
Guard Your Web3 Wallet With InfoSec Skills

Adopting a Security Mindset Keeps Scammers Out

Article by d0wnlore

If you have used X to participate in the Crypto Twitter (CT) community for any length of time, you have likely seen scams involving airdrops, MetaMask support, MEV bots, and more. It certainly seems as though crypto gets inundated with the lion’s share of scams on the platform.

Much of the reason our community is such an attractive target for scammers is the lack of security controls, but a large part comes down to users’ own self-discipline. In many cases we are the ones with custody of our assets, so their safety is largely determined by our own security mindset.

Our industry is working hard to address security through technologies like multi-sigs, transaction simulation, and drainer-site detection, but we can also protect our assets today by addressing personal security practices.

Although it does happen, you rarely hear about information security (InfoSec) practitioners in our community falling for these scams. But why is that? As someone who has done InfoSec work both in TradFi and crypto for the past few years, I attribute it to a security mindset that rarely turns off, helping InfoSec practitioners shrug off attempts at digital theft.

Nobody is born to be an InfoSec savant or have god-like hacking skills. These skills can be developed by anyone willing to put in the time and effort. There are four important skills that those working in this field possess and that you should consider adopting to keep your digital assets safe:

  1. Pattern Matching

  2. Preparation

  3. Skepticism

  4. Second-order Thinking

Pattern Matching

Intuit their flaws. Connect the dots.

Pattern matching is the ability to pick up subtle signals from unorganized data or malicious content. It enables you to apply a mental filter that catches the tell-tale signs of a scam that the operators hope you will miss.

As you gain exposure to both legitimate and malicious crypto content, you build up street smarts similar to an InfoSec practitioner’s, enabling you to intuitively suss out scams rather than relying on others or on tools (although these can certainly be useful too).

Here are some patterns to watch out for:

  • Scammers frequently use fake X accounts to post crypto scams. They rely on people not noticing small changes to the user name and will often post scam links in a reply thread to the legitimate account, as happened in the example below.
    You can see there are subtle differences; always check the details and cross reference with other sources before you interact with any account posting such links.

  • FOMO energy will be used against you, such as saying that an airdrop can only be claimed in the next hour or that most of the airdrop has already been claimed. Anything posted with a strong sense of urgency should be treated as suspicious and probably ignored.

  • Using top-level domains (TLDs) that legitimate projects rarely use: scam projects are more likely to use TLDs like .claim, .gift, .ru, etc.
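
The three patterns above can be turned into a small filter that scores a post before you act on it. The code below is an added example, not code from the original article or from any project it mentions; the list of followed handles, the urgency phrases and the sample posts are constructed, and the suspicious TLDs are the ones named above. It folds look-alike characters before comparing a handle to the accounts you follow, checks the TLD of every link in the post, and looks for urgency wording, then gives a verdict per post.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Handles you actually follow and have cross-referenced (constructed list).
KNOWN_HANDLES = {"metamask", "uniswap"}

# Characters commonly swapped to build look-alike handles. Both the known
# handle and the candidate are folded through this table before comparing.
CONFUSABLES = str.maketrans({"0": "o", "1": "i", "l": "i", "_": "", "-": ""})

# TLDs the article names as rarely used by legitimate projects.
SUSPICIOUS_TLDS = {"claim", "gift", "ru"}

# Urgency phrasing of the "claim in the next hour" kind (constructed list).
URGENCY_PATTERNS = (
    r"\bnext \d+ (hour|hours|minute|minutes)\b",
    r"\b\d+ (hour|hours|minute|minutes) left\b",
    r"\b(already|almost) (claimed|gone)\b",
    r"\bclaim now\b",
    r"\blast chance\b",
)

URL_RE = re.compile(r"https?://[^\s)\]]+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_handle(handle: str) -> str:
    """Lower-case, strip the @ and collapse confusable characters."""
    return handle.lower().lstrip("@").translate(CONFUSABLES)


def lookalike_of(handle: str) -> Optional[str]:
    """Return the known handle this one imitates, or None when the handle
    is itself a known account or resembles none of them."""
    bare = handle.lower().lstrip("@")
    if bare in KNOWN_HANDLES:
        return None
    folded = fold_handle(bare)
    for known in KNOWN_HANDLES:
        # Identical after folding, or one character insert/delete/swap away.
        if edit_distance(folded, fold_handle(known)) <= 1:
            return known
    return None


def suspicious_links(text: str) -> List[str]:
    """Links in the post whose TLD is in the suspicious set."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            hits.append(url)
    return hits


def urgency_hits(text: str) -> List[str]:
    """Urgency patterns that match somewhere in the post."""
    return [p for p in URGENCY_PATTERNS if re.search(p, text, re.IGNORECASE)]


def score_post(handle: str, text: str) -> Dict[str, object]:
    """A spoofed handle or a suspicious link is enough on its own to call
    the post a likely scam; urgency language alone only earns a warning."""
    spoof = lookalike_of(handle)
    links = suspicious_links(text)
    urgency = urgency_hits(text)
    if spoof or links:
        verdict = "likely scam"
    elif urgency:
        verdict = "suspicious"
    else:
        verdict = "no signals"
    return {"spoofs": spoof, "suspicious_links": links, "urgency": urgency, "verdict": verdict}


# Constructed sample posts: a legitimate announcement, a spoofed account
# replying with a scam link, and a real account using urgency language.
SAMPLE_POSTS = [
    ("@Uniswap", "Docs for the new release are up: https://docs.example.org/release"),
    ("@Unlswap", "Only 1 hour left, claim now: https://uniswap-airdrop.claim/go"),
    ("@MetaMask", "Claim your tokens in the next 2 hours: https://app.example.org/"),
]

if __name__ == "__main__":
    for handle, text in SAMPLE_POSTS:
        print(handle, score_post(handle, text)["verdict"])
```

The handle check is deliberately loose (an edit distance of one after folding) because that is exactly the change scammers rely on you not noticing; a hit is a prompt to cross-reference the account, not proof on its own. The TLD and urgency lists are the place to encode the cues you pick up over time, and, as the next paragraph says, they need pruning when they stop matching what you actually see.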

Keep It Real: We live in a time when the security cat and mouse game is rapidly progressing, making the cues you have learned less useful and introducing errors into your analysis. Try to pay attention to when your old patterns are no longer helpful.

Preparation

Wield various tools. Expect the unexpected.

Preparation strengthens your ability to handle life’s curve balls. It enables you to creatively problem solve to reach the optimal end. The tools you prepare can be reused during future events, making you more efficient and ready for anything.

InfoSec practitioners are like pack rats when it comes to preparing for possible engagements. They collect information from data breaches, scripts to use when attacking or defending a target, and other digital artifacts. They also try to identify ways their existing tools can help them better prepare, such as taking advantage of hidden features in a security tool that most people tend to ignore.

Identify areas in your daily tasks that you can use as a resource to verify information and improve the health of your wallets:

  • Follow established X accounts so you can use the 'Followers you know' feature to quickly tell if an X account with a new, amazing offer is likely spoofing another account.

  • Bookmark the dApps you frequently use so you know the link is safe, and use a variety of sources (X accounts, Discord channels, non-sponsored search results) to verify the dApp URL you should be bookmarking.

  • Set and follow rules for how and when you use your wallets, such as not signing any transactions with high-value wallets if it is late at night or you are distracted.

Keep It Real: Over-zealous preparation may encourage an unhealthy and time-consuming obsession with hoarding tools and techniques for very unlikely situations.

Skepticism

Shrug off rhetoric. Put claims through trial.

Skepticism smooths out the 'we’re-so-back' peaks and 'it’s-so-over' troughs when offers or ideas are presented to you. It enables you to critically examine claims and apply tests to verify or disprove them, irrespective of marketing hype or peer pressure.

When looking at the security of smart contracts, many will assume that a recently audited smart contract is safe, even if there have been minor changes in important code paths since the last audit. InfoSec practitioners would be skeptical of this and assume that, until a new audit has been done that tests these minor changes, the contract is best considered unaudited.

Indeed, there have been many cases where supposedly minor changes to an upgradable smart contract or protocol led to an eventual hack, so it’s important to test the claims made by a protocol or party whenever any variables change or were unknown until now.
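
One concrete way to apply that skepticism is to pin the audit to the exact files it covered and re-check them before trusting the deployment. The code below is an added example, not from the original article or from any audit firm or project; the source files and the "minor" post-audit edit are constructed. An audit manifest records the SHA-256 of every in-scope file at audit time, the current sources are hashed the same way, and the contract counts as audited only if nothing in scope changed, was added or was removed.

```python
import hashlib
from typing import Dict, List


def sha256_hex(text: str) -> str:
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_manifest(sources: Dict[str, str]) -> Dict[str, str]:
    """Hash of every in-scope file, recorded at audit time. In practice this
    would be generated from the audited commit and kept with the report."""
    return {path: sha256_hex(content) for path, content in sorted(sources.items())}


def audit_drift(manifest: Dict[str, str], current: Dict[str, str]) -> Dict[str, object]:
    """Compare the current sources against the audited manifest. Any changed,
    added or removed in-scope file means the audit no longer describes the
    code that is deployed, so 'audited' is False."""
    changed: List[str] = sorted(
        p for p, h in manifest.items() if p in current and sha256_hex(current[p]) != h
    )
    removed = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return {
        "changed": changed,
        "added": added,
        "removed": removed,
        "audited": not (changed or added or removed),
    }


# Constructed sources as they were at audit time.
AUDITED_SOURCES = {
    "contracts/Vault.sol": (
        "function withdraw(uint256 amount) external {\n"
        "    require(amount <= balances[msg.sender]);\n"
        "    balances[msg.sender] -= amount;\n"
        "    payable(msg.sender).transfer(amount);\n"
        "}\n"
    ),
    "contracts/Token.sol": "contract Token { }\n",
}
AUDIT_MANIFEST = build_manifest(AUDITED_SOURCES)

# Constructed sources after a "minor" post-audit edit (one added event emit)
# to the withdraw path. The check does not judge the edit; any change to an
# audited file is enough to drop the audited status.
CURRENT_SOURCES = {
    "contracts/Vault.sol": (
        "function withdraw(uint256 amount) external {\n"
        "    require(amount <= balances[msg.sender]);\n"
        "    balances[msg.sender] -= amount;\n"
        "    payable(msg.sender).transfer(amount);\n"
        "    emit Withdrawn(msg.sender, amount);\n"
        "}\n"
    ),
    "contracts/Token.sol": "contract Token { }\n",
}

if __name__ == "__main__":
    report = audit_drift(AUDIT_MANIFEST, CURRENT_SOURCES)
    print("audited:", report["audited"])
    for kind in ("changed", "added", "removed"):
        if report[kind]:
            print(f"{kind}: {', '.join(report[kind])}")
```

For an upgradable contract the source check alone is not enough, because a proxy upgrade swaps the implementation without touching the repository; the same idea extends by also recording the implementation address (or deployed bytecode hash) at audit time and treating a mismatch the same way as a changed file.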

Keep It Real: Skepticism can lead you down a dark road of pessimism, making you habitually disregard any opportunities before you or just make you intolerable to be around at parties.

Second-Order Thinking

Foresee the long tail. Avoid ruinous paths.

Second-order thinking helps you map out the potential consequences of present choices. It enables you to conceptualize the forks in the road, and the forks beyond those, and so on, helping you avoid dead ends that could lead you to mediocrity or ruin.

By thinking this way you become more aware of the risks and rewards that you may have to later confront. InfoSec practitioners routinely engage in this type of thinking, whether it’s to fully audit a smart contract or to reach an optimal level of privacy and security.

Let’s use a simple example of deciding whether to claim an unfamiliar token airdrop via a link you just saw posted on X. Once you weigh up the first- and second-order consequences, you may decide it’s not worth the risk:

  • Reward: Gain tokens from the airdrop

    • Reward: Can use tokens to wield governance powers

    • Reward: Can sell tokens at a profit 

    • Reward: Can stake tokens to qualify for other airdrops

  • Risk: May have to fulfill further criteria to claim the airdrop

    • Reward: Gain tokens from the airdrop

      • Reward: Can use these tokens to wield governance powers or sell at a profit

    • Risk: Spend more time fulfilling the criteria than the tokens are actually worth

  • Risk: Lose tokens from the airdrop that turned out to be a scam

    • Reward: Gain some humble experience from having been scammed

    • Risk: You may lose time having to ask the public or CEXs to help you recover or freeze the tokens

      • Reward: Receive some of your tokens back

      • Risk: Lose more tokens, and time, to a token recovery service scam

Keep It Real: Second-order thinking may overwhelm your mind in analysis paralysis after asking yourself “and then what?” too many times.

Put Those Skills to Use

While the focus here is using these InfoSec skills to protect your digital assets, they can also guide your approach in other areas of your life.

Second-order thinking is likely already familiar to investors or entrepreneurs, as this is a mental model they often use to help make key decisions.

Scams and fake news are growing outside of our crypto village as well. Having a baseline level of skepticism can help you shrug off attempts at stealing your fiat wealth or see through weak arguments made in traditional or social media.


Author Bio

d0wnlore is a founding member of BanklessDAO's InfoSec Team and operates Protspec, a security UX studio building software and spreading education to help protect cryptonatives.

Editor Bios

trewkat is a writer, editor, and designer interested in learning about web3, with a particular focus on communicating this knowledge to others via IndyPen CryptoMedia.

Hiro Kennelly is a writer and cofounder of IndyPen CryptoMedia. He loves people, Moloch, and degenerative cryptoeconomics.

Designer Bio

trewkat is a writer, editor, and designer interested in learning about web3, with a particular focus on communicating this knowledge to others via IndyPen CryptoMedia.


This post does not contain financial advice, only educational information. By reading this article, you agree and affirm the above, as well as that you are not being solicited to make a financial decision, and that you in no way are receiving any fiduciary projection, promise, or tacit inference of your ability to achieve financial gains.


IndyPen CryptoMedia is open to submissions for publication. We’d love to read your work, so please submit your article for consideration!
