After a non-fungible token (NFT) selling a cybersecurity exploit and a NFT marketplace getting hacked, another common specter of the cryptocurrency world has taken root in the NFT ecosystem – scams.

According to new research out today from Bolster, a deep learning-powered fraud prevention platform, five areas of scams or frauds are booming along with the NFT bubble. These include replica NFT stores, fake NFT stores, counterfeit or fraud NFTs, fake airdrops and NFT giveaways, and social media scams. 

“Cryptocurrencies and NFTs have attracted the attention of cyber criminals,“ said Bolster CTO and co-founder Shashi Prakash in an email. “Anybody who is participating in these markets must be super vigilant because there are very few protections for people who get scammed.”

The new research from Bolster highlights the explosion in volume and reach of scams alongside NFTs’ rapid rise to prominence. 

For example, replica stores, a well-honed tactic in the world of online fraud, are regularly spun up to look exactly like legitimate websites. Scammers generally try to grab users' login credentials or credit card details. In March, Bolster found the “number of suspicious-looking domain registrations with names of NFT stores like 'rarible', 'opensea', and 'audius' have increased nearly 300%” when compared to previous months, according to a blog post accompanying the research. 

Fake NFT stores are akin to replica ones but don’t rely on proven brand names; rather, they take advantage of the frothy nature of the NFT market generally. Instead of replicating NFT marketplace OpenSea, for example, these fake stores use non-affiliated logos and content to sell non-existent NFTs. 

Before a fake or replica site can be created, a domain has to be registered for it. Bolster identified a rapid rise in suspicious domain registrations using words such as “crypto,” “nft,” “market'' and “trade” from February to March of this year. Domains registered using combinations of these terms increased from 250% to over 300% leading up to March 13. 

Bolster also suggested that given the high-level sale of a Banksy-styled NFT that was unaffiliated with Banksy, counterfeit or fraudulent NFTs should continue to spread, noting increases in suspicious domains such as banksynft[.]com and banksynfts[.]com. 

Another prominent, and perhaps the most damaging, scam tactic involves airdrops, a common marketing strategy used by crypto projects. An airdrop is basically when a project gives away its tokens or coins for free to increase the user base and incentivize people to participate. 

But they are also ripe for imitation. 

“The most damaging scam was the fake giveaways of Rarible tokens,” said Prakash. 

In this giveaway scam involving the NFT marketplace Rarible, visitors to a fake domain were encouraged to send their RARI tokens to a wallet address with the promise they would be sent exponentially more in return as part of a giveaway to encourage cryptocurrency adoption.  

“There is no free money, but people just cannot seem to resist the opportunity to get something for nothing, said Prakash. “This continues to be one of the most common scams for NFTs and cryptocurrencies.”

According to Bolster, the company detects “thousands of these every month.”

Social media scams were the final trend Bolster identified for NFTs. On social media platforms like Telegram and Discord communities for projects congregate and communicate, often sharing information, vetting ideas and communicating updates. 

“On both these channels, scammers set up groups targeting almost all the brands in the crypto space,” read the blog post accompanying the research. “Most of these groups claim to be the 'official support’ or 'official community’ of the targeted brand.”

Prakash said users should be cautious when being sent links to groups such as these, and even a simple search on Google or Twitter can help people suss out what is legit and what isn’t. 

Beyond the basic Google search, there are additional steps people can take to make sure they don't become victims of scammers. 

Prakash recommended doing a reverse image search on an NFT to make sure it is not showing up on other NFT exchanges/markets. He also said to make sure the site from which you’re purchasing is legitimate: Don’t click on links sent by email or social media to get to the site. Finally, use two-factor authentication or physical token generators, or device-based authenticator apps to protect your username and password. 

In the seemingly first NFT heist of its time, users’ accounts on NFT marketplace Nifty Gateway were taken over by a hacker and their NFTs were stolen. None of the accounts compromised had two-factor authentication enabled. 

“People interested in NFTs need to do their diligence and research the apps and services they plan to use,” said Prakash. “Nobody else is doing that for consumers, so the burden really falls on the individual to protect themselves.”