GCR

They promised us a decentralized utopia. Instead, we got scammed.

Crypto scammers took a record US$14 billion in 2021, according to Chainalysis.

And if you’ve wandered down the rabbit-hole that is Web3 – think crypto, NFTs, DAOs, and the ‘metaverse’ – then you’ve likely found yourself joining a number of communities on Discord servers.

Decentralization and Web3 maximalists often speak to the supportive nature of such communities, quick to point out how welcoming they are of ‘normies’, how community members engage in peer learning, and support each other’s work.

True as that might be, the one thing they often fail to flag is the bottomless pit of scammers who typically plague these servers. 

Crypto Discord

Full disclosure: I was recently on the receiving end of a hack that cost me significantly less than I can afford to lose but was large enough to hurt. 

I visited the Discord servers of several communities that were somewhat implicated in the event – OpenSea, The Sandbox, and LooksRare, among others – and asked how this might’ve happened and whether there might be any path of recourse (there isn’t). I was immediately swamped with direct messages from a handful of folks who at first, appear to be good samaritans simply but quickly become uncanny.

First, they are often unverified accounts.

Second, they have no status in these Discord servers (e.g. they aren’t mods, or accredited contributors to the community).

Third, their command of English, and the way they communicate, is suspect.

Forth, and most telling, they will ask you for your public wallet ID and then ask you to do things like ‘validate your wallet’ by entering your secret phrase into a dodgy-looking third-party website. 

Heck, in many communities I’ve joined, I get DMs almost immediately without even asking any questions. 

What these folks are ultimately doing is trying to gain access to your wallet so that they can transfer all of your hard-earned assets to their own wallets, never to be seen again (well, except for on the public blockchain, where you can see the random string of characters that represents the anonymous entity that stole your assets).

“Not Your Keys, Not Your Wallet”

Oh, but wait – don’t say “my crypto was stolen” in front of a Web3 maximalist because they’ll quickly dismiss your grievance and tell you, “not your keys, not your crypto”.

 “You must’ve compromised your wallet, so it’s your fault” you’ll hear. 

Well, the definition of ‘steal’ is to take one’s property without permission or legal right and without intending to return it, so as far as I can tell, stolen is an apt description.

It’s hard to imagine customer service at Wells Fargo snarkingly telling you “not your credit card number, not your money!” after your account has been raided for tens of thousands of dollars. Sure, the infrastructure is different, and funds can often be recovered, if not guaranteed by governments, but the douchebaggery with which crypto-maximalists often treat victims of hacks is simply that.

So much for that supportive community.

There are myriad ways our wallets can become compromised – digital storage of our secret phrase, malware or spyware installed on our machines, falling victim to phishing scams, giving access to questionable dApps, and more. And as the sophistication of attacks gets better, more and more folks will see their assets cleared.

Trust is Paramount to Progress

If Web3 builders are serious about replacing the existing financial system, then this simply won’t do. Trust is paramount, and the moment somebody gets hacked once, the likelihood that they will want to continue investing and playing in the space of Web3 dwindles significantly.

It’s a little like getting cheated on. Relationships often fall apart after trust has been broken. And the same is true of crypto.

And until this is resolved, regulated financial services institutions will always have a much stronger upper hand and will continue to be the dominant players in the finance world (the S&P500’s financial services sector still accounts for over 97% of the United States’ financial services industry, with decentralized finance, or DeFi, representing less than 3%). 

How to Proceed with Caution

But, despite all of this, if you, like me, are still wandering down the Web3 rabbit hole, and are still optimistic about its future, then there are some things you can do to increase your safety, until such time that security improves and/or crypto insurance products come along.

The following is a non-exhaustive list of steps you can take.

1. Turn direct messages off in any Discord server you join
2. Don’t store your secret phrase digitally
3. Store your secret phrase on paper, preferably in a safe – if you want to go to extremes, store half of it in one safe in one location, and the other half in another safe in another location
4. Remember your secret phrase
5. Don’t give anyone your secret phrase
6. Consider storing your assets across several wallets so that if one is attacked, you don’t lose everything. 
7. Store popular assets such as ETH or BTC in regulated and local custodial wallets, such as Coinbase or Coinspot, where your identity is kept, and two-factor authentication (2FA) is in place
8. Transfer assets to a hard wallet such as Ledger or Trezor
9. Run malware, key logger, and spyware scans regularly with reputable software
10. Consider using one computer just for trading
11. If something looks questionable, it probably is – abort!
12. Consider setting up a multi-signature wallet
13. When signing transactions, check the contract ID and make sure it’s representative of the transaction parties. 
14. Check with dApps you’ve given access to at etherscan.io/tokenapprovalchecker
15. Don’t invest more than you can afford to lose

Most of all, proceed with caution. 

While we might’ve normalized the relative security and financial guarantees with which we’ve navigated web2 and gladly entered our credit card details into hundreds of websites over the years, Web3 is still the wild west where the same rules don’t apply. 

Attention: Discord Server Moderators

If you truly care about your community, you should consider?—?if you aren’t already?—?taking the following simple steps to protect their welfare.

1. Vet new members
2. Establish a channel to report scammers
3. Respond to questions in #support fast, otherwise disgruntled folks will seek out support through their DMs (this is especially true of well-funded organizations such as Sandbox and OpenSea who should have 24/7 support)
4. Have stringent verification processes in place
5. Encourage users to turn off DMs for the server after they’ve verified
6. Bait scammers into DMing you, by setting up bogus accounts to publicly declare “my wallet was compromised, please help”

Apple wouldn’t let their customers get scammed in their stores, and neither should you.