
Staying safe in DeFi — top tips on scam identification, Telegram and Discord safety, and how to deal with compromised wallets

By Dave from Bogged | Bogged | 6 Apr 2022


One of DeFi’s premier features is its decentralization; unlike your local bank, anyone can take part. There are no credit checks, KYC checks or documents required to get started with DeFi loans, savings or investments.

However, this decentralization means that there are no protections in place in the unfortunate case of somebody being the victim of a scam or hack. A centralized bank may be able to recover lost funds by freezing transactions or by stopping attackers from accessing an account, but this is almost always impossible in DeFi.

Thankfully, many large DeFi applications are robust and secure, and DeFi users can easily avoid being compromised as long as they follow a small number of common-sense rules.

 

4 Rules for DeFi Safety

Rule 1: Never, ever reveal your seed phrase.

This is the most important rule for keeping your DeFi wallet secure.

A seed phrase is a unique series of words given to you when you set up a new wallet, and it is the master key to that wallet. Anybody with this phrase can do whatever they please with your funds, so ensure you keep it as safe as possible.

 

How do I keep my seed phrase safe?

  • Never store it as plain text on a computer, and never take a digital photograph of it. Hackers can easily infect computers with malware that scans for seed phrases.
  • Legitimate DeFi applications will never ask for a seed phrase. Do not enter your seed phrase into any website/app, no matter how legitimate it may look.
  • Be wary of phishing messages from people pretending to be customer support. (See below for more information.)

I think somebody has my seed phrase! What should I do?

Please read the steps at the end of the article on what to do when compromised.

 

Rule 2: If someone offers you money, but you need to send them money first, then it’s ALWAYS a scam.

A very common technique used to steal people’s funds is the “money doubling scam”.

It comes in various forms, but the typical format involves someone saying that you can double/increase any funds that you send to a person or address. THIS IS ALWAYS A SCAM.

No legitimate promotion will require you to send funds before claiming a prize!

Image: a YouTube video claiming to give away free Cardano.

A typical money doubling scam; note how they use official branding and a copy of a livestream to appear authentic.

Rule 3: Use caution and common sense when interacting with contracts.

Contracts are the way DeFi applications (Dapps) like bogged.finance or ApeSwap interact with a user’s wallet.

Contracts have many legitimate uses, like swapping tokens, creating limit orders or allowing access to your staked funds, but it’s important to be careful when signing one.

The most common way of signing a contract is by clicking on a “confirm” dialogue button in a wallet application.

Before signing a contract, it may be wise to ask yourself the following questions:

  • Why is this Dapp asking me to sign a contract? If the signature request pops up and you didn’t expect it, or you don’t know why it appeared, then it may be malicious.
  • Is this Dapp reputable? It’s very easy for scammers to create a Dapp pretending to offer a service/feature. It’s therefore advisable to only use reputable and established sites/Dapps when signing contracts. Be extremely careful with newly launched Dapps with small userbases.
  • Is this Dapp what it says it is? If you click on a phishing link, you may end up on a site that looks like a reputable one (for example a recognisable swap interface). Always double check URLs, and never follow unsolicited links.

 

 

Rule 4: Never interact with tokens that appear in your wallet without your knowledge. (Airdrop Scams)

Airdrop Scams are when tokens, often with a URL as a name, are sent to a victim’s wallet. These tokens often have absurdly high dollar values to make them stand out if a victim uses a portfolio tracker.

There are a few ways the scam steals funds, but they can all be avoided by simply not interacting with the dropped tokens.

  • Do not try to sell any unknown tokens. Scammers can use tokenomics to enact absurdly high taxes or gas, which can drain the victim’s funds.
  • Do not visit any URLs related to unknown tokens. As discussed above, scammers can use malicious Dapps to remove funds.
  • Do not send unknown tokens to a secondary wallet or somebody else’s wallet. Doing so can expose your other wallets to further phishing attempts, or the recipient could fall for the scam.

Your wallet is not compromised by an airdropped token’s presence, but interacting with it can make your wallet vulnerable.


Phishing: What it is and how to recognise it. Staying safe in cryptocurrency Telegram and Discord groups.

Phishing is a type of social engineering designed to steal user data. It comes in many forms, but in the DeFi space it has a few typical features; we’ve gathered a few examples below.

 

Admin/Customer Support impersonation

This is one of the most common attacks that the bogged.finance team has seen. Scammers lurk around community channels looking for victims with genuine issues, and then DM (Direct Message/Private Message) that victim from an account designed to closely resemble official accounts. From there they will try to build trust, then scam the victim, usually by asking for a seed phrase or a support fee.

How do I avoid this?

  • Reputable organisations will not initiate conversations with customers. You may have seen community admins emphasise this by putting (Will not DM) or similar in their tags.
  • Reputable organisations will not ask for seed phrases. There is no instance where anyone will need this kind of access to your wallet to deal with an issue.

 

Link Hijacking

This is where scammers use links that closely resemble legitimate ones to dupe victims into thinking they’re using a reputable Dapp. Scam links can be found in too many places to list here, so it’s always best to use the advice below to avoid getting misdirected.

How do I avoid this?

  • Do not click on links in unsolicited correspondence.
  • Do not click on shortened links.
  • Be wary of links sent from contacts that seem out of character; their account may have been hacked.
  • Enter URLs directly into your browser instead of using search engines, as scammers can buy ads or use bots to boost their malicious site above the legitimate one.

Image: example of a fake search result. The official website is pancakeswap.finance.
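One mechanical way to apply the “always double check URLs” advice is to compare a link’s host against a short allowlist of sites you actually use. This is an added Python example, not code from the article or from Bogged; the allowlist is constructed for the example (only pancakeswap.finance and bogged.finance appear in the article) and the lookalike patterns it flags are the ones described in this section.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the registrable domains the reader trusts.
# Only pancakeswap.finance and bogged.finance appear in the article; add your own.
OFFICIAL_DOMAINS = {"pancakeswap.finance", "bogged.finance"}


def classify_link(url: str, allowlist=OFFICIAL_DOMAINS) -> str:
    """Classify a link as 'official', 'lookalike' or 'unknown'.

    'lookalike' covers the patterns behind hijacked search results and phishing
    DMs: an official name buried in a longer host (pancakeswap.finance.example.org),
    separators swapped or dropped (pancakeswap-finance.com), user@host tricks, and
    internationalised (xn--) or non-ASCII hosts that can hide homoglyphs.
    """
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "unknown"
    # An exact match or a real subdomain of an allowlisted domain is fine.
    for official in allowlist:
        if host == official or host.endswith("." + official):
            return "official"
    # "https://pancakeswap.finance@evil.example" puts the trusted name in the userinfo.
    if parts.username:
        return "lookalike"
    # Punycode or raw non-ASCII labels: treat as homoglyph risk.
    if "xn--" in host or any(ord(c) > 127 for c in host):
        return "lookalike"
    # Collapse separators so pancakeswap-finance.com and pancakeswapfinance.net match.
    flat = host.replace("-", "").replace(".", "")
    for official in allowlist:
        brand = official.split(".")[0]          # e.g. "pancakeswap"
        if official in host or brand in flat:
            return "lookalike"
    return "unknown"


def audit_links(urls):
    """Return only the links a user should not follow (hypothetical helper)."""
    return [(u, classify_link(u)) for u in urls if classify_link(u) != "official"]
```

A result of “unknown” is not a green light; it only means the host does not resemble anything on your list, so the rules above about unsolicited links still apply.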

 

Fake Investment Programs

This scam is commonly seen on Discord. A victim will typically receive an unsolicited DM from somebody claiming that they can invest a certain amount of the victim’s money for massive profits. Naturally, these scammers always take the money and run.

How do I avoid this?

  • If it’s too good to be true, then it’s a scam. Anybody with a surefire investment strategy certainly isn’t selling it to unsolicited members of the public.
  • Never trust accounts that initiate unsolicited conversations.

 

Group Impersonation (Telegram)

This has been an issue on Telegram as it’s easy for scammers to add people to a group by username.

Scammers use bots to scrape usernames from active legitimate groups, and then add them to scam groups that look identical to the groups they were in, except that things like links will direct users to fraudulent sites.

How do I avoid this?

  • In Telegram, open Settings, then select:
    Privacy and Security > Groups & Channels > Who can add me to groups and channels, and restrict who is allowed to add you.
  • Sometimes, if you’ve been added to a group by somebody, you will see a “report spam and leave” button at the top of the page. This is a big warning sign, so keep an eye out for it.
  • If you don’t remember joining a group, then it is likely fraudulent. Feel free to use the “report spam and leave” button.

How can I tell if I’ve been compromised?

Knowing whether you’ve been scamped or not will require some proactivity and awareness of what’s in your wallet.

  • Keep track of your funds and know how much you own. This will make it easy to spot any discrepancies if they occur.
  • Check any transaction once it’s been submitted to make sure it did what it claimed to do. This can be done by viewing the transaction on the blockchain explorer for your wallet’s chain (BscScan, Etherscan, etc.).
  • Keep a watchful eye on your wallet’s activity. We suggest following the steps in the next section if you notice anything suspicious that you didn’t authorize.

I’ve been compromised, what can I do?

Unfortunately, funds are unrecoverable once they have been sent away from your wallet. However, if they have not been moved, then you may be able to secure them by doing the following.

  • Immediately create a new wallet, making sure that you do not store the seed phrase digitally.
  • Send any remaining funds to the new wallet.

If you have funds locked in staking/liquidity pools or similar, and the attackers have removed only the tokens present in the wallet, you may also be able to recover them, but the attackers can intercept the attempt.

There is no tried and tested method of regaining staked funds, as the right approach will depend on your risk assessment of the situation and other factors, like whether the attackers are using bots to drain your wallet. Typically, though, the methods boil down to unstaking and then sending to a clean wallet without the attacker noticing.

One way of seeing whether attackers are using bots to monitor your wallet for activity is to unstake a small amount first, then immediately try to send it to a clean wallet. If this succeeds, then your wallet could be unmonitored.


Conclusion

As a DeFi user, the only thing protecting you from financial scams is yourself. But thankfully you can protect yourself by simply following a few simple rules and using common sense. Before divulging any information or making any transactions, always take a moment to think about what you’re doing and who you’re interacting with.

 

Good luck, and stay safe!

At Bogged Finance we're dedicated to all aspects of DeFi, including education. We'll be posting more educational articles here and also on BogAcademy, a DeFi education hub managed by Bogged Finance.

What is Bogged Finance? We are a leading DeFi platform, creating tools to empower traders. We're a market leader in DeFi limit orders, stop-losses and DEX Aggregation, with over $1.5B traded across our tools. For more info, see https://www.bogged.finance/
