It could happen to anyone
How it feels to fall for a crypto scam
Welcome to the 50th issue of The Syllabus from Invisible College, a newsletter that helps you navigate the fast-moving world of web3. To get it delivered straight to your inbox, subscribe here:
I wipe my eyes and yawn, still groggy from a lackluster night of sleep, as I sit down and flip open my laptop to get my workday started. My eyes refocus and I see way too many notifications across my email, reminders, and messaging apps. First, I check the Invisible College Discord community to see what's going on.
There are a few "gm" messages and then an article shared in the general channel. Hmm, that's interesting. It looks like the accounting firm KPMG recently launched a crypto tax calculation service. I click the link and give the Reuters article a quick read. Sounds like KPMG has built something just in time for tax season. It makes sense because dealing with taxes in crypto is a huge pain point. My mind flashes back to the stack of paper I had to print last year with every single transaction across every single blockchain in it.
The article says you can check out your tax liability for about $1.00, so I click the link to check out the tool. I see a standard-looking landing page: the KPMG logo on the top left, a legit-looking URL, and a list of their trusted partners below the fold. I double-check the Reuters site and that looks good too. Let's give it a try.
I click the connect wallet button and choose MetaMask. The MetaMask Chrome extension shows the permissions the site is requesting. I read carefully and don't see anything suspicious, nothing like the "approve all" scam I've heard about that has gotten many people before. And it doesn't look like the Seaport thing that caused the recent Kevin Rose hack either.
I click approve.
The extension immediately pops up again, this time with a gas fee just above $1.00. It seemed abrupt, so I hover my mouse over the reject button, thinking I should double-check everything first before clicking approve. But then I remember that the article had mentioned it would cost about $1.00 to try the tool. They must've meant the gas fee.
I click approve.
The Ethereum blockchain usually takes a bit to verify a transaction, so I glance back at Discord and check some other messages. Moments later, MetaMask pops up again, but this time it has a gas fee of over $5.00 and it's saying something about a Moonbirds Oddities NFT. What the?
I click reject.
It pops up again.
I click reject again.
It pops up yet again.
And that's when it hits me.
I've just been scammed.
Somehow, I finally get the transaction to stop popping up. I open the MetaMask extension and see that my Ethereum balance has gone from over 2.83 ETH down to just 0.010376988669101132 ETH.
My heart drops and my face goes flush. I'm not sure what to do except rattle off some messages in the IC Discord.
[9:13 AM] Welp, that just took my ETH. Really thought I was being careful too
[9:15 AM] Crap, I see what I did now.
[9:16 AM] Please nobody click on that. It's not a real news story.
[9:16 AM] It just got my ETH and no NFTs, but it was a decent amount
Then came the wave of embarrassment and shame. I'm supposed to teach people how to avoid this type of situation. And I just fell victim to it?
I tell some friends in other groups and warn them not to engage with any similar links. They're nice and supportive. One person, in particular, makes me feel a bit better after he looks into the details using Etherscan and he calls the scam "sophisticated". The scammers programmed a smart contract, wrote a legitimate-looking article on a website that looked just like Reuters, and they even primed me for the $1.00 gas fee in the article copy. At least I didn't fall for a blatantly obvious one.
In the afternoon, I hop on our Office Hours call on Twitter Spaces and explain how it all went down. The IC community is nice too and they say it could've happened to anyone. I know they're right, but I'm still upset. And I'm frustrated. Not with myself. I can get over what I did and I thankfully don't need the money to survive. I'm frustrated with whoever did this, someone who clearly has some technical and creative talent, yet chooses to use those talents nefariously. I'm frustrated with people who are stealing value out of the ecosystem instead of building and creating value within it.
There's nothing I can do now except continue to help others so they don't fall victim to something similar. In my personal Substack, I write vulnerable stories where I lay it all out there raw and unvarnished each week. I didn't want to include one of those types of personal stories in this newsletter. But I think it's important that I'm transparent about it, especially given that I write and talk about these things all the time in my role in the IC community.
It's a cliché, but we really are still so early. I've recently seen tweets saying that we don't have a user-experience (UX) issue in web3 anymore and that the real issue is that we don't have compelling products to onboard new people. But the thing is, both can be true. Most UX in web3 is laughable when compared to web2. It's not remotely ready for primetime yet. Self-custody of assets is too complex for the average person, as well. I mean, look at Kevin Rose's new setup:

He also added that his seed phrases will be recorded in steel, his cold and sale wallets will be on a multi-sig (meaning multiple people need to sign off on each transaction), and he'll be using two different Chrome extensions (Wallet Guard and Pocket Universe) to verify if transactions are safe. I'm now testing Pocket Universe too, although I worry that it could become another attack vector for scammers.
Someone in his replies also suggested he add another computer with a fresh hard drive and operating system, so he's adding a MacBook Air to the mix too:

Don't get me wrong, these are all best practices, especially for someone who likely has millions of dollars worth of tokens and NFTs, even after getting $2M+ of them stolen from him. But most average Joes won't be getting anywhere near this level of self-custody. And they shouldn't have to either.
If you're reading this, you're more likely to be someone who's actively involved in the web3 space. Maybe you're not minting NFTs or farming on DeFi protocols every day. But you probably have your own wallet with some assets in it, rather than some BTC or ETH sitting on an exchange somewhere. If that describes you, here are some practical takeaways from my unfortunate experience:
Don't rush: Nothing you do in the web3 space should feel rushed. That's when mistakes happen and many scammers understand the psychology around this well.
Check your alertness: There's rarely a reason to make transactions first thing in the morning or late at night. When you're tired, you're more likely to make errors.
Ask questions: Part of the reason we started Invisible College is to create a community for people who are new to the space to ask questions.
Test first: Use a burner wallet whenever possible. I made the mistake of connecting my main Ethereum wallet. I was lucky that the scam didn't take everything.
Don't be lazy: There's no need to keep a lot of funds in a wallet you're using for more regular transacting. I usually don't keep nearly 3 ETH in that wallet. Instead, I move it to my vault, which is connected to a Ledger hardware wallet. But I got lazy and hadn't moved funds in a while.
I hope this helps you think about what you're doing more carefully and methodically than I did earlier this week. It could really happen to anyone. And I don't want it to be you.
If you'd like to join a community where any and all questions are welcome, we'd love to have you at Invisible College. You can learn more about how to join on our website here:
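As an added example (not code from this newsletter or from any wallet vendor), here is a pre-signing review of the transaction object a site hands to the wallet, built around the point the story and the takeaways share: the gas fee the popup shows is not the amount leaving the wallet; that is the `value` field. The sample request, the ETH price, the placeholder addresses and the `expectedUsd`/`maxValueEth` expectations are all constructed assumptions.

```javascript
// Added example, not from the newsletter or any wallet vendor: a pre-signing
// review of the parameters a dapp hands to the wallet (eth_sendTransaction).
// The point from the story: the popup's "gas fee" is not the amount sent.
// The `value` field is what actually leaves the wallet. All numbers below
// (sample request, ETH price) are constructed for illustration.
const WEI_PER_ETH = 10n ** 18n;

// Exact wei -> "x.xxxxxx" ETH string using BigInt (no floating point).
function weiToEth(wei) {
  const frac = ((wei % WEI_PER_ETH) * 1000000n) / WEI_PER_ETH;
  return `${wei / WEI_PER_ETH}.${frac.toString().padStart(6, "0")}`;
}

// req: the JSON-RPC transaction object (hex strings, as wallets receive it).
// exp: { expectedUsd, maxValueEth, ethUsd }, the user's own expectations.
function reviewTransactionRequest(req, exp) {
  const value = BigInt(req.value ?? "0x0");
  const gasWei = BigInt(req.gas ?? "0x5208") * BigInt(req.maxFeePerGas ?? "0x0");
  const toUsd = (wei) => (Number(wei) / 1e18) * exp.ethUsd;
  const valueUsd = toUsd(value);
  const gasUsd = toUsd(gasWei);
  const warnings = [];
  // A ~$1 "fee" next to a multi-ETH value is the pattern in the story above.
  if (value > 0n && valueUsd > exp.expectedUsd) {
    warnings.push(`sends ${weiToEth(value)} ETH (~$${valueUsd.toFixed(2)}) ` +
      `but the site quoted ~$${exp.expectedUsd}; gas alone is ~$${gasUsd.toFixed(2)}`);
  }
  // Per-transaction cap: what a burner wallet is allowed to part with.
  if (value > BigInt(Math.round(exp.maxValueEth * 1e6)) * (WEI_PER_ETH / 1000000n)) {
    warnings.push(`exceeds your per-transaction cap of ${exp.maxValueEth} ETH`);
  }
  return {
    valueEth: weiToEth(value), gasCostEth: weiToEth(gasWei), valueUsd, gasUsd,
    callsContract: (req.data ?? "0x") !== "0x", // outcome set by code, not copy
    warnings, safeToSign: warnings.length === 0,
  };
}

// Constructed request mirroring the story: 21000 gas at 30 gwei (~$1 at a
// constructed $1,600/ETH) with 2.82 ETH in `value`. Addresses are placeholders.
const SAMPLE_REQUEST = {
  from: "0x" + "1".repeat(40), to: "0x" + "2".repeat(40),
  value: "0x" + ((282n * WEI_PER_ETH) / 100n).toString(16),
  gas: "0x5208", maxFeePerGas: "0x" + (30n * 10n ** 9n).toString(16),
  data: "0x",
};
const SAMPLE_EXPECTATIONS = { expectedUsd: 1, maxValueEth: 0.05, ethUsd: 1600 };

// A "tax calculator" should need no ETH at all; a large `value` is the tell.
const SAMPLE_REVIEW = reviewTransactionRequest(SAMPLE_REQUEST, SAMPLE_EXPECTATIONS);
```

`SAMPLE_REVIEW.warnings` holds the two reasons the request should be rejected; a request with `value` of `0x0` and the same gas settings passes with `safeToSign` true.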
As always, none of this should be construed as financial advice. Please do your own research.
If you enjoyed this post, could you please let us know by giving the heart button below a tap?