However, as great and useful as unfurling is, it can be abused by bad actors to mislead someone about where a link will actually send them. Users typically have an inherent trust that the application they are using will show them the “correct” data.
The best advice we can give to a crypto user on Twitter is to never trust anyone (read: verify, don’t trust), even those with blue verification badges. Accounts are often sold and used to target crypto communities via malicious links, support help, and bad advice to pump shitcoins.
Social media giant Facebook also has crypto groups, most of which are “cesspools” of scams, and their unfurling engine can also be abused to show a different endpoint than what you will be directed to - just like Twitter. However, their status engine is a little different, as you can delete the link after the link card is added to the status.
If you’re part of a crypto-oriented group on Facebook, chances are you will be targeted with ads - most of which will be scams. In fact, recently we noticed three types of scams on Facebook.

Although I wrote about this in 2020, it is still pretty common to see these types of scams that advertise an insane amount of income per week for signing up to a Bitcoin service. These services are advertised with a fake news article and a sensationalized news video that reinforces the legitimacy of their platform by piggybacking off Bitcoin’s brand.

Some scams we see target those who want to start in crypto with self-custody and know some of the brand names in the space. We see ads (such as the following) that try to profit off established project names in the space to steal users’ secret recovery phrases. They typically mix established branding into their sponsored ads.

Another common scam involves bad actors targeting users who are more familiar with the technical terminology around smart contracts. They usually direct people to a video-hosting platform and explain how to use an already-created smart contract to perform a flash-loan attack, often on Binance Smart Chain. These contracts are written to deposit ETH (or in this case, BNB) into a contract that simply forwards it to an EOA. In the example below, the contract that they get you to deploy will send funds to
Many crypto groups host their own Discord servers to engage more easily with their community, but these servers can quickly become hotspots for crypto scammers.
Recently, we’ve seen bad actors mimicking a popular Crypto-to-Discord integration called “CollabLand” to phish for users' secrets by copying CollabLand and MetaMask branding. CollabLand is an integration that allows users to match their Discord accounts to their web3 accounts to gain access to specific channels reserved for those who, for example, hold a certain NFT.
permit() functions within their interfaces - have changed all that. This means that as a user you need to be cautious about what you are signing, even off-chain.

The most common tactic a phisher uses is trying to get you to type your secret recovery phrase into a web form. They typically do this by imitating the MetaMask UI and asking for it, and it is quite successful. Once they have your secrets, they’ll sweep all your assets (or at least the most valuable ones).

Also prevalent: you might be led to believe you have “airdropped” tokens that you can seemingly swap for a huge sum, but are required to go to a specific swap website controlled by the scammer. Once there, the UI shows you that you’ll be getting $xx,xxx after you confirm the swap - however, what you are then asked to sign in your wallet provider is a call to approve() on your most valuable (in USD terms) token, granting the scammer an allowance they can use to sweep it at a later date. As well as crossing our radar, these scams have also caught the attention of the Coinbase Security Team.
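The approve() trick above works because the wallet prompt rarely makes the spender and amount obvious. The following is an added example, not code from the original post: it decodes the raw calldata behind an approve(address,uint256) request and flags the two properties the swap-site scam depends on, an unlimited allowance and a spender you never chose to trust. All addresses and the trusted-spender list are constructed placeholders.

```python
# Added example: decode the calldata behind a wallet "confirm" prompt and flag
# the kind of approve() a phishing swap site relies on. Standard library only;
# every address below is a constructed placeholder, not a real contract.
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1

# Spenders the user has deliberately chosen to trust (placeholder value).
TRUSTED_SPENDERS = {"0x" + "ab" * 20}


def decode_approve(calldata_hex: str) -> dict:
    """Return spender and amount from approve(address,uint256) calldata.

    Raises ValueError if the bytes are not a well-formed approve() call.
    """
    data = calldata_hex.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64:  # selector + two 32-byte ABI words
        raise ValueError("unexpected calldata length for approve()")
    if data[:8] != APPROVE_SELECTOR:
        raise ValueError("selector is not approve(address,uint256)")
    spender_word, amount_word = data[8:72], data[72:136]
    # An ABI-encoded address is left-padded with 12 zero bytes.
    if spender_word[:24] != "0" * 24:
        raise ValueError("malformed address word")
    return {"spender": "0x" + spender_word[24:], "amount": int(amount_word, 16)}


def approval_flags(calldata_hex: str) -> list[str]:
    """Flags a user should see before signing: an unlimited allowance and an
    unknown spender are the two things the fake-swap scam depends on."""
    call = decode_approve(calldata_hex)
    flags = []
    if call["amount"] == MAX_UINT256:
        flags.append("UNLIMITED_ALLOWANCE")
    if call["spender"] not in TRUSTED_SPENDERS:
        flags.append("UNKNOWN_SPENDER")
    return flags


# Constructed sample: what a fake "swap" site might ask the wallet to sign
# (unlimited allowance to a spender the user has never seen).
SCAM_CALLDATA = "0x" + APPROVE_SELECTOR + "0" * 24 + "c0" * 20 + "f" * 64
# Constructed sample: a bounded approval (1000 tokens at 18 decimals) to a
# spender the user deliberately trusts.
SAFE_CALLDATA = "0x" + APPROVE_SELECTOR + "0" * 24 + "ab" * 20 + format(10**21, "064x")

if __name__ == "__main__":
    for label, data in (("scam", SCAM_CALLDATA), ("safe", SAFE_CALLDATA)):
        print(label, decode_approve(data), approval_flags(data))
```

The same decoding applies to any wallet prompt: compare the decoded spender against the site you believe you are using, and treat a 2**256-1 amount as a blank cheque on that token.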
Moral of the story? Don’t trust links. Verify.