
What I’ve Learnt From Being Hacked On Web3

“We are being shown unrealistic success stories but not being given nearly enough education around safeguarding ourselves, especially as women in the space” - learn from this writer’s mistakes and watch out for these scams…

By Tijana Tamburic

5 April 2022

I’ve been investing in crypto since 2018. I have a handful of friends that are deep in the space and I learn from them on a weekly basis.

I’d started dabbling in Discord’s Web3 communities a few months ago. I was joining small groups and even started my own with a friend. Arcaya was a space for women currently working in Web2 to meet each other and learn in a jargon-free and friendly environment. We were hosting lives on Discord to teach women how to use the platform and what Web3 even was.

I'd listened to hundreds of podcasts and read dozens of articles. I’d played in Decentraland and Sandbox.



Most recently, I had decided to take the creative plunge into the space myself and create a collaborative NFT project with some talented friends. It took us months of work, preparation and all our pooled skills and know-how. Plus it was all about love: 22 digital roses for Valentine’s Day 2022. We were midway through a one-month auction process and had sold almost half the pieces, through painstaking marketing and sales. We were doing well, as first-timers.

I felt excited and optimistic about the space. I was navigating my way around. I knew what I was doing.

One of my deep-in-Web3 friends said he was launching an NFT mint for his new project and that if I wanted in, he would add me to the pre-sale list. I didn’t need to do anything, I’d just be added. He said that on Tuesday 1st March, at 12:00, the mint would be live.

I checked out the Discord group for his NFT project, but it was bigger than any group I had been in before: thousands of people all sending what felt like millions of messages. The amount of information and channels was overwhelming.

I slowly found my way round, learnt a bit more about the project and said yes - I’d like to buy one of his NFTs and support his idea. Why not?

He said not to stress about all the chaos on the Discord and to just check back in at the time of the sale.

12:00, 1st March

I had just landed from LA on a red-eye and had back-to-back meetings on the hour, every hour. As soon as I had a spare five minutes, I jumped into the Discord group. The group, as always, was chaos, full of thousands of messages; I couldn’t work out what was most important.

A DM cut through all the noise of the message boards, and I gravitated to it. It felt like a logical way to get an important message across to everyone and my brain found it easier to process than wading through the channels of chats. It made sense. I clicked the link and it looked as I expected it to. It was streaming their Twitter feed, it showed the pieces being sold on OpenSea: this was it.

I was in a rush, so I quickly clicked through all the steps to buy one, signed the MetaMask agreement whilst keeping an eye on my incoming emails, and bought the NFT.

12:30

I pinged my friend a message to let him know that I had got one.

“We’re having some issues so they’re not actually live yet”, he replied.

It transpired their Discord had been hacked and a scammer had sent that message out from the founder’s profile. When I started scrolling deeper through the Discord, I saw that dozens of people were in my position but also that we had committed a cardinal sin of Discord and trusted a DM. Discord DM scams are rife, especially around NFT mints, but I had only ever been in small Discord groups and had never received a scam like that before.

I thought to myself: ah, I have lost the money I spent buying what I thought was an NFT. This is a slap on the wrist and a reminder to go slower and always double and triple check. I shouldn’t have rushed. I should have asked my friend before I paid.

Alas, I will learn from this mistake, and all I lost was a bit of money on this fake NFT.


If ONLY that was it…

I checked my MetaMask and all the money I had (about $350) in the wallet was gone.

There is a thing on MetaMask called ‘connected sites’ - dapps and sites that have access to your account. You can have many things connected, some are ‘view only’ in that they only have access to view the information about your wallet, but some have full access so that you can easily move your money in between. I had given something unknown access to my account. I immediately permanently disconnected it from the list…but it was too late.

MetaMask is what’s known as a ‘hot wallet’ and not somewhere you should keep all your money, so I only had the $350. I saw it as carrying cash around - something that, if worse came to worst, wouldn't be a nightmare to lose.

I would learn from this mistake too.

But things got even worse…

23:00

I spent the evening stressed and frazzled about the situation, learning things I wish I had known that morning. I even noticed that people in that NFT Discord were offering to help me, only for me to discover they were ALSO scammers and trying to hack me further. There really is no limit to scamming right now. As humans we default to truth, but in this space I’m learning you have to default to healthy speculation about everything.

I went to bed exhausted and overwhelmed; dizzy from the jetlag and the work and the experience, and then I had a thought: What about the money in my OpenSea?

Remember my NFT project about love? It was in the middle of a one month auction time, selling in Polygon, but was connected to that same MetaMask. Could they?...

No way. It seemed somehow impossible to me - they were totally separate things, or were they?

So I got out of bed, logged into OpenSea, went into my Polygon wallet and sure enough: $0.

Via my MetaMask connected sites they had accessed my OpenSea and taken all the money from my collaborative art project. Thousands of dollars.

How could I break this to the team? I hadn’t imagined this was possible. I was truly devastated.

8:00 2nd March

The following morning I opened Instagram and saw what I had been getting served more and more of recently: reels of women pointing to dates on a screen: ‘2017 I bought my first crypto’, ‘2018 I invested more’, ‘2019 I bought a house’... ‘2022 I’m a millionaire’.

It was infuriating. We are being served these unrealistic success stories but not being given nearly enough education around safeguarding ourselves, especially as women in the space.

In those next few days I learnt so much about scams, hacks and things like: you can’t just move your OpenSea Collection to a new wallet - it is inextricably linked to the wallet it was created with, even if that wallet becomes compromised.

Effectively meaning your project is ruined (I’m sure someone, somewhere is working on a solution for this glaring problem, but the fact that it’s the current setup is mind-boggling). What started as losing a bit of personal money turned into destroying an art project people had put time and energy into and others had paid good money to support. And it all happened in about 15 minutes.

Because of blockchain I was able to see the transactions of my money moving from my account to the scammer’s account and then into other accounts but there was nothing I could do about it.

Nowhere I could report it to (I tried everything and looked everywhere). The point of crypto is that you are sovereign, and as regal as that might sound it just means you are in charge of protecting yourself and if something gets taken, it’s because your own walls weren’t high enough and there’s no way to get it back. It’s gone.

I also learnt that people are at different stages of the self-education journey in Web3, and you should never assume someone knows as much as you, nor skip steps yourself.

I felt fortunate to know all these people working so many leagues ahead of me. It was helping me fast-track, jump lines, know niche things, but it also meant I had skipped some vital learning curves.

I didn’t really need to do due diligence on that Discord group because I trusted my friend - and my friend in turn assumed that I had done an NFT pre-sale MINT before and knew to watch out for scammers and how they might appear. ‘Assume’ really does make an ‘ass’ out of ‘you’ and ‘me’.

All the things I learnt over the next days and weeks I wish I had known sooner, and it’s a horrible twist of fate that you only learn them after bad things happen, so I wanted to share them with you now so that hopefully, it doesn’t happen to you.

Here are, from what I noticed, the top 3 ways people are currently scamming:


DIRECT MESSAGES

If you’re on Discord, immediately disable your DMs. There are so many scams happening that it’s just best to avoid them entirely. It takes three clicks. Do it now. Even if you think you won’t fall for a scam (like me) someone can catch you right in a moment when you’re rushed or not concentrating or are expecting an update from a channel.

Also beware of anyone you don’t know sending you a friend request.

Also beware of anyone who says they can help you with a scamming issue or help you get money back after a hack. I learnt the hard way that it’s possible they’re trying to scam you further.

Look for official announcements in-server instead, created by the founders or moderators. This will be the only source of accurate information. Spend several days in the channel navigating and reading and triple check and ask around in the channel chat before you pay for anything. The same applies for Instagram, Twitter, Facebook or literally anywhere DMs are possible.

Crypto influencer Lea Thompson has had people create fake versions of her account and message her friends with scams.

AIRDROPPED CONTENT

Scammers will try to simply drop an NFT into your account, often with something like ‘unlockable content’ in the name, to entice you to explore your “gift”, which usually has some kind of trick to access your wallet key.

Unfortunately (from my knowledge) you can’t get rid of these. Just don’t even open them and leave them ‘hidden’.

You could also be airdropped tokens - or a small amount of ETH directly into your wallet with an encouragement to click a link to access the rest. Anything that requests your secure key is a scam.

I’ve also heard of more complicated variations where they send you an unknown token - and when you move it to your trading account to exchange it into a currency you know of, they somehow have access via the tokens themselves into your exchange account.

CONNECTED SITES

There are many sites your wallet will need to connect to over time: Etherscan, PolygonScan, OpenSea, collab.land, etc, etc. They will all ask you to sign to grant them access to view your wallet or suggest transactions for you.

This is fine, if the site is real.

The fakes can look exactly the same and pop up an extra question: “to verify connection please enter your secure key” - or something along those lines. This is fake; real connected sites would never ask for this.

The way to always quickly check you’re on the real site is the URL. Are you on metamask.io or some dodgy-looking URL?

You should also practice ‘locking’ your MetaMask - so that when it’s not you logged in nothing can happen, and weekly have a check of your connected sites just to make sure there isn’t anything suspicious in there. Prepare in advance by checking out your wallet’s safety options and guidelines.
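The “are you on metamask.io?” check above can be made mechanical. The helper below is an added example written for this article, not MetaMask’s or OpenSea’s code; the allowlist is an assumption built from the sites this section names, and it flags the common lookalike tricks (a trusted name used as a subdomain or hyphenated label of another domain, internationalised labels, plain HTTP) instead of just saying yes or no.

```javascript
// Added example, not from the article: check a URL before connecting a wallet.
// ASSUMPTION: the allowlist holds the sites this section names; extend it with
// the dapps you actually use. "Registrable domain" here means the last two
// labels, which assumes none of them sit under a two-part suffix like .co.uk.
const TRUSTED_DOMAINS = new Set([
  "metamask.io", "opensea.io", "etherscan.io", "polygonscan.com", "collab.land",
]);

function normaliseHost(hostname) {
  return hostname.toLowerCase().replace(/\.$/, "");
}

function registrableDomain(hostname) {
  return normaliseHost(hostname).split(".").slice(-2).join(".");
}

// Verdicts: "trusted" (allowlisted), "suspicious" (resembles a trusted site but
// is not one, or weakens transport), "unknown" (neither). A reason is returned
// so the user sees *why*, which is what makes a phishing replica recognisable.
function checkSiteUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return { verdict: "unknown", reason: "not a valid URL" }; }
  const host = normaliseHost(url.hostname);
  const domain = registrableDomain(host);
  if (url.protocol !== "https:") {
    return { verdict: "suspicious", reason: `not HTTPS (${url.protocol})` };
  }
  // Punycode (xn--) labels can render as homoglyphs of a trusted brand name.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { verdict: "suspicious", reason: "internationalised (xn--) label in hostname" };
  }
  if (TRUSTED_DOMAINS.has(domain)) {
    return { verdict: "trusted", reason: `${domain} is on the allowlist` };
  }
  // Trusted brand buried in another domain, e.g. opensea.io.<other>.example
  // or metamask-io.example: split on dots and hyphens and look for the brand.
  const words = host.split(/[.-]/);
  for (const trusted of TRUSTED_DOMAINS) {
    const brand = trusted.split(".")[0];
    if (words.includes(brand)) {
      return { verdict: "suspicious", reason: `mentions "${brand}" but registrable domain is ${domain}` };
    }
  }
  return { verdict: "unknown", reason: `${domain} is not on the allowlist` };
}
```

An "unknown" verdict is not a pass: it means the site is simply not one you have vetted yet, and is a prompt to do the slow check in the server’s official channels before signing anything.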

My biggest learning from this experience is a big reminder that Web2 is not like Web3 in terms of our attitudes and wired habits.

We need to reprogram the way we are used to behaving online…

1

We’re used to one of our apps needing an upgrade, and just clicking yes-yes-yes-yes to get it up and working as soon as possible. This happened to me last week when I was about to join a Zoom meeting but it said I needed to upgrade - I just wanted to get on the call, so I clicked as fast as possible to get myself there.

Never move this fast with new Web3 dapps and protocols. Read it all, understand it all, know what you are signing. It could also be a scam - something pretending to be an upgrade that actually makes you sign away access to your wallet.

2

We’re used to a banking system where if someone does hack your account and steal money, you call your bank and tell them it wasn’t you and they’ll most likely refund you and then protect your account.

In Web3 that responsibility is yours. You are sovereign. Which sounds regal, but actually means there’s nothing anyone else can do for you when your money is gone, and no way to re-secure your account if they have access. You just have to ditch that wallet and make a new one.

This is not something we are used to, which means we can find ourselves being quite relaxed when making payments; we aren’t used to the repercussions of losing not just that money, but all our money, and perhaps art in connected sites or even our identity that is tied to that wallet.

This is totally new ground. (The other weird side note is that the compromised account doesn’t get deleted or closed. It just lives on forever. I’m not sure how this works on a sustainability front if billions of accounts forever exist in the ether, but this is a separate problem for another day).

3

If your email is hacked you can usually request to change the email on file to a different one for most of the service providers you use online. To update your Amazon email you just go into settings and request an email change. Because ultimately: you are the person that has the identity, and you can change your email and still exist.

Not in Web3.

Your wallet IS your identity. So if that wallet is connected to, say, OpenSea and you have collections of NFTs there, if your wallet is compromised, you can’t just switch your OpenSea to connect to a new wallet. No. It’s stuck, connected to that wallet and nothing else. So everything you made in that account is compromised, unless you want to pay the gas fees to move your art to a new collection page, tied to a new wallet address. All the current options are messy and expensive.

4

The scams are simply WAY better. This isn’t a poorly written email from a dodgy account asking you for your bank details. These can be exact replicas of entire websites you often use, fake accounts of your friends DMing you… It’s endless. Don’t have the mindset of “I’m smart, I’m internet savvy, they can’t trick me” like I did.

5

When faced with a choice between looking through reams of content in a Discord group or one simple DM of two sentences, our brains default to the DM. It’s less work. It cuts through. We are used to DMs being much more personal and important than, say, the comments section on someone’s Instagram post. They’re easier to process and somehow have a false intimacy. I fell for this.

Learn from my mistakes. As women, we are used to being locked out of conversations and networks, and Web3 is the same story. It’s on us to educate ourselves around safeguarding and scams like these. Web3 already has women at a disadvantage, let’s not allow ourselves to be susceptible to scams whilst we fight to carve out our own paths within the space.
