No police to call, no customer support to complain to. Read on to understand why OpSec is *so* important in crypto.
Interested? Scroll to the end of the article for more details!
It was a regular day (Wednesday 15th Sept); I had just come home from a night out with my girlfriend. Bathed and fresh, I checked Twitter for any interesting content to read. Meanwhile, I also checked my Discord; something popped up.
For context: Star Atlas is a blockchain game based in space. Take a look at the trailer; its release is highly anticipated in the crypto gaming community. (Spacebois might enjoy this 🌌). Game items are being released as NFTs, with the current release for their spaceships.
Discord groups (or telegram) are the main way crypto project teams interact with their community, with key information and announcements broadcasted there.
Looking at the Star Atlas notification, the words "You Spoke, we listened!" caught my eye. Ever since they started releasing their spaceships for sale, bots always snap up valuable ships and they often appear on the secondary market for a mark-up. I felt priced out.
This time, the message felt like I was getting rewarded. Without thinking, I clicked on the link. Note that the website above was in a domain (.art), whereas the real one was in another domain (.com). #firstwarningflag
It will be like winning the lottery; these ships were going for 10k to 30k USD a pop.
Again, without hesitating, I clicked the button "Claim airdrop". After all, it's just 0.1 SOL. What's the worst that could happen, right...?
In crypto, you are responsible for making the transaction. Simply put, you need to sign off on the transaction. Some dapps provide an option to auto-approve transactions. Of course, one would only do that if they completely trust the website. I thought my airdrop was legit. So I checked the auto-approve button.
I clicked the link once. Nothing happened. I clicked it multiple times. Nothing happened. Strange, I should have gotten the airdrop by now. Let's check my wallet.
Note: I did not take a screen capture of my wallet that night, but will furnish transaction details below. The below screengrab is taken a few days after.
W.T.F. The amount of Solana tokens I had dropped to 0.26. I had 27 SOL before today. How tf did this happen?
Within seconds, that feeling sinks in. You know, that feeling when you know you screwed up or made a stupid mistake.
Immediately, I check my wallet for past transactions. Could it be just a glitch? Hopefully...
Note: My address is the one blacked out. Transaction 1 shows the transfer of ~99% of my Solana tokens to another wallet.
Transaction 2 (another 99% transfer):
The transactions are already confirmed by the blockchain. The token is gone. The token was priced around $150+, leading to a total loss of around 4k USD.
To reiterate, this chain of events (from seeing the Discord message) happened within a 10 minute time frame. In 10 minutes, I lost 4K USD, or 5.38k SGD at today's rates.
10 minutes. ~4K USD gone. I was the bait. I was the catfish. I was scammed. Don't be like me.
Thankfully, it wasn't life-ruining, and the hacker was only able to steal my Solana tokens, and not the rest. I retraced my steps, and I was certain I didn't divulge any confidential info like my seed phrases. My heart felt only slightly better.
This can happen to anyone, but after being in the crypto scene since 2018, I was quite confident in my crypto OpSec (Operational Security). Making such a rookie mistake was particularly disappointing for me personally.
Hence, in the spirit of sharing, especially with broad-based interest in crypto currencies as part of an average investment portfolio, here are 5 lessons / tips that you should know when doing any sort of crypto activity.
Some of these tips are not related to the scam above, but would go a long way in you securing ownership of your own crypto.
1) DO NOT GIVE ANYONE YOUR PRIVATE KEYS OR SEED PHRASES
This is something you will see repeated throughout your crypto life. It's the most important aspect of OpSec as ONLY YOU (who created the wallet) has the private keys / seed phrases. ANYONE, and I mean ANYONE, can move funds in and out of your wallet if they have your private key.
Any crypto user worth their sats (ha) will tell you that there is absolutely no reason to divulge your private keys / seed phrases. DO. NOT. GIVE. ANYONE. YOUR PRIVATE KEYS. (Except in cases of life or death obviously).
2) Exchange-related tips (e.g., Coinhako, Gemini, Binance)
Many investors probably don't have a wallet outside of the exchange where they buy crypto from. While not ideal (hardware wallets are best), there are measures one can take to prevent unauthorised access to your exchange account.
a) 2FA: two-factor authentication. It's important to note the difference between SMS-based 2FA and app-based 2FA (such as Google Authenticator or Authy). SMS authentication is vulnerable to SIM swap attacks. See here for a comprehensive overview.
b) Yubikey: More established exchanges often allow a physical security key as an authentication factor. This requires you to physically touch the key (as 2FA) to log in. A hacker, even one who had stolen your phone, would be unable to transfer funds out as they would also need the physical key.
3) Use a hardware wallet where possible
Always default to using a hardware wallet where possible. Exchanges can suffer from hacks too, and if the funds stolen are large enough, they may not be able to pay back their users. Not your keys, not your coins. In this case, the exchange owns the wallet, not you. What if they decide to just lock your wallet and not give you your tokens?
If you're actively using desktop wallets for crypto activities, consider diversifying your funds into multiple wallets.
4) Assume all DMs are scams
Almost all crypto project teams communicate with their community via Telegram or Discord. It's an effective approach because it doesn't require your phone number and users from all around the world can mingle together.
It also allows anyone from anywhere to message you via Direct Messages (DMs).
Never trust anybody who DMs you first. Most project teams have their usernames ending with "(won't DM you first)" for that reason. The only people that will DM you are users after your money. If there's a link, NEVER PRESS THE LINK. It is most likely a scam (like the Discord DM that led to this scam).
5) Know your block explorer
Part of being savvy in crypto requires knowledge of transactions and how to read them. Since the blockchain is a public ledger, there are explorers that parse all the blockchain information and make it readable for the average user. Here's a complete guide on how to use those sites.
There's a lot of self-custody in crypto, so if you're willing to venture out to explore other crypto activity (like DeFi), you should at least check whether the address you're sending tokens to is the same as the one displayed in the transaction info you're about to sign off on. A simple example here.
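As an added illustration of tip 5 (and of the review that auto-approve skipped in the story above), here is an example pre-signing check; it is not code from the original post, the wallet addresses, balance and transaction contents are constructed, and the only real identifier in it is Solana's native System Program id.

```python
from dataclasses import dataclass

LAMPORTS_PER_SOL = 1_000_000_000
SYSTEM_PROGRAM = "11111111111111111111111111111111"  # Solana's native System Program id


@dataclass
class Instruction:
    program: str       # program the instruction calls
    source: str        # account debited (empty for non-transfer instructions)
    destination: str   # account credited
    lamports: int      # amount moved, in lamports


def review_before_signing(instructions, wallet, balance, claimed_cost,
                          expected_recipient=None, max_share=0.10):
    """Return the reasons NOT to sign; an empty list means the decoded
    transaction matches what the site claimed it would do."""
    findings = []
    outflow = 0
    for ix in instructions:
        if ix.program != SYSTEM_PROGRAM:
            findings.append(f"calls unfamiliar program {ix.program}: look it up on the explorer first")
        if ix.source == wallet:
            outflow += ix.lamports
            if expected_recipient and ix.destination != expected_recipient:
                findings.append(f"destination {ix.destination} is not the address the site displayed")
    if outflow > claimed_cost:
        findings.append(f"transfers {outflow / LAMPORTS_PER_SOL:.2f} SOL "
                        f"but the site claimed {claimed_cost / LAMPORTS_PER_SOL:.2f} SOL")
    if balance and outflow / balance > max_share:
        findings.append(f"moves {100 * outflow / balance:.0f}% of the wallet balance")
    return findings


# Constructed placeholders (not real addresses) mirroring the story's numbers
MY_WALLET = "MyWalletPLACEHOLDER"
CLAIM_ADDRESS = "AirdropContractPLACEHOLDER"   # what the site showed
DRAINER = "AttackerWalletPLACEHOLDER"          # where the funds actually went
BALANCE = 27 * LAMPORTS_PER_SOL                # 27 SOL
CLAIMED = LAMPORTS_PER_SOL // 10               # "just 0.1 SOL"

honest_tx = [Instruction(SYSTEM_PROGRAM, MY_WALLET, CLAIM_ADDRESS, CLAIMED)]
drain_tx = [Instruction(SYSTEM_PROGRAM, MY_WALLET, DRAINER, int(BALANCE * 0.99))]

if __name__ == "__main__":
    print("honest:", review_before_signing(honest_tx, MY_WALLET, BALANCE, CLAIMED, CLAIM_ADDRESS))
    print("drain: ", review_before_signing(drain_tx, MY_WALLET, BALANCE, CLAIMED, CLAIM_ADDRESS))
```

A real wallet would obtain the instructions by simulating the transaction before approving it; the point is that the 0.1 SOL the site advertised and the ~99% transfer it actually requested are distinguishable before signing.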
Thanks for reading thus far. A vibe check on Seedly tells me that only a few of all crypto investors venture that far out in crypto (most only invest without using it). Nevertheless, I hope you found it useful, especially if you're exploring ways to stretch your coins (by chasing yield).
Interested to invest in Bitcoin, but don't know where to start? Consider signing up for the AMEX credit card (exclusive Seedly & Singsaver deal) to claim up to SGD $365 worth of Bitcoin!
I'm currently partnering with Seedly & Singsaver to help accelerate local adoption of cryptocurrency. It's a movement I feel strongly about. This is perfect for investors who are apprehensive of buying their own crypto themselves, but wish to get some exposure to a strong asset that has proven itself to be a store of value.
Do note that this promotion IS THE SAME as the current #ownthefuture crypto campaign happening right now. Come join the HODL movement 😃
Sign up using the link here, and follow the steps below.
Note: Terms and conditions apply.
SingSaver or Seedly will never ask you for your wallet address nor conduct airdrops. Do reach out to [email protected] for any questions on the campaign.
All my write-ups and twitter threads can be found on my website here.