LAST CHANCE BLACK FRIDAY: Save now on Ledger hardware wallets and accessories.

Shop now

Up your Web3 game

Ledger Academy Quests

  • Test your knowledge
  • Earn POK NFTs
Play now See all quests

Scam NFTs: The Spam Emails of Web3

Beginner
Purple warning sign on a black background.
KEY TAKEAWAYS:
— Scam NFTs are a popular tool for malicious actors looking to take advantage of people in web3.

— The relative sophistication of these scams means that they can sometimes fool even experienced crypto users.

— Fortunately, Ledger Live has multiple features that can help you quickly identify scam NFTs and deal with them safely.  

You open Ledger Live and see a new NFT in your Polygon account. Excited, you click on the NFT and see a message. “Congratulations! You’ve won 1000ETH. Just go to definitely-not-a-scam-nft-site.com and collect your reward.”

You connect your wallet and are prompted to claim the airdrop. Eagerly you plug in your Nano, accept the transaction in Metamask, blind sign the transaction on your device, and return to Ledger Live to check your balances. To your surprise, there’s no stETH, and what’s more, your token balances are gone! That’s all it takes to fall prey to one of the most common scams targeting crypto holders today. So what went wrong?

We’ve all heard of airdrops, if you’re lucky you’ve even made a pretty penny claiming them before.  But that’s the trick: everyone wants something for nothing. And scammers prey on that exact feeling. Of course, scam NFTs are more sophisticated than your average scams. They can be much more difficult to detect, even for experienced crypto users.

So how does the scam even work?

Scam NFTs: What They Are and How the Scam Works

Scam NFTs are the Web3 equivalent of scam emails. Much like they continue to plague email inboxes around the world, scam NFTs litter wallet addresses on-chain. The playbook is all too similar. And while we’ve had years to develop systems to detect and filter spam and phishing attempts, crypto is still the wild west. Thus, scam NFTs are a little different.

Mostly, a scam NFT will typically employ some common social engineering tactics. Some scam NFTs will try to trick you into giving up your tokens or NFTs, others will also target your native assets (ETH, MATIC, etc.). 

Generally, there will be a call to action that urges you to act hastily:  a countdown clock or the promise of a large sum of money are both popular methods. Essentially, the scammers want you to behave irrationally and act quickly. They’ll promise something, free crypto or access to an NFT collection: anything to get you hooked. 

While each scam has its unique flair, they use the same tool: phishing. Unfortunately, accessing a phishing link can help a bad actor reach you by either: downloading malware onto your computer which allows the attacker to access your files and tamper with your screen; or more commonly, convincing you to sign a malicious transaction. 

Let’s see how these scams differ:

Scam NFTs Leading You To Download Malware

Firstly, a scammer may use a phishing link in the NFT to lead you to a site that will download malware on your computer. This will allow the attacker to read your files. If you use a software (hot) wallet, they could potentially find the secret recovery phrase or private keys to your accounts within your device’s memory. They may even install a keylogger and find out all of your passwords for more than just your crypto accounts.

In this case, protecting your assets with a Ledger device would keep your crypto safe, as it stores your private keys isolated from an internet connection. This means your crypto stays protected from potential malware or spyware on your web2 device. 

Unfortunately, the most common type of Scam NFTs have a different method of catching their victims; one that also targets hardware wallet owners.

Scam NFTs Leading You to Sign a Malicious Transaction

To explain, a phishing site found on a Scam NFT may lead you to sign a transaction—and that’s something a Ledger device cannot protect you from. Using your Ledger device within the Ledger Ecosystem is safe.

However, if you want to use your Ledger device to access apps and services outside Ledger Live, you will need to connect it to a third-party wallet interface, such as Metamask, Coinbase Wallet, or WalletConnect.

This is the critical moment: it’s rarely clear what you’re signing and not all wallets give you the full details of a proposed transaction in human-readable language. This is called blind signing and sadly, it’s a common attack vector for scammers. Unfortunately, a single approval is all it takes: clicking confirm could send your assets straight to the scammer’s wallet. 

What Happens if I Sell or Transfer the NFT

Firstly, just don’t. Whatever you do, do not interact with the potentially malicious token. To explain, although these scams will rarely activate by interacting with them on-chain, there’s nothing to win by selling or transferring these spam tokens. 

