>You’d have 5.53 tokens, or around $860 worth. Now, taking into account the 16% sell tax, you would have to accrue about $1190 worth of tokens to break even, should you decide to sell everything and walk away. According to their calculator, that would take about two weeks:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/4f0e175b63ab92158cc14e944138f6c761a75ca8cf15e753cfc3672099c70b82.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>Again, this is assuming that the price and APY remained fixed. So, how long would it take to double your investment? Let’s say you wanted to pull your principal investment ($1k), and keep an equal amount in SAFUU to let it ride. 
You would have to accrue $2190 worth of tokens to do so, and it would take right around 42 days:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/5c33d2527f1d0422651e9d4b84dbcc9009c1c474d2ad0952b15ec7b878188aa3.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>So, if you just buy and hold as the conventional (3,3) wisdom suggests for these kinds of projects, you’re looking at 14 days to break even, and 42 days before you double your initial investment (assuming you’re only pulling half, and letting the other half ride). AND AGAIN, THIS IS ASSUMING THE PRICE STAYS THE SAME THE ENTIRE TIME.</p><h3 id="h-the-takeaway" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">The Takeaway</h3><p>Any project offering a 6-7 digit APY relies on a constant flow of transactions to maintain its treasury and insurance pools. High buy and sell taxes help ensure buyers will hold their bags for at least a few weeks, short of any major price spike, to avoid selling them at a loss. While it is certainly possible to make money investing in these projects, especially for the earliest investors, buyers should carefully consider the tokenomics and revenue streams of the project before jumping in. If transaction taxes are the only source of revenue for projects like these, do not expect them to maintain a high token value and APY for very long.</p><p><em>Have a question, comment, tip, inside info, or anything else? Email </em><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="mailto:KnowYourCrook@ProtonMail.com"><em>KnowYourCrook@ProtonMail.com</em></a></p>]]></content:encoded>
            <author>knowyourcrook@newsletter.paragraph.com (Know Your Crook)</author>
        </item>
        <item>
            <title><![CDATA[Anatomy of a Scam]]></title>
            <link>https://paragraph.com/@knowyourcrook/anatomy-of-a-scam</link>
            <guid>ut6j1Zmdn6g92FXh3VUC</guid>
            <pubDate>Mon, 28 Mar 2022 00:03:49 GMT</pubDate>
            <description><![CDATA[Bottom Line Up FrontFor all the myriad ways a scam can be dressed up and presented - from simple Nigerian Prince emails to complex investor schemes - the vast majority of them are ultimately designed to achieve only one of three goals: trick you into sending them money; trick you into sending them enough information for them to take your money; or trick you into giving them login credentials to online accounts. Knowing and understanding these goals makes it significantly easier to identify sc...]]></description>
            <content:encoded><![CDATA[<h3 id="h-bottom-line-up-front" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Bottom Line Up Front</h3><p>For all the myriad ways a scam can be dressed up and presented - from simple Nigerian Prince emails to complex investor schemes - the vast majority of them are ultimately designed to achieve only one of three goals: trick you into sending them money; trick you into sending them enough information for them to take your money; or trick you into giving them login credentials to online accounts. Knowing and understanding these goals makes it significantly easier to identify scams, and avoid falling victim to them.</p><h3 id="h-overview" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Overview</h3><p>For as long as money has existed in any form, there have been people trying to obtain it dishonestly. Even in ancient Greek times, there are records of tax collectors weighing household grain to be taxed on rigged scales, fooling families into overpaying taxes, the excess of which went into the collector’s pocket. As financial systems have grown and evolved over the centuries, so too have the methods and techniques used by scammers to exploit those systems. It should come as no surprise, then, that the rise in popularity of cryptocurrencies and DeFi has led to a massive rise in fraud and financial crime.</p><p>Last year, consumers lost an estimated $5.8 billion USD to fraud, not including additional losses from identity theft. Crypto and DeFi investors fared significantly worse, losing an estimated $14 billion USD to various fraud schemes. Losses in both categories rose nearly 70% from the previous year, highlighting the speed of innovation among scammers. So, what can you do to protect yourself from falling victim to what is essentially a $21 billion industry? 
