The blockchain community is rife with potentially profitable projects and scary scams in equal measure. Users can find it hard to discern if a particular project or platform is legitimate and secure to invest in. If you have found yourself unsure of a project’s security, remember these 5 best practices to help you decide if a project is in the C.L.E.A.R:
· C — Check Directly with Cybersecurity Companies or Audit Providers
· L — Look for Red Flags in their Website or dApp
· E — Exercise Due Diligence
· A — Analyze the Audits
· R — Recognize Scammer Behaviour
C — Check Directly with Cybersecurity Companies or Audit Providers
The best, sure-fire, and quickest way to find out if a project is secure or legitimate is to directly contact cybersecurity companies or audit providers.
Projects often claim on their website to have been audited by specific cybersecurity entities:
Fig 1. Blockchain projects or dApps listing cybersecurity companies that have audited them are common. Scammers like using this feature to lie to users.
Never take their word for it. Always ensure these projects have actually been audited by the companies they claim have audited them. It is common for scammers to claim that their project is secure and properly audited by cybersecurity companies. Company logos can easily be extracted from the respective websites, so anyone running a project can claim to be legitimate just to profit off users.
So, how do you contact these security companies? Through social media. Audit providers like Fairyproof usually have social media channels for direct chat, like Telegram or Twitter, for all kinds of inquiries. These companies have the proper tools and databases to check if a project is secure and legitimate for users to interact with. They can advise if a project is a scam or is probably a rug-pull. The best part: it will not take long for you to receive an answer, anything from 5 to 10 minutes. Just make sure to include the project’s website when you enquire about it.
Pro Tip: Do not just check with one cybersecurity company; check with all the companies the project says have audited it. If all relevant audit providers have approved the project in question, the project is secure and appropriate for interaction. Just know that although you will get an answer on whether a project is secure, you may not get an answer on whether a project can be profitable.
L — Look for Red Flags in their Website or dApp
Scam sites have specific indicators (Also known as “red flags”) that they are not secure and not legitimate projects for users to invest in:
L1. Look for Websites / dApps with Seemingly Arbitrary or Dubious URLs
Every website or online platform has a Uniform Resource Locator (URL). URLs are strings of text that appear in a browser’s address field (the bar at the top of your browser screen), and usually end with a “.com”, “.net”, or in the trend of some blockchain sites, “.xyz”. If you find yourself on a site with a URL that is arbitrary, one that does not make sense in any way, it is likely that the site you are interacting with is a scam.
Seemingly irrelevant strings of numbers or text, or just plain generic crypto terminology like “bit-coin99999”, “eth100000”, “defi-mining.bet”, “usdt-eth”, or “app.finance” in a site’s URL are tell-tale signs that a particular project is a scam.
Proper legitimate projects are usually branded: they have special, unique, specific names for their platforms, and thus have unique URLs. Think “Coinbase” (coinbase.com), “Bored Ape Yacht Club” (boredapeyachtclub.com), “Runex” (runex.org), “Deskheads” (deskheads.xyz), or “Fairyproof” (fairyproof.com).
Sometimes, the sneakier scammers imitate these unique URLs to mask their scam sites, changing elements that careless users may not notice. There was an instance where a scammer impersonated the site “deskheads.xyz” with “deskheadz.xyz”. With the change of a single letter, users who thought the latter site was the official site had their NFTs stolen. Be vigilant.
If you are unsure whether a specific project is legitimate based on its URL, do a Google search. Copy the URL of the website you are on, paste it into the search bar of Google.com, and click “Google Search”. If the website you are looking for does not appear among the top few results (top five entries), or even worse, the results show users sending alerts about that same dubious URL, the project is highly likely a scam.
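The two URL red flags described in this section, generic crypto names and near-copies of a real brand's address, can be checked mechanically. The following is an added example, not part of the original article; the `GENERIC_TERMS` word list, the edit-distance threshold of 2 and the function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Brand domains named in the article; replace with the projects you actually use.
KNOWN_DOMAINS = ["coinbase.com", "boredapeyachtclub.com", "runex.org",
                 "deskheads.xyz", "fairyproof.com"]
# Assumed word list, modelled on the generic names the article quotes.
GENERIC_TERMS = {"bit", "coin", "bitcoin", "eth", "usdt", "defi",
                 "mining", "app", "finance"}


def host_of(url):
    """Lower-cased host of a URL given with or without a scheme, minus 'www.'."""
    if "//" not in url:
        url = "//" + url
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_generic(host):
    """True when every label before the TLD is only digits and generic terms."""
    labels = host.split(".")[:-1]
    words = [w.strip("0123456789") for label in labels for w in label.split("-")]
    return bool(labels) and all(w in GENERIC_TERMS for w in words if w)


def assess(url):
    """Return (verdict, matched_known_domain_or_None) for a URL."""
    host = host_of(url)
    for known in KNOWN_DOMAINS:
        if host == known or host.endswith("." + known):
            return ("known", known)
    for known in KNOWN_DOMAINS:
        if edit_distance(host, known) <= 2:   # e.g. one changed letter
            return ("lookalike", known)
    return ("generic", None) if is_generic(host) else ("unknown", None)


if __name__ == "__main__":
    # Constructed sample inputs built from the names quoted in the article.
    for u in ["https://deskheads.xyz/", "deskheadz.xyz", "defi-mining.bet",
              "https://eth100000.com", "app.finance"]:
        print(u, "->", assess(u))
```

An "unknown" verdict only means neither heuristic fired; the remaining checks in this article still apply.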
L2. Look for Platforms that Promise Yields that Sound Too Enticing
Always remember: If a deal sounds too good to be true, it probably is too good to be true.
Many Centralized Cryptocurrency Exchanges (CEXs) or dApps allow you to stake your crypto assets for interest or other digital assets. These stakes usually promise returns in the form of a relatively reasonable Annual Percentage Yield (APY). Scam projects tend to indicate an APY that seems too good to be true.
Reasonable APYs usually range from 2% to 5%. It is rare for crypto assets to have an APY of anything above 10%. It is wise to exercise caution when a dApp, website, or any other online platform promises high APYs. Scam projects also encourage users to pledge large amounts “for a higher income”.
Moreover, most crypto assets usually promise an annual return rate — This means that the percentage returns are based on what you have staked and accrued for the year. Some scam projects would promise yields in hours or days (Like “0.6% six-hour yield”, or “2% daily yield”, etc.).
Fig 2. A tell-tale sign that a project is a scam is when they advertise high yields for a short period of time when you invest.
Do not be easily swayed by yields that are too enticing, such as returns promised after a very short period. Do a quick mental calculation: if theoretically staking 1000 ETH and getting 2 ETH in interest within the course of half a day sounds too sweet for a quick buck, it is.
L3. Look for Signs of Scammers Who Are Always Too Eager to Get You to Invest as Quickly as Possible
Legitimate crypto projects are more concerned with convincing you to believe in the vision of their project so that you can be an investor; scammers are more concerned with getting you to “invest” as quickly as possible with the sole purpose of you “profiting”.
If you click on a link and you find yourself staring at a landing page that only prompts you to connect your hot wallet to the dApp or website before you can interact with the platform, you may be interacting with a scammer site.
Fig 3. Many scam sites never give you the option of visiting or browsing their website through a normal web browser. They always insist on needing you to visit their platform through a hot wallet’s browser.
The reason scammers prefer to have users connect their wallets to their platform first is so that users grant them easy access to their hot wallets. Scammers can be hackers too — And if you unknowingly grant access or validation to a scam website by signing in using your hot wallet, they can easily hack into your hot wallet and extract all your crypto resources.
Be very careful where you connect your hot wallet. If a project prompts you to connect your hot wallet first before doing anything else, it’s best to leave the website and avoid interacting with it.
Moreover, another sign of an always-too-eager scam plot is the absence of other pages. Legitimate projects will always have an “About Me / About Us”, “FAQ”, “Contact Us”, “Privacy Policy / Refund Policy”, and “Terms of Use” page. Make sure these pages exist. Click on these pages and see if they are properly populated with content: content that is credible, readable, and sensible. Scammers tend to avoid taking the extra effort to create such pages, as their goal is to make money from you as quickly as possible. Also, if you do see these pages and you find yourself reading “Lorem Ipsum” in them (usually starting with the Latin “Lorem ipsum dolor sit amet…” followed by a string of text that does not make sense as nobody reads Latin), it is a sign that you are on your way to interacting with a scam website.
L4. Look for Broken or Absent Social Media Links
A final common trait for scam sites is their lack of social media presence. Legitimate blockchain projects have social media accounts to keep users updated and create a community for users to further engage with each other. There is no reason for a scam site to create social media accounts.
Whenever you reach a dApp’s landing page, search for social media links. They are usually found at the top and/or bottom corners of a webpage. An absence of social media links may be an indication that a project is a scam.
Additionally, even if you do find a project with social media icons on its website, click on those icons. Make sure they work. If those icons do not lead you to their respective social media pages, the project that you are looking to invest in may be a scam.
E — Exercise Due Diligence
It will benefit you a great deal if you take the time to do some research on the project you are looking to invest in or interact with. Taking the time to know more about a project in-depth is called “exercising due diligence”. Here are several ways that you can do so:
E1. Check for the Platform’s Credibility on Social Media Communities
The creation of legitimate projects would mean the creation of official social media to talk about said projects. You can generally find sentiments about a project through mass social media forums like Twitter or Reddit. There, you might also find people talking about projects being potential scams or rug-pulls.
Have an arsenal of sites and accounts to look for alerts on potentially dubious projects. Find official pages of the projects you’re looking into on every social media platform. Then, follow cybersecurity companies on Twitter for scam alerts, frequent communities of people who have been scammed to understand the nature of scams and scammers, and look for chat groups where people inquire on the credibility of projects on a daily basis.
E2. Check on the Credibility of the Project or Platform via Blockchain Explorers or Cryptocurrency Aggregators
Legitimate project teams recognize that the moment they start a legitimate blockchain platform or project, they would need to get listed on a blockchain explorer or crypto aggregator to increase their credibility as soon as possible. Scammers would not bother making sure they are properly named, branded, and verified on CEXs like Crypto.com or explorers like Etherscan.io or Blockchain.com.
Take the time to look for a project’s address: copy the address and paste it on a blockchain explorer. Legitimate projects that have been honestly aggregated should look like this: Verified pages with proper links to social media accounts, websites, and datasets that show legitimate volumes of digital resources that have been transacted.
Fig 4. Be skeptical when a site natively shows you how frequently transactions take place on its platform. The transactions shown natively on a project’s website should match the transactions shown on a blockchain aggregator.
If you find that you are looking at an unverified, unnamed address on a blockchain aggregator with no other links to their website or social media account, and a dubious history on their transactions (Like receiving and sending suspiciously large amounts of crypto assets between unverified, unnamed addresses), you are looking at a scam project.
E3. Read the Project’s Whitepaper
Some legitimate blockchain projects produce their own whitepapers. Whitepapers are documents that detail the problems a project is looking to solve, its design philosophy, its timeline, and the complex technicalities of the solutions with which it is attempting to solve said problem(s).
Understanding a project’s whitepaper would mean understanding the project itself, helping you decide if a project is worth investing in.
A — Analyze the Audits
Audits help users understand the level of security of a project or platform they may invest in, and help project developers become aware of its flaws.
When you see a dApp or online platform that claims to be audited by legitimate cybersecurity companies, the logos on the website should be linked to the respective audit documents. If you click / tap on the respective logos of the audit providers on the website and it does not direct you to the audit report, the website is very likely a scam site. Fairyproof is purposeful in prompting our audited clients to make sure that the audit reports are accessible through our logo on their homepages or landing pages.
Users should also possess some knowledge of reading and understanding audits. If an audit shows a project to contain multiple vulnerabilities, it also communicates the idea that users should exercise caution when interacting with a specific project or platform.
Fig 5. Look out for summary information like this whenever you read an audit. Audits publicly show information on vulnerabilities of different severities that can expose projects to different cyber-attacks. If these vulnerabilities are claimed to be unresolved, exercise caution in interacting with said project.
Multiple code vulnerabilities on a particular project mean more opportunities for hackers to attack said project and exploit crypto assets.
R — Recognize Scammer Behaviour
The good thing about scammers is that once you can recognize one, you can probably recognize them all. A scammer’s constant is that they always want to steal the most amount of money from you in the shortest amount of time by deceiving you. Here are some behaviours most of them share:
R1. They Approach You Out of Nowhere
No legitimate blockchain project would approach you through direct messaging to advertise investing on their platform. It is common policy for corporate and professional entities to not reveal they have your contact information, and even if they do, they have no obligation to approach you personally for different purposes (unless they are announcing a complete shutdown of their project, you have recently contacted their customer support for specific reasons, or you have directly interacted with some of their marketing campaigns).
If you are aware that you have not given your contact information like your phone number, email, or social media handles to a specific project, ask those who have approached you where they obtained your contact information. If their answers do not make sense in the context of your Web3.0 interactions, do not interact with the websites they have sent you or interact with them any further. It is also likely that they would not reply to you, as scammers prefer easy targets that jump in to invest without question. If they do not reply to you, walk away from the offer. A little bit of patience can save your wallet.
It is always safe to be skeptical of an individual reaching out to you and urging you to invest in a specific project or visit a particular website.
Most importantly: Never click on links sent to you by unknown numbers or social media accounts.
R2. They Immediately Transfer Your Deposits to An Unknown Address
Should you find yourself in a position where you have already made an initial deposit, check if the deposits are immediately transferred to an unknown address. Legitimate projects with investment features usually do not need to transfer your funds to a separate address for you to earn interest (save for NFTs: when you stake an NFT, it gets transferred to a staking address with other users who have staked their NFTs too).
The moment you find out that your funds have been transferred to an address you do not know, do not invest any further!
R3. They “Freeze” Your Current Deposits and Ask for More to “Unfreeze” Them
“Freezing” initial deposits is also a common modus operandi (MO) for scammers. Users who have been scammed would find that once they have deposited their investment, they will not be able to withdraw what they have invested. Some scammers would dub this amount to be “frozen”. Scammers would then insist that the user “contribute” (also known as “pay”) a separate amount to “unfreeze” this deposit.
Do not proceed with any subsequent payments.
Users who are unaware of this behaviour would be conned into constantly paying scammers in hopes of getting their money back.
Legitimate projects usually allow you to withdraw your deposits easily without any form of payment.
R4. They Ghost You After You’ve Placed Your Investment
When you have had enough and realized you are on the edge of never getting your money back, chances are you would attempt to argue your deposit back through harsh words. This is when you’ve sent clear indications to the scammer that he/she will not be able to steal any more money from you. They will start to ignore you. By this stage, your assets are considered permanently stolen and possibly irrecoverable.
Your next course of action would be to hire a private cryptohunter or approach a cybersecurity company with crypto-retrieval services (which also requires a separate set of payments, and you may still expose yourself to self-proclaimed “cryptohunters” who can be scammers too). You can also try approaching proper authorities like the police or Interpol. However, they may take some time to give you a solid solution in getting your funds back, as scam cases are common occurrences around the world. The moment you have sunk your foot too deep in interacting with scammers, we would regret to inform you that the worst-case scenario is to treat your initial investment as a lost cause and treat the situation as a lesson to watch out for scammers in the future.
In Conclusion:
Apply C.L.E.A.R in your decision-making process BEFORE investing in any project or on any platforms:
Check directly with Cybersecurity Companies or Audit Providers
Look Out for Red Flags in Their Website or dApp
Exercise Due Diligence
Analyze the Audits
Recognize Scammer Behaviour
If a specific project does not pass any of the above rubrics, it is safer to leave the project alone and find something else to invest your crypto resources in.
“An ounce of prevention is worth a pound of cure.”
- Benjamin Franklin, Founding Father of the United States of America
Looking to strengthen the security of your project? Contact us at https://fairyproof.com/