
NFT Security Guide

NFT Theft Statistics

Over $100 million in NFTs was stolen in 2022 alone. Single incidents in 2021-2022 netted $2.8M (BAYC Instagram), $3.2M (OpenSea phishing), and $2.7M (Evolved Apes rug). Even experienced collectors holding valuable apes lost everything. This guide covers real attacks and the prevention steps that actually stopped them.

Major NFT Hacks: What Actually Happened

April 2022: Bored Ape Instagram Hack ($2.8M)

What happened: Hackers gained access to the official Bored Ape Yacht Club Instagram account (141,000 followers). They posted a fake announcement about a "surprise mint" for BAYC holders with a link to "opensae.io" (note the misspelling). The link looked legitimate because it came from the official verified account.

The attack: Users who clicked connected their MetaMask wallets and signed what they thought was a mint transaction. It was actually a "setApprovalForAll" transaction giving the hacker complete control over their NFTs. 4 Bored Apes, 6 Mutant Apes, and other NFTs were drained instantly.

Total loss: $2.8 million in minutes

Lesson: Never trust links, even from official accounts. Social media accounts get hacked. Type URLs directly.

February 2022: OpenSea Phishing ($3.2M)

What happened: OpenSea was migrating listings to a new version of its Wyvern marketplace contract. Scammers sent emails pretending to be from OpenSea, asking users to "migrate" their listings to the new contract. The emails had perfect OpenSea branding and looked completely legitimate.

The attack: The email linked to a fake OpenSea site that asked for a wallet signature. What users actually signed were marketplace sell orders for their NFTs, which the attacker later completed on-chain. There was no gas fee and no visible transaction at signing time, yet the approvals those users had already granted the marketplace let the orders execute. 17 users lost their NFTs, including rare CryptoPunks, Bored Apes, and Decentraland land.

Total loss: $3.2 million

Lesson: OpenSea never asks you to sign transactions via email. Ever. No exceptions.

September 2021: Evolved Apes Rug Pull ($2.7M)

What happened: Evolved Apes NFT project sold out 10,000 NFTs at 0.3 ETH each. Developer "Evil Ape" promised a fighting game where holders could battle their apes and earn rewards. Strong marketing, active Discord, looked legitimate.

The scam: One week after sellout, Evil Ape deleted the project website, Twitter, and Discord. Transferred all funds from the treasury to personal wallets and disappeared. No game was ever built. NFTs became worthless.

Total loss: $2.7 million

Lesson: Anonymous team + promises of future utility = high rug risk. Doxxed teams can still rug, but it's harder.

January 2022: Frosties Rug Pull ($1.1M)

What happened: Frosties NFT project sold out in minutes. Within one hour, founders transferred the entire treasury to personal wallets and deleted all social media.

The outcome: Unlike most rugs, the founders were actually caught and arrested. Department of Justice charged them with conspiracy and wire fraud. One of the few rug pulls with criminal consequences.

Total loss: $1.1 million

Lesson: Even if founders get caught, you probably won't get your money back.

February 2022: Blockverse Rug Pull ($500k)

What happened: Blockverse promised a Minecraft-based NFT metaverse. Flashy trailer, active marketing, 10,000 NFT collection. Sold out instantly.

The scam: 24 hours after sellout, the team deleted the website, Twitter, and Discord without warning. No metaverse was ever built. Funds gone.

Total loss: $500,000

Lesson: Slick marketing doesn't mean legitimate project. Many scams have better marketing than real projects.

NFT Scam Statistics 2022-2026

Scam Type            Est. Losses 2022   % of Total   Still Common in 2026?
Phishing websites    $45 million        42%          Yes, still #1
Rug pulls            $28 million        26%          Less common
Discord hacks        $18 million        17%          Yes, frequent
Fake support scams   $10 million         9%          Yes, daily
Malicious airdrops    $6 million         6%          Yes, automated
Step 1

Know the Common Scams

Phishing Sites (42% of scams, $45M/year)

Fake websites that look pixel-perfect identical to OpenSea, Blur, etc. When you connect and sign, they drain your wallet instantly.

Real example: "opensae.io" instead of "opensea.io" - one letter different. Cost victims $2.8M in the BAYC Instagram hack.

Prevention:

  • Always type URLs directly or use bookmarks
  • Check EVERY letter of the URL before connecting wallet
  • Never click links from Discord/Twitter DMs/emails
  • Use hardware wallet for valuable NFTs (requires physical confirmation)
  • Check for the HTTPS padlock, but don't rely on it: it only proves the connection is encrypted, and phishing sites get certificates for free
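The "check every letter" rule above, as an added example (not code from the guide or from any wallet vendor): a pre-connect check that compares the page you are on against your own bookmark list, rejects plain HTTP, rejects punycode hostnames that can render as look-alike letters, and flags one-or-two-letter typosquats such as the "opensae.io" domain described earlier. The trusted-domain list is illustrative; the two-label rule for the registrable domain is an assumption that holds for .io and .com but not for suffixes like .co.uk.

```javascript
// Added example: pre-connect URL check. TRUSTED_HOSTS is illustrative; fill it
// from your own bookmarks, never from a link someone sent you.
const TRUSTED_HOSTS = ['opensea.io', 'blur.io', 'etherscan.io'];

// Levenshtein distance, used to spot near-misses like opensae.io vs opensea.io.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return dp[a.length][b.length];
}

// Registrable domain = last two labels (assumption: fine for .io/.com, not for
// multi-part public suffixes such as .co.uk, which need a public-suffix list).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

function checkConnectUrl(rawUrl, trusted = TRUSTED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { verdict: 'REJECT', reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:') return { verdict: 'REJECT', reason: 'not https' };
  const host = url.hostname.toLowerCase();
  // Punycode labels (xn--) can display as Unicode look-alikes of Latin letters.
  if (host.split('.').some((label) => label.startsWith('xn--'))) {
    return { verdict: 'REJECT', reason: 'IDN/punycode hostname' };
  }
  const domain = registrableDomain(host);
  // A subdomain of a trusted site (pro.opensea.io) resolves to the trusted
  // domain. A trusted name buried inside another domain (opensea.io.evil.com)
  // resolves to evil.com and falls through to the look-alike checks below.
  if (trusted.includes(domain)) {
    return { verdict: 'OK', reason: `registrable domain ${domain} is bookmarked` };
  }
  for (const t of trusted) {
    const brand = t.split('.')[0];
    if (host.includes(brand) || editDistance(domain, t) <= 2) {
      return { verdict: 'REJECT', reason: `${domain} looks like ${t} but is not it` };
    }
  }
  return {
    verdict: 'UNKNOWN',
    reason: `${domain} is not bookmarked; verify it on the project's official channels first`,
  };
}
```

UNKNOWN is deliberately not OK: a domain you have never bookmarked gets no wallet connection until you have confirmed it through a channel you already trust, which is exactly the "type URLs directly" rule from the BAYC lesson.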

Malicious Airdrops (6% of scams, $6M/year)

Random NFTs appear in your wallet's "Hidden" section. They look valuable or interesting, and their name, description, or image usually points you to a website to "claim" or "sell" them.

How it works: The airdropped contract cannot reach into your wallet on its own; a contract can only move tokens it has been approved to move. The damage happens when you follow the link the NFT advertises and sign an approval or a marketplace order on that site, or when the token's transfer and burn functions are written to revert, waste gas, or behave in ways your wallet doesn't show. Interacting with the token at all also marks your address as an active, responsive target. The safe assumption is that anything you didn't ask for is bait.

Prevention:

  • Never interact with unexpected NFTs in any way
  • Leave them in "Hidden" section forever
  • Don't try to sell, transfer, or burn them
  • Don't be tempted even if they look valuable
  • Use revoke.cash monthly to check approvals

Fake Support (9% of scams, $10M/year)

You post a complaint on Twitter about OpenSea or MetaMask. Within minutes, "Support" accounts DM you offering help. They ask you to verify your wallet or share your seed phrase to "fix the issue."

Real example: Hundreds of users lose NFTs daily to fake support accounts with names like "@OpenseaSupport" (real is @opensea) or "@MetaMask_io" (real is @MetaMask).

Prevention:

  • Real support NEVER DMs first - EVER
  • Real support NEVER needs your seed phrase - NO EXCEPTIONS
  • Turn off DMs from non-followers on Twitter
  • Block and report immediately
  • Real support happens through official support tickets only

Fake Collections (copycat mints)

Scammers copy popular collection art pixel-for-pixel but deploy under different contract address. List at 50% below floor price to attract buyers.

Real example: Fake Bored Ape collection listed apes at 40 ETH when real floor was 80 ETH. Buyers who didn't verify lost $620,000.

Prevention:

  • Always check blue verification badge (but not foolproof)
  • Verify contract address on Etherscan matches official
  • If price is way below floor, it's probably fake
  • Check project's official Twitter for contract address
  • Look at holder count and volume (fakes have very few)

Discord Server Hacks (17% of scams, $18M/year)

Hackers compromise Discord mod or admin accounts. Post fake mint links in announcements channel. Looks completely legitimate because it's from real admin accounts in the real server.

Real example: Fractal NFT Discord was hacked during their mint. Fake link posted by compromised admin. 373 users connected wallets and lost $150,000 in 30 minutes.

Prevention:

  • Never click mint links from Discord - even from admins
  • Go directly to project website (not from Discord)
  • Check if link is official domain (not shortened URL)
  • Wait 10 minutes after announcement to see if it's deleted (fake announcements get removed quickly)
  • Cross-reference link on project Twitter

Fake Token Offers

You receive an offer on your NFT for 100 ETH when floor is 5 ETH. Sounds great! But the offer is in a worthless token named "ETH" or "WETH" that's not real Ethereum. If you accept, you get worthless tokens and lose your NFT.

Prevention:

  • Only accept offers in real ETH or WETH
  • Check token contract address if unsure
  • Real WETH contract: 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2
  • If offer seems too good to be true, it's fake
Step 2

Secure Your NFT Wallet

The Multi-Wallet Strategy:

Wallet           Use For                          Security
Burner Wallet    New mints, risky sites           Only small amounts
Active Wallet    Regular trading on trusted sites Moderate amounts
Vault Wallet     Valuable NFT storage             Never connect anywhere

Hardware Wallet for NFTs:

  • Store valuable NFTs on a Ledger/Trezor
  • Transactions require a physical button press on the device
  • Resistant to most remote attacks: malware on your PC cannot sign without the device
  • Only protects you if you read the device screen; with blind signing enabled you confirm an opaque hash, and a well-formed approval to the wrong operator still looks valid
  • Can be used with MetaMask for trading
The Vault Strategy

Keep your most valuable NFTs in a wallet that NEVER connects to any website. Only transfer in/out as needed. This eliminates most attack vectors.

Step 3

Verify Everything

Before Buying - Verify:

  1. Blue checkmark on OpenSea/marketplace
  2. Contract address matches official project
  3. Floor price is reasonable (not suspiciously low)
  4. Volume/activity looks legitimate
  5. Official links from project's real Twitter/Discord

Before Connecting - Verify:

  1. URL is correct (every character)
  2. HTTPS padlock is present
  3. Site is official (check on Twitter)
  4. What permissions are being requested

Before Signing - Verify:

  1. What transaction does - read the details
  2. Amount being approved - is it what you expect?
  3. Contract address - is it the right one?
  4. If unsure - DON'T SIGN
"SetApprovalForAll" Warning

If you see "SetApprovalForAll" in a transaction, be VERY careful. It names an operator address and grants that operator the right to transfer every NFT you hold in that collection, now and in the future, until you revoke it. Only approve operators you have verified as the marketplace's own contracts.

Step 4

Daily Safe Practices

DO:

  • ✓ Bookmark official sites
  • ✓ Use a hardware wallet for valuable NFTs
  • ✓ Regularly revoke old approvals (revoke.cash)
  • ✓ Keep software updated
  • ✓ Use strong, unique passwords + 2FA
  • ✓ Be paranoid about DMs and links

DON'T:

  • ✗ Click links from DMs/emails
  • ✗ Connect to unknown sites
  • ✗ Rush into "limited time" mints
  • ✗ Share screens while wallet is open
  • ✗ Use public WiFi for transactions
  • ✗ Trust anyone asking for seed phrase
The 10-Second Rule

Before signing ANY transaction, pause for 10 seconds and ask:
- Did I initiate this?
- Do I understand what it does?
- Is the site/contract legitimate?

This simple pause has saved many people from scams.

If You're Compromised:

  1. Don't panic
  2. Create new wallet immediately
  3. Transfer remaining assets to new wallet
  4. Never use compromised wallet again
  5. Report to marketplace if applicable

Advanced Security: What Saved People

Hardware Wallets Stopped Attacks

In the $2.8M BAYC Instagram hack, several users had hardware wallets (Ledger/Trezor). When the phishing site requested the drain transaction, the device showed the real details on its own screen: a setApprovalForAll to a contract that was neither the BAYC mint contract nor a known marketplace. They rejected it and their NFTs were saved. The caveat: the device only helps if you read what it shows. With blind signing enabled you confirm an opaque hash, and no hardware wallet can tell you that a correctly formed approval is going to the wrong operator. That check is yours.

The Three-Wallet System

Smart collectors use three separate wallets to limit exposure:

Wallet Type      Purpose                          Contents                       Security Level
Burner Wallet    New mints, risky sites           0.1-0.5 ETH max                Hot wallet, disposable
Trading Wallet   OpenSea, regular buying/selling  Active NFTs, 1-5 ETH           Hot wallet with 2FA
Vault Wallet     Long-term storage only           Valuable NFTs, never trade     Hardware wallet, never connects

Contract Checking Saved Users

Users who checked contract addresses on Etherscan before buying avoided the $620k fake Bored Ape scam. The fake collection had:

  • Different contract address (obvious on Etherscan)
  • Created 2 weeks ago (real BAYC from 2021)
  • 23 holders (real BAYC has 6,000+)
  • $3,000 total volume (real BAYC has billions)

Understanding "SetApprovalForAll"

This is the most dangerous NFT permission. When you sign it, you give the operator address it names the right to transfer ALL NFTs you own in that collection, current and future, until you revoke it. One signature, and no per-token confirmation afterwards.

When It's Legitimate

You NEED to sign "setApprovalForAll" to list NFTs on marketplaces. OpenSea needs approval to transfer your NFT when someone buys it. This is normal.

When It's a Scam

Scammers trick you into signing setApprovalForAll to THEIR address instead of OpenSea's. Then they can transfer all your NFTs to themselves.

How to Check

Before signing setApprovalForAll, read the operator address in the request and compare it to the marketplace's published contracts. The addresses this guide lists are:

  • OpenSea Seaport (1.5): 0x00000000000000ADc04C56Bf30aC9d3c0aAF14dC
  • Blur: 0x00000000000111AbE46ff893f3B2fdF1F759a8A8
  • LooksRare: 0xf42aa99F011A1fA7CDA90E5E98b277E306BcA83e

Two caveats. These addresses change when a marketplace upgrades (Seaport has had several versions), so treat any list, including this one, as a snapshot and confirm against the marketplace's official docs and the verified name tag on Etherscan. And the operator a marketplace asks you to approve is not always its main router: OpenSea's NFT approvals go to its Conduit contract (0x1E0049783F008A0085193E00003D00cd54003c71), which Seaport then calls. If the operator isn't on the marketplace's own published list, REJECT. Treat it as a scam.
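The check described in this section and in the "Before Signing" list of Step 3, as an added example (not code from the guide, from any marketplace, or from any wallet): decode the raw calldata a wallet shows under "hex" or "data", work out whether it is a setApprovalForAll, and judge the operator against an allowlist. The selectors are the standard ERC-721 ones; the allowlist holds the addresses the guide lists, lowercased for comparison, and must be maintained by you from the marketplaces' own docs. The `intent` argument (what you believe you are doing: "mint", "list", "transfer") and the 0xdead... address in the usage are assumptions for illustration.

```javascript
// Added example: decode calldata and review a setApprovalForAll before signing.
// Selectors are the first 4 bytes of keccak256 of the function signature.
const SELECTORS = {
  '0xa22cb465': 'setApprovalForAll(address,bool)',
  '0x095ea7b3': 'approve(address,uint256)',
  '0x42842e0e': 'safeTransferFrom(address,address,uint256)',
};

// Operator allowlist: the guide's own list, lowercased. Assumption: you keep this
// current from each marketplace's published contracts and Etherscan name tags.
const KNOWN_OPERATORS = {
  '0x00000000000000adc04c56bf30ac9d3c0aaf14dc': 'OpenSea Seaport 1.5',
  '0x00000000000111abe46ff893f3b2fdf1f759a8a8': 'Blur',
  '0xf42aa99f011a1fa7cda90e5e98b277e306bca83e': 'LooksRare',
};

// i-th 32-byte ABI word after the selector (hex string without 0x).
const word = (hex, i) => hex.slice(8 + 64 * i, 8 + 64 * (i + 1));

function decodeCalldata(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, '');
  if (hex.length < 8) throw new Error('calldata too short for a selector');
  const selector = '0x' + hex.slice(0, 8);
  const name = SELECTORS[selector] || null;
  const addr = (i) => '0x' + word(hex, i).slice(24); // address = low 20 bytes of the word
  const uint = (i) => BigInt('0x' + word(hex, i));
  if (selector === '0xa22cb465') {
    return { selector, name, args: { operator: addr(0), approved: uint(1) !== 0n } };
  }
  if (selector === '0x095ea7b3') {
    return { selector, name, args: { spender: addr(0), tokenId: uint(1) } };
  }
  if (selector === '0x42842e0e') {
    return { selector, name, args: { from: addr(0), to: addr(1), tokenId: uint(2) } };
  }
  return { selector, name, args: {} };
}

// Builds the calldata a marketplace (or a scam site) would ask you to sign.
function encodeSetApprovalForAll(operator, approved) {
  const op = operator.toLowerCase().replace(/^0x/, '').padStart(64, '0');
  return '0xa22cb465' + op + (approved ? '1' : '0').padStart(64, '0');
}

// intent: what you believe you are doing ('mint', 'list', 'transfer').
function reviewBeforeSigning(calldata, intent) {
  const d = decodeCalldata(calldata);
  if (d.selector === '0xa22cb465') {
    const { operator, approved } = d.args;
    if (!approved) return { verdict: 'OK', reason: `revokes operator ${operator}` };
    const label = KNOWN_OPERATORS[operator];
    if (!label) return { verdict: 'REJECT', reason: `approval-for-all to unknown operator ${operator}` };
    if (intent !== 'list') {
      return { verdict: 'REJECT', reason: `a "${intent}" never needs setApprovalForAll; this hands ${label} the whole collection` };
    }
    return { verdict: 'OK', reason: `listing approval to ${label}` };
  }
  if (d.selector === '0x095ea7b3' && !KNOWN_OPERATORS[d.args.spender]) {
    return { verdict: 'REJECT', reason: `single-token approval to unknown spender ${d.args.spender}` };
  }
  if (d.selector === '0x42842e0e') {
    return intent === 'transfer'
      ? { verdict: 'OK', reason: `transfers token ${d.args.tokenId} to ${d.args.to}` }
      : { verdict: 'REJECT', reason: `moves token ${d.args.tokenId} out of your wallet during a "${intent}"` };
  }
  return { verdict: 'CAUTION', reason: `selector ${d.selector} not recognised; read the verified source on Etherscan before signing` };
}
```

The intent check is the part a hardware wallet cannot do for you: a mint that asks for setApprovalForAll is wrong even when the operator is a real marketplace, because minting never requires it.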

Revoke Approvals: Critical Monthly Task

Go to revoke.cash once per month. This shows all active approvals you've granted. Revoke any you don't recognize or don't need anymore.

Why This Matters

When you list an NFT on OpenSea then cancel the listing, the approval still exists. The approval is to a contract, so the risk isn't only a marketplace insider: if that contract is ever exploited, or a phishing site tricks you into signing an order that the contract will execute, the standing approval is what lets the NFT move. Revoking removes that path.

What to Revoke

  • Approvals to contracts you don't recognize
  • Approvals from over 6 months ago
  • Approvals to small/unknown marketplaces
  • Duplicate approvals to same marketplace

What to Keep

  • Active OpenSea approval if you're currently selling
  • Approvals to Blur/Magic Eden if actively using
  • Recent approvals you know you granted
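How a revoke.cash-style tool arrives at the list this section tells you to review, as an added example (not the guide's code and not revoke.cash's): replay the collection's ApprovalForAll events for your address, keep the latest state per (collection, operator) pair, drop pairs whose latest event was a revocation, then flag what the "What to Revoke" list says to flag (unknown operators, approvals older than a cutoff) and build the setApprovalForAll(operator, false) transaction for each. The sample logs are constructed, not real chain data; the collection, owner, and unknown-operator addresses are placeholders, while the OpenSea operator is the one the guide lists. The block age cutoff assumes roughly 12-second blocks, so six months is about 1,296,000 blocks.

```javascript
// Added example: rebuild live operator approvals from ApprovalForAll logs and
// generate the revoke transactions. Sample data below is constructed.
const APPROVAL_FOR_ALL_TOPIC =
  '0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31';
const SET_APPROVAL_FOR_ALL_SELECTOR = '0xa22cb465';

// Placeholder addresses (constructed), except OPENSEA which is the guide's value.
const ME = '0x1111111111111111111111111111111111111111';
const SOMEONE_ELSE = '0x2222222222222222222222222222222222222222';
const COLLECTION_A = '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';
const COLLECTION_B = '0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb';
const OPENSEA = '0x00000000000000adc04c56bf30ac9d3c0aaf14dc';
const UNKNOWN = '0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef';
const KNOWN_OPERATORS = { [OPENSEA]: 'OpenSea Seaport 1.5' };

const pad32 = (hexNo0x) => hexNo0x.padStart(64, '0');
const topicOf = (addr) => '0x' + pad32(addr.toLowerCase().slice(2)); // indexed address
const addrOf = (topic) => '0x' + topic.slice(-40).toLowerCase();

// Shape of an eth_getLogs entry for ApprovalForAll(owner indexed, operator indexed, approved).
function makeLog(blockNumber, collection, owner, operator, approved) {
  return {
    blockNumber,
    address: collection,
    topics: [APPROVAL_FOR_ALL_TOPIC, topicOf(owner), topicOf(operator)],
    data: '0x' + pad32(approved ? '1' : '0'), // non-indexed bool lives in data
  };
}

// Constructed history: listed on A with OpenSea, later approved an unknown
// operator on A (phishing), listed on B then revoked B, plus someone else's log.
const SAMPLE_LOGS = [
  makeLog(15000000, COLLECTION_A, ME, OPENSEA, true),
  makeLog(15000500, COLLECTION_A, ME, UNKNOWN, true),
  makeLog(15001000, COLLECTION_B, ME, OPENSEA, true),
  makeLog(15002000, COLLECTION_B, ME, OPENSEA, false),
  makeLog(15002500, COLLECTION_A, SOMEONE_ELSE, UNKNOWN, true),
];

// Latest state per (collection, operator) for `owner`; only still-approved pairs.
function activeApprovals(logs, owner) {
  const latest = new Map();
  const mine = logs
    .filter((l) => l.topics[0] === APPROVAL_FOR_ALL_TOPIC && addrOf(l.topics[1]) === owner.toLowerCase())
    .sort((a, b) => a.blockNumber - b.blockNumber);
  for (const l of mine) {
    const collection = l.address.toLowerCase();
    const operator = addrOf(l.topics[2]);
    latest.set(`${collection}|${operator}`, {
      collection,
      operator,
      approved: BigInt(l.data) !== 0n,
      blockNumber: l.blockNumber,
    });
  }
  return [...latest.values()].filter((a) => a.approved);
}

// Flags unknown operators and stale approvals; returns one revoke tx per flag.
function revocationPlan(active, { known, currentBlock, maxAgeBlocks }) {
  return active.flatMap((a) => {
    const label = known[a.operator];
    const age = currentBlock - a.blockNumber;
    let reason = null;
    if (!label) reason = `operator ${a.operator} is not a known marketplace`;
    else if (age > maxAgeBlocks) reason = `${label} approval is ${age} blocks old`;
    if (!reason) return [];
    return [{
      to: a.collection, // the revoke is a call on the NFT contract itself
      reason,
      data: SET_APPROVAL_FOR_ALL_SELECTOR + pad32(a.operator.slice(2)) + pad32('0'),
    }];
  });
}
```

Two points worth noticing in the output: the revoke transaction goes to the collection contract, not to the operator, and an operator that still shows as approved on one collection tells you nothing about the others, which is why the plan is built per pair.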

If You Get Hacked: Damage Control

Immediate Actions (First 5 Minutes)

  1. Don't panic: Panicking leads to more mistakes
  2. Work out what was compromised: If you typed your seed phrase into a site or it was otherwise exposed, the attacker controls the whole wallet and every step below applies. If you only signed a malicious approval or order, the keys are still yours; revoking that approval (revoke.cash) is the main fix and the wallet is not burned.
  3. Create a new wallet immediately: Generate a fresh seed phrase. A new account under the same seed is NOT new; it is derived from the leaked phrase.
  4. Transfer remaining assets: Move any NFTs/crypto that weren't stolen yet, most valuable first. Expect a sweeper bot to take any ETH you send in for gas within seconds.
  5. Revoke approvals on the compromised wallet: Worth doing if gas remains, but with a leaked seed the attacker can simply re-approve, so moving assets out comes first.
  6. Never use a seed-compromised wallet again: A seed phrase cannot be changed, so the wallet is burned forever.

Next Steps (First Hour)

  1. Report to marketplace (OpenSea, Blur) - they can flag stolen NFTs
  2. Report to collection's Discord - warn others
  3. File police report if loss is significant ($10k+)
  4. Post wallet address on Twitter - some trackers help
  5. Accept that you probably won't recover the NFTs

Reality Check

NFTs are bearer assets. Whoever holds the keys owns them. Police can't reverse blockchain transactions. Even if scammers are caught, recovering assets is extremely rare. The $1.1M Frosties rug pull resulted in arrests, but victims didn't get refunds.

Red Flags: Project Evaluation

Team Red Flags

  • Anonymous team with no doxxed members
  • New Twitter accounts (created within 3 months)
  • Bought followers (check followers for bots)
  • No LinkedIn profiles or portfolio
  • Won't do video AMAs (afraid to show faces)

Project Red Flags

  • Roadmap with vague promises ("metaverse," "token launch," "land sale")
  • No working product or demo
  • Copied art style from successful projects
  • Rushing mint with "only 24 hours left" pressure
  • Require whitelist through shady tasks
  • Can't explain utility clearly

Community Red Flags

  • Discord full of bot accounts
  • Mods delete questions about team or contract
  • Excessive hype with little substance
  • Influencers promoting it (probably paid)
  • Promise of guaranteed returns

Security Checklist: Before Every Transaction

The 30-Second Security Check

Before signing ANY NFT transaction, verify:

✓ I typed the URL directly or used bookmark
✓ URL is exactly correct (every letter)
✓ I initiated this transaction myself
✓ I understand what the transaction does
✓ Contract address is legitimate (check Etherscan)
✓ If it's setApprovalForAll, it's to a known marketplace
✓ Amount/price is correct
✓ No one is pressuring me to hurry

If you can't verify all of these, REJECT the transaction.

Tools for NFT Security

Important Tools

  • revoke.cash: View and revoke token/NFT approvals
  • Etherscan: Verify contract addresses and transaction history
  • Fire (joinfire.xyz): See what transactions will do before signing
  • Wallet Guard: Browser extension that warns about scam sites
  • Pocket Universe: Simulates transactions before you sign them

Hardware Wallets for NFTs

Wallet                Price   NFT Support                   Best For
Ledger Nano X         $149    Excellent, shows NFT images   Most NFT collectors
Ledger Nano S Plus    $79     Good, no Bluetooth            Budget choice
Trezor Model T        $219    Good, touchscreen             Open source fans

NFTs Protected!

You know how to keep your NFTs safe. Stay vigilant!