Start by understanding what scammers want.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/c32c2b7d4625f250b131606fe8b494100f9f946909694f81f9c9a0d2b755ab55.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><h3 id="h-three-objectives-of-a-scam" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Three Objectives of a Scam</h3><p>For all of the different ways a scam can be presented, and for all of the different attack vectors a scammer can use, with very few exceptions they will have only one of three objectives:</p><ol><li><p>Trick you into sending them money</p></li><li><p>Trick you into sending them enough information that they can take your money</p></li><li><p>Trick you into sending them credentials to your online accounts, especially email and social media accounts</p></li></ol><p>The core objective in each of these, and even in the rare exceptions, is clear: to trick you into giving them money, or information (including usernames, passwords, and seed phrases) that they can ultimately monetize. While these goals may seem obvious, scammers often do a good job of burying their objectives within compelling narratives. Let’s explore some examples.</p><h3 id="h-send-me-money" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Send Me Money</h3><p>This goal is pretty straightforward: the scammer, through one means or another, wants you to send them money. 
Sometimes, the ask is pretty blunt (despite the source - more on that later):</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/39856f2440d9eb4ae984192039d40292e8028a5fce876339f53ba250c8989c1f.jpg" alt="Send me money and I&apos;ll send you double back. Sounds legit..." blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">Send me money and I&apos;ll send you double back. Sounds legit...</figcaption></figure><p>Other times, things are a bit more subtle:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/187358d4fd1eca3d229131009330286b1bbf8a2a67c661829e44479b368c5c6d.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/76c42a22284c8b4c70b904560cedc28b067eecb466012ef94dc3ee38424d7cff.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>These are text messages from a scammer I was leading on. He had slid into my DMs saying that he wanted to help me out financially. His offer was an interesting one: he’d send me his bank account information, from which I was supposed to withdraw enough money to pay off my (supposed) credit card debt, plus an additional amount to donate to a few charities he recommended. 
On the surface, this seemed to flip the usual script. After all, <em>he</em> was giving <em>me</em> money first, right? Well, not exactly.</p><p>The bank account info he sent was for a small carpentry business in Oregon. I reached out to the business shortly after receiving the texts, and they (unsurprisingly) had no knowledge of any charitable outreach by the owner. So, what was happening?</p><p>As it turns out, the bank account information for this small company had been somehow stolen by the scammer. Rather than draining funds himself, he decided to try to get someone else to do it for him. The scammer wanted <em>me</em> to drain funds from the bank account, use some on myself, and send the remainder to him via his “recommended charities”. If I did so and a criminal investigation was launched, <em>I</em> would be the one on the hook for theft and wire fraud, while the scammer would be long gone.</p><p>Despite all the hoops and altruistic narratives baked into this scam, at its core the goal was simple: trick the victim into sending the scammer money. Everything else was icing on the cake.</p><h3 id="h-send-me-info-so-i-can-take-your-money" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Send Me Info So I Can Take Your Money</h3><p>Ok Twitter users, time for a little experiment. Regardless of how many or few followers you have, send a tweet with the words “Metamask” and/or “Trustwallet” in it, and see who replies. No need to hashtag anything or @ any accounts, just a plain text tweet will suffice. 
Chances are, within a few seconds of sending the tweet, you’ll have numerous responses that look like this:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/16fcd4fba9c41ff408c65065a73c395360338e8387c6c7272f781d32a6c0b1c4.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>A slew of helpful people and seemingly official accounts sympathizing with your troubles, and urging you to put in a ticket with their “support teams”. So, what do these help tickets look like? For the most part, it’s exactly what you’d expect:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/a7db6e14a9eaab4988839f1de408cc55620d5a5ca19cae963096229969af9e9a.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>A form asking for an email address to contact you at, type of issue you’re having, and so forth. They even have official looking Metamask branding and language. 
But, once you get to the bottom of the form:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/98d1f2540eb415182b7af5af1d1402ba320d45b1b0ded8e82e84b65c4e371c71.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>Ahh, there it is: “Enter the (12 or 24) seed words linked to the affected Metamask wallet”. The request is immediately followed by an assurance that the form is “secured by a Metamask encrypted cloud bot”, whatever that word salad is supposed to mean.</p><p>In the crypto world, seed phrases are the keys to the kingdom. With a seed phrase, a person has unlimited access to your wallet, and can transfer any and all funds out of your wallet with impunity. Giving someone the seed phrase to your wallet is equivalent to giving a person your house keys, car keys, drivers license, debit card, social security card, and passport all at once. That is to say, <strong>NEVER DO IT</strong>.</p><p>Outside of the crypto world, few things are as critically vulnerable to exploitation as a wallet’s seed phrase. But, there are other common pieces of information that scammers will target, including bank account information, social security numbers, and account passwords. Generally speaking, unless you are on a verifiably official website, never, under any circumstances, enter or share any sensitive information. 
If you receive an email or DM about some critical issue with your account (whatever account that may be), open a browser and navigate to the site yourself, rather than following a link in the message you received.</p><h3 id="h-let-me-in-to-your-account" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">Let Me In To Your Account</h3><p>This third goal is more of a supporting function to the first two. By gaining access to your email and social media accounts, a scammer can not only increase the reach of their scams, but improve the credibility of their delivery, which makes them more likely to succeed. Let me explain.</p><p>If I were a scammer, and I wanted to fire off a scam pitch to as many people as possible, I might randomly generate or pick a few thousand email addresses and social media account names to send my pitch to, and hope for the best. Basically, cast a wide net, and see what I catch. But, anyone that receives my message would have no clue who I was, and chances are my message would be scooped up by a slew of spam filters and therefore never be seen. So, how could I get around all that?</p><p>Well, one common way is to borrow credibility from someone else.</p><p>Imagine if a scammer gained access to your Twitter or email account. A random DM asking for money from a completely unknown person would more than likely be ignored, but if it was a DM from a close friend, or someone you follow? Well then, you might be more inclined to help them out.</p><p>Scammers prey on this implicit trust, and exploit compromised accounts to target their contacts and followers. 
This is also why popular social media accounts, especially unverified ones, often have dozens of impersonators:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/27bd09ccf4dbbafb46d503e2a634c769460741b3a009a00a9e18c1117f06589a.jpg" alt="This was the first of several pages" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="">This was the first of several pages</figcaption></figure><h3 id="h-the-takeaway" class="text-2xl font-header !mt-6 !mb-4 first:!mt-0 first:!mb-0">The Takeaway</h3><p>After all is said and done, scammers want your money, and if you don’t give it to them directly they’ll find some other way to take it. Everything else is smoke and mirrors. Knowing and understanding this is your first line of defense. If a situation seems even the slightest bit off, ask yourself two simple questions:</p><ol><li><p>Who started the conversation: Did they email/DM/reply to me, or did I reach out first?</p></li><li><p>Are they asking me to send money somewhere, or for any information that they could use to access my money?</p></li></ol><p>If you were not the one to initiate things, be very cautious with any information you provide, or any links you are sent. Always keep potential motives in mind, and you’ll be ahead of the game.</p><p><em>Have a question, comment, tip, inside info, or anything else? Email </em><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="mailto:KnowYourCrook@ProtonMail.com"><em>KnowYourCrook@ProtonMail.com</em></a></p>]]></content:encoded>
            <author>knowyourcrook@newsletter.paragraph.com (Know Your Crook)</author>
        </item>
    </channel>
</rss>