You may have been considering sending the spam to the burn address. But in fact, that’s not as good an idea as it seems. Scam NFT contracts are hastily written and can be quite inefficient. Of course, scammers are not concerned with deploying the best NFT contract. After all, they just want to steal unsuspecting users’ funds. This can directly impact you when you try to transfer scam NFTs, as the cost to call the contract can be incredibly high. While this doesn’t necessarily benefit the scammer, it can waste your funds on gas fees.

Selling these NFTs is not the answer either. Most of the time, the smart contract will prohibit you from selling the NFT. Yes, the 2ETH offer you have on that piece of spam is not redeemable at all. Unfortunately, it’s quite easy to write some logic that prevents you from profiting off of these spam tokens, thus it’s not recommended that you try to transfer or sell scam NFTs out of your account. Instead, it’s best to simply hide spam NFTs from your portfolio.

I Just Clicked the Link, What Should I Do?

Clicking a scam link is unlikely to affect your device. Usually, the site will attempt to convince you to download malware on your laptop or smartphone or sign a transaction with your crypto wallet. If you have a Ledger device, you don’t have to worry about any malware on your web2 device. Even if your laptop or smartphone does contain malware, your Ledger device stores private keys and signs transactions in a separate isolated environment.

However, using a Ledger device will not stop a bad actor if you sign a malicious transaction. So if you do click an untrustworthy link and it prompts you to sign a transaction: don’t do it! This is the biggest threat to your crypto no matter which type of wallet you use.

I Just Signed a Malicious Transaction, What Should I Do?

Signing a malicious transaction can be detrimental to your assets. If you have signed a transaction on a phishing site, it may be too late to save your tokens. Just signing the transaction will initiate the swap, transfer, or “sale” of your assets, which is enough to whisk them away.

To avoid any further losses, you should immediately navigate to a tool that allows you to revoke approvals. Popular tools include Etherscan or Revoke.cash. Please note that this will cost a small gas fee.

How To Manage Scam NFTs

Now you know what to do in a crisis, let’s look at some of the most important ways you can avoid being affected by scam NFTs yourself. 

Don’t Trust, Verify.

Verification means finding the information out for yourself. Another famous phrase is “Do your own research“. Legitimate Airdrops tend to cause a buzz and are heavily discussed on social media. Be sure to search Reddit and Twitter to verify an airdrop. Even then, scammers will create fake accounts to hype up their scams. Verify the legitimacy of the project, ask around your crypto native friends, get involved with a community, and only then decide whether you’re willing to risk connecting to that contract.

When in Doubt, Don’t Sign.

Carefully review the transaction details in your wallet interface before approving anything on your Ledger device. Scammers can’t take your assets without a valid signature, so the best way to protect yourself is not to sign the transaction. If you’re dead set on connecting, consider using a burner wallet so you can keep the approvals away from your main holdings.

Report Scams

We work hard to make the space safer, and tackling scam sites is a game of whack-a-mole. You can report scams to blockchain sleuths, online reporting services, or police. If you encounter scams concerning Ledger devices, reach out to the customer support team.

Access Apps and Services Via Ledger Live

You may be able to visualize scam NFTs within Ledger Live. If you can see some NFTs you don’t recognize in Ledger Live, do not interact with them. Scam NFTs will always direct you to leave Ledger Live. Ignoring their wishes is the first step to keeping your crypto safe. For your safety, Ledger Live doesn’t let you copy/paste URLs from NFTs by design, but if you do end up following a phishing link through other platforms, you may be surprised by how legitimate some of these phishing sites look. 

Accessing apps and services through Ledger Live means you benefit from the clear signing plugin. This means that you can buy and sell NFTs via supported marketplaces, reading each transaction in human-readable language.  So why not buy a Ledger hardware wallet device and manage your NFTs with security and knowledge on your side?

Remember: the most important piece of any transaction is you. Only you have the power to keep your funds safe and secure. A Ledger device can keep your funds safe from online threats, but you’re the one to approve transactions; so don’t trust: verify.


Stay in touch

Announcements can be found in our blog. Press contact:
[email protected]

Subscribe to our
newsletter

New coins supported, blog updates and exclusive offers directly in your inbox


Your email address will only be used to send you our newsletter, as well as updates and offers. You can unsubscribe at any time using the link included in the newsletter.

Learn more about how we manage your data and your rights.