👋 Welcome to the 50th issue of The Syllabus from Invisible College—a newsletter that helps you navigate the fast-moving world of web3. To get it delivered straight to your inbox, subscribe here:
I wipe my eyes and yawn—still groggy from a lackluster night of sleep—as I sit down and flip open my laptop to get my workday started. My eyes refocus and I see way too many notifications across my email, reminders, and messaging apps. First, I check the Invisible College Discord community to see what’s going on.
There are a few “gm” messages and then an article shared in the general channel. Hmm, that’s interesting. It looks like the accounting firm KPMG recently launched a crypto tax calculation service. I click the link and give the Reuters article a quick read. Sounds like KPMG has built something just in time for tax season. It makes sense because dealing with taxes in crypto is a huge pain point. My mind flashes back to the stack of paper I had to print last year with every single transaction across every single blockchain in it.
The article says you can check out your tax liability for about $1.00, so I click the link to check out the tool. I see a standard-looking landing page—the KPMG logo on the top left, a legit-looking URL, and a list of their trusted partners below the fold. I double-check the Reuters site and that looks good too. Let’s give it a try.
I click the connect wallet button and choose MetaMask. The MetaMask Chrome extension shows the permissions the site is requesting. I read carefully and don’t see anything suspicious, nothing like the “approve all” scam I’ve heard about that has gotten many people before. And it doesn’t look like the Seaport thing behind the recent Kevin Rose hack either.
I click approve.
The extension immediately pops up again, this time with a gas fee just above $1.00. It seems abrupt, so I hover my mouse over the reject button, thinking I should double-check everything first before clicking approve. But then I remember that the article had mentioned it would cost about $1.00 to try the tool. They must’ve meant the gas fee.
I click approve.
The Ethereum blockchain usually takes a bit to verify a transaction, so I glance back at Discord and check some other messages. Moments later, MetaMask pops up again, but this time it has a gas fee of over $5.00 and it’s saying something about a Moonbirds Oddities NFT. What the?
I click reject.
It pops up again.
I click reject again.
It pops up yet again.
And that’s when it hits me.
I’ve just been scammed.
Somehow, I finally get the transaction to stop popping up. I open the MetaMask extension and see that my Ethereum balance has gone from over 2.83 ETH down to just 0.010376988669101132 ETH.
My heart drops and my face goes flush. I’m not sure what to do except rattle off some messages in the IC Discord.
[9:13 AM] Welp, that just took my ETH. Really thought I was being careful too
[9:15 AM] Crap, I see what I did now.
[9:16 AM] Please nobody click on that. It's not a real news story.
[9:16 AM] It just got my ETH and no NFTs, but it was a decent amount
Then came the wave of embarrassment and shame. I’m supposed to teach people how to avoid this type of situation. And I just fell victim to it?
I tell some friends in other groups and warn them not to engage with any similar links. They’re nice and supportive. One person in particular makes me feel a bit better: he looks into the details on Etherscan and calls the scam “sophisticated”. The scammers programmed a smart contract, wrote a legitimate-looking article on a website that looked just like Reuters, and even primed me for the $1.00 gas fee in the article copy. At least I didn’t fall for a blatantly obvious one.
In the afternoon, I hop on our Office Hours call on Twitter Spaces and explain how it all went down. The IC community is nice too and they say it could’ve happened to anyone. I know they’re right, but I’m still upset. And I’m frustrated. Not with myself. I can get over what I did and I thankfully don’t need the money to survive. I’m frustrated with whoever did this—someone who clearly has some technical and creative talent, yet chooses to use those talents nefariously. I’m frustrated with people who are stealing value out of the ecosystem instead of building and creating value within it.
There’s nothing I can do now except continue to help others so they don’t fall victim to something similar. In my personal Substack,
, I write vulnerable stories where I lay it all out there raw and unvarnished each week. I didn't want to include one of those types of personal stories in this newsletter. But I think it's important that I'm transparent about it, especially given that I write and talk about these things all the time in my role in the IC community.

It’s a cliché, but we really are still so early. I’ve recently seen tweets saying that we don’t have a user-experience (UX) issue in web3 anymore and that the real issue is that we don’t have compelling products to onboard new people. But the thing is, both can be true. Most UX in web3 is laughable when compared to web2. It’s not remotely ready for primetime yet. Self-custody of assets is too complex for the average person, as well. I mean, look at Kevin Rose’s new setup:
He also added that his seed phrases will be recorded in steel, his cold and sale wallets will be on a multi-sig (meaning multiple people need to sign off on each transaction), and he’ll be using two different Chrome extensions (Wallet Guard and Pocket Universe) to check whether transactions are safe before he signs them. I’m now testing Pocket Universe too, although I worry that it could become another attack vector for scammers.
Someone in his replies also suggested he add another computer with a fresh hard drive and operating system, so he’s adding a MacBook Air to the mix too:
Don’t get me wrong, these are all best practices, especially for someone who likely has millions of dollars worth of tokens and NFTs, even after getting $2M+ of them stolen from him. But most average Joes won’t be getting anywhere near this level of self-custody. And they shouldn’t have to either.
If you’re reading this, you’re more likely to be someone who’s actively involved in the web3 space. Maybe you’re not minting NFTs or farming on DeFi protocols every day. But you probably have your own wallet with some assets in it, rather than some BTC or ETH sitting on an exchange somewhere. If that describes you, here are some practical takeaways from my unfortunate experience:
Don’t rush: Nothing you do in the web3 space should feel rushed. That’s when mistakes happen and many scammers understand the psychology around this well.
Check your alertness: There’s rarely a reason to make transactions first thing in the morning or late at night. When you’re tired, you’re more likely to make errors.
Ask questions: Part of the reason we started Invisible College is to create a community for people who are new to the space to ask questions.
Test first: Use a burner wallet whenever possible. I made the mistake of connecting my main Ethereum wallet. I was lucky that the scam didn’t take everything.
Don’t be lazy: There’s no need to keep a lot of funds in a wallet you’re using for more regular transacting. I usually don’t keep nearly 3 ETH in that wallet. Instead, I move it to my vault, which is connected to a Ledger hardware wallet. But I got lazy and hadn’t moved funds in a while.
I hope this helps you think about what you’re doing more carefully and methodically than I did earlier this week. It could really happen to anyone. And I don’t want it to be you.
If you’d like to join a community where any and all questions are welcome, we’d love to have you at Invisible College. You can learn more about how to join on our website here:
As always, none of this should be construed as financial advice. Please do your own research.
If you enjoyed this post, could you please let us know by giving the heart button below a tap?