Welcome to Web3 Safety Education from the BACC Team
Welcome to the Bored Ape Cannabis Club!
We have documented a few safety guidelines to help all Web3 enthusiasts enjoy the Web3 experience with confidence that your Crypto and NFT valuables are secure and out of the grasp of relentless and increasingly creative scammers, who just don't care who they scam: their own grandmother, those in need, the less fortunate or the poor who are just trying to get by and maybe save a little.
Yes, some of this sounds a little extreme, but it's for a reason. As I said, these scammers are relentless and will at some point target you, so you need to do all that you can to prevent them from accessing your Crypto/NFT valuables. There are some things you can do to make it very difficult for them; if it's too much work, they'll move on to their next target.
This document isn't all encompassing, but it's a solid guide to get you started on a safe Web3 experience. The onus as always however is on you to make smart decisions and always be wary.
TL;DR doesn't apply here, you NEED to read this!
Hello BACC family. The Web3, PFP, NFT, and Crypto space brings us a whole host of investing opportunities; however, it also brings with it relentless hackers and scammers keen to rob you of your valuables, without regard and without remorse. Sadly, these people would steal from their own grandmother if they could make a buck. They are the lowest of the low and have no issues whatsoever taking whatever they can from the most needy or poor, so don’t think they won’t target you, because they will and do.
There are several key things you can do to improve your security when buying and selling NFT’s. Don’t FOMO, and don’t jump too quickly when you see something that looks too good to be true, because it is. Remember, nothing worth anything is free. Take the time to follow this guide and it will help keep your valuable NFT’s, Crypto and of course your highly valuable BACC NFT’s from being stolen. There can never be a 100% guarantee, but follow this guide and you’ll greatly reduce the risk.
The Do’s and Don’ts of Links
To Mint NFT projects or buy NFT’s, you will be directed to a web page or a URL link for that specific project’s minting site, or secondary marketplaces like OpenSea or Magic Eden. Links in Web3, however, can be extremely dangerous. The problem is that scammers can create fake links that look a lot like the real mint link you are expecting. These links can trigger a signature or approval transaction that allows them to take Crypto or your NFT’s out of your wallet. These fake links can also compromise your entire computer and expose your wallet’s private keys to the scammer so they can take everything out of your wallet.
Note that Binance/BscScan has a Token Approval Checker, just provide your public address and see which sites you have approved, and remove any questionable sites, it will cost you a little BSC in gas, but worth it: Token Approvals | BscScan. ETH and Polygon/MATIC have their own token approval removals, I have not been able to find one for Solana/Phantom Wallet that I trust, although I have found a Solana token revoke app in GitHub, I need to dig into the code and test it before I can recommend it... MTF.
Because of this, you need to be extremely careful of any link you click on. Here are some basic rules to follow:
a) In Discord, turn off “Allow Direct Messages from Server Members” in your privacy settings, as this is where a lot of scammers will try to target you with fake mint sites. Also, be extremely wary of any links to mint sites in Twitter. At first glance they might look legitimate, but they are not… you might see theboredaapecannabisclub.com (note the ‘aape’, did you see that?) or theboredapecannabisclubofficial.com (a lot of scammers add ‘Official’ to the URL) just like this one did on OpenSea: Note that our OpenSea link is https://opensea.io/collection/theboredapecannabisclub, while an OpenSea clone is using multiple links: https://opensea.io/collection/bored-ape-cannabis-club (with dashes) and https://opensea.io/collection/thebored-ape-cannabis-club (thebored, no space) and of course they are saying they are the Official site, THEY’RE NOT… also note that when you search, the search returns ‘TheBored Ape Cannabis Club’ (no space between The and Bored again) and another copy is using https://opensea.io/collection/bored-ape-cannabis-club (no ‘the’ and adding the dashes). If you really pay attention, you begin to see how really creative these scammers
b) Project owners and Admins will NEVER DM you directly and ask you to click on a link to verify your assets or mint a special mint.
c) Projects NEVER have surprise or free mints or discounted mints outside of what has been scheduled (there are a lot of these on Twitter) and announced in the official channels. If you see something that does not match the official scheduled event, then it is a scam.
d) Only click on links in the #Official-Links or #Announcements channels on Discord. Never click on links in your DM’s, general chat or from Twitter, Instagram or any other social media platforms.
e) Always closely inspect any URL’s that you are about to click on. If one single character looks off or there are double characters where there shouldn’t be, DO NOT click on it. It is your responsibility to DYOR on those links to make sure they are valid and match the project links that you are expecting.
f) Most links on social media platforms like Twitter are highly dangerous. Scammers will try to DM you about something like a competition, early access to mint, free mints or a special giveaway. It is important to note that almost all of these DM’s and their links are scams. Do NOT FOMO into these links!
g) Scammers are always watching general chat and will pretend to be someone trusted in the community, like an admin, and contact you after you ask a question or ask for help on something. Remember, never trust anyone reaching out to you in DM’s unless you know exactly what it is about, can verify the person’s identity and were expecting the DM.
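The link inspection described in rules a) and e) can be partly automated. The following is an added example, not part of the original guide: it compares a link against the one official OpenSea link published above and flags names that only differ by dashes, doubled letters or an added ‘official’. The function names, the 0.85 threshold and the "unrelated" sample URL are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# The official link published in this guide, as (host, path).
OFFICIAL = {("opensea.io", "/collection/theboredapecannabisclub")}
PROJECT = "theboredapecannabisclub"   # name as it appears in the official link
THRESHOLD = 0.85                      # assumed cut-off for "confusingly similar"

def skeleton(text):
    """Reduce a name to what the eye sees: no dashes, no 'official', no doubled letters."""
    s = re.sub(r"[^a-z0-9]", "", text.lower()).replace("official", "")
    return re.sub(r"(.)\1+", r"\1", s)

def classify(url):
    """Return 'official', 'lookalike' or 'unrelated' for a link."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower()
    if (host, parts.path.rstrip("/")) in OFFICIAL:
        return "official"
    # Every host label and path segment is a place a copied name can hide.
    target = skeleton(PROJECT)
    for piece in filter(None, host.split(".") + parts.path.split("/")):
        if SequenceMatcher(None, skeleton(piece), target).ratio() >= THRESHOLD:
            return "lookalike"
    return "unrelated"

# Links quoted in the guide, plus one constructed unrelated link.
SAMPLES = [
    "https://opensea.io/collection/theboredapecannabisclub",
    "https://opensea.io/collection/bored-ape-cannabis-club",
    "https://opensea.io/collection/thebored-ape-cannabis-club",
    "theboredaapecannabisclub.com",
    "theboredapecannabisclubofficial.com",
    "https://opensea.io/collection/some-other-project",  # constructed
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):10} {link}")
```

Only an exact match counts as official; a "lookalike" result means the link borrows the project name without being the published link, which is the pattern the clones above follow.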
3. Wallet Setup
So you now know what to do and what not to do with links, however there still may be times when you want to click on a link from a new project and mint an NFT you think is legitimate. Even links from legitimate Discord server channels can be scams, so be careful. Often a whole project can be a scam or “Rug”. It can be hard to tell sometimes and some seriously legitimate looking sites can still be Rug Pulls. So, make sure you do a heap of research on a project and who the founders are before minting, do not FOMO! After you’ve done your research and are ready to mint, this is where wallet setup and security becomes super important. To be safe in Crypto you need multiple wallets for different purposes. If you follow these tips on setting up these wallets, this will keep you safe in almost all cases and prevent your valuable NFT’s and Crypto from being stolen:
3.1 Wallet Basics:
3.1.1 Hot Wallets and Burner Wallets
Hot or ‘Burner’ wallets are an effective way of limiting your risks when interacting with untrusted projects or new mints. Having a burner wallet is 100% essential in terms of setup, so you definitely need at least one burner wallet to operate safely in the Web3 space.
Setting up your ‘Burner’ wallet:
a) First and always… NEVER give out your wallet Seed Phrase to anyone EVER!!!
b) If you are going to mint from a new project website, particularly one you do not 100% trust, NEVER connect your wallet that contains your valuable NFT’s or Crypto holdings to this site.
c) To mint new projects, create a ‘hot’ or ‘burner’ wallet in MetaMask, Phantom or other wallet of choice. This is a MetaMask (for example) wallet installed on a separate device or in a different web browser and has its own separate Seed Phrase.
d) Example 1: If you have a primary MetaMask wallet installed under your Chrome browser, download another web browser like Brave or Firefox and install the MetaMask Extension in that new browser. Make sure when creating the new ‘burner’ wallet that you set it up as a new wallet with its own separate seed phrase.
e) Example 2: If you have your primary MetaMask wallet working as an app on a phone, install MetaMask on another device like a laptop and set up this ‘burner’ wallet as a new wallet with its own separate seed phrase.
f) Do not create this ‘burner’ wallet as an additional account under the same MetaMask used for your primary wallet. A secondary account on the same MetaMask installation as your primary wallet can be recovered from the same seed phrase used by the primary account. So, if they hack the wallet in your accounts list, they can get at the others.
g) When minting a new project, always use the burner wallet. Only put enough ETH (or other Crypto) in this burner wallet for the mint you are doing. If for some reason the wallet is compromised, then your losses are limited to the small amount of ETH in the wallet.
a) Hardware wallets store your private keys off of your computer on a physical device and stop hackers from gaining access to these keys if your computer is hacked. Get at least one Ledger that you can use as a safe place to store your valuables. A Ledger Nano S Plus is perfect for
b) When buying a Ledger, only order from Ledger.com. Never order a Ledger from Amazon or a third party website, as these may have been opened and someone else may have the Ledger’s private key already. Always check that the Ledger you received is still wrapped in plastic and unopened. When you set up the Ledger for the first time, make sure in Ledger Live that the Ledger wallet passes the Genuine Ledger Check.
c) Once you have set up this wallet, NEVER mint or connect to untrusted Web3 apps or websites from your Ledger/Trezor. Even though your private keys are stored offline, if you approve a transaction from a fake mint link or bad project, they will still have access to remove valuables from your Ledger. So, hardware wallets are not 100% guaranteed against being hacked, they just make it harder for people to get your private keys. Ultimately, it is up to you to not click on bad links, which is why we have the burner wallet mentioned above. Any mints and any new or untrusted contract interactions should be done from that burner wallet, not your Ledger.
d) As soon as you mint an NFT that has value, and you are sure it is from a safe project, you should move the NFT from your burner wallet to your trusted/hardware wallet.
e) If you cannot afford a Ledger or Trezor, you should at least set up a new MetaMask wallet as a trusted wallet with its own seed phrase. However, this is not nearly as secure as a hardware wallet, as the private keys for this wallet are stored on your computer. So, hackers can potentially get your private keys if they can hack your PC or phone. I highly recommend getting a Ledger Nano S Plus.
f) Even trusted projects can be compromised, so try to only perform basic functions from your Ledger hardware wallet like selling NFT’s on OpenSea or staking from a trusted project like BACC. Some people even like to have an ‘Ultra Cold’ hardware wallet that never connects to a smart contract or marketplace. You can use this ultra-cold wallet to store Crypto or NFT’s you want to hold for long periods of time or are unlikely to sell in the short term.
g) To mitigate any risk, if you have lots of valuable NFT’s and Crypto, it is good to use multiple Ledger wallets and split your assets over several different hardware wallets. An option is to put Crypto on one wallet and NFT’s on another. If you have lots of valuable NFT projects, you can even dedicate different Ledger wallets to specific NFT projects, for example, you could have a dedicated Ledger wallet for all of your BACC NFT’s.
4. Password Security Management
As some final advice, always make sure your phone, computer and wallets like your MetaMask or Phantom auto-lock after a few minutes of inactivