All Aboard Ha Ha Ha Ha… Ah Fuck, Did I Just Get Scammed? Hard Lessons from CryptoBatz

After a month away from work, I kicked off this new year by replying to some snoozed emails, scheduling some yearly doctor checkups, paying my estimated taxes, and outlining a few things I’d like to do this month. It was a solid first cup of coffee. Upon completion, I looked down at Discord and noticed I had received a DM from CryptoBatz informing me that their Ozzy Osbourne NFT project was doing an early mint. 🦇 As a fan of Ozzy and as a continuation of my web3 research, I bookmarked this campaign last month as one of interest, so I quickly jumped at the opportunity to mint one of these batz. I headed over to the provided link and noticed that 550 of 666 batz were already pre-minted. “Just in time,” I thought. I connected my wallet, provided the funds for a bat, and waited patiently to see which one I received.

And that’s when it dawned on me. I was just scammed.

Life’s a bitter shame.

Let’s rewind a bit. CryptoBatz was announced last month and has signed up thousands of interested users. They are offering 9666 blockchain pixel bats which were creatively directed by Ozzy Osbourne himself. Sutter Systems has done a great job of cultivating this popup community and they have achieved lots of hype for this offering. What they have not provided up to this point is a solid date and time of when the minting will take place. Instead, they have stated that this information would come directly from their communication channels. They also have told users to be wary of Discord DM scams and to disable DMs altogether.

I am still, very much, a casual web3 participant and user of Discord. In the back of my mind, I knew I should be wary of DMs but for whatever reason, I easily fell for this well-produced scam this morning. Will I fall for another DM scam? Probably not. It’s an expensive mistake. Is attempting to warn users about scams and telling them to disable DMs on Discord a good enough solution? I don’t think so. How can Discord, the product we’re creating communities around, be one enabled feature away from easily scamming casual users? And what can we do to prevent this?

There is so much hype and urgency around NFT projects like CryptoBatz. This is due to the general perception of worth that surrounds web3. If 25k users are interested in a bat but only 10k are available, that must be worth something, right? I’ll let you contemplate that on your own time. The large issue I see here is that CryptoBatz has built up the hype around its offering but has not provided a clear timeline of minting. It is this moment of increased awareness and interest that is ripe for scamming. All a scammer needs to do is register a domain which is very similar to your campaign domain and start sending DMs to users who have signed up for your Discord community. It is so fucking simple.

So, what can we do?

Well, for one, I would strongly recommend holding off on your campaign announcement until you have a rough idea of when the mint will take place. If a user has a general future timeframe in mind, I think it will help them better process these potential scams. Bonus points if your mint happens closer to the point of announcement.

I won’t share the domain of the actual scam here but “cryptobatz” was included in the URL. I’ll just say it was one letter off of the official cryptobatz.com website. If your campaign is increasing in popularity, I would suggest registering as many of the top-level domains as you can to protect your campaign from spoofing.
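A community moderator or a cautious user can automate the "one letter off" check before anyone clicks. The sketch below is an added example, not code from CryptoBatz or Discord: it compares every hostname label in a message's links against the official cryptobatz.com and flags near-misses. The sample DMs and the `.example` hosts are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

OFFICIAL = "cryptobatz.com"       # official site named in the post
BRAND = OFFICIAL.split(".")[0]    # "cryptobatz"
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for one URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is lowercased
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    for label in host.split("."):
        # Brand embedded in another name, or a label one edit away from it.
        if BRAND in label or edit_distance(label, BRAND) <= 1:
            return "lookalike"
    return "unrelated"

def flag_message(text: str) -> list:
    """Classify every http(s) link found in a message body."""
    return [(u, classify_link(u)) for u in URL_RE.findall(text)]

# Constructed sample DMs; the .example hosts are placeholders, not real sites.
SAMPLE_DMS = [
    "Early mint is live, 550/666 gone! https://cryptobats.example/mint",
    "Official announcements: https://cryptobatz.com/",
    "Claim here https://cryptobatz.com.mint.example/connect",
]

if __name__ == "__main__":
    for dm in SAMPLE_DMS:
        print(flag_message(dm))
```

A distance threshold of 1 matches the case described here; it will not catch Unicode homoglyph hosts, which need a separate check.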

Educating users on the shortcomings of the Discord DM system is something but that solution simply doesn’t scale. The larger your NFT campaign hype becomes, the more likely it will become the target of scammers and some of your potential holders will become the victim of scams instead. Looking closely at the scam I fell for, I know hundreds of other users did also. If the Discord DM feature is the main vehicle for web3 scams, I think we need to ask ourselves why the hell we’re using this product to manage our communities. I know if I was managing the NFT campaign of a large artist like Ozzy, I would be very wary of this reality.

If an NFT campaign chooses to build hype and keep their mint date cryptic, I think it is their responsibility to immediately inform interested users of scams. I also think this communication must extend beyond that of a Discord announcement for those users who may only casually use that app. In reality, it is probably wise to get an email for all of these interested users anyway.

Finally, I do not think it is out of the question to set aside a small portion of the NFTs for users who have been scammed. Similar to a bug bounty, I think users who provide immediate knowledge and details of a scam should be rewarded. This will prevent future users from falling for the scam and instead offer them a financial opportunity to participate in the minting.

Crazy, but that’s how it goes.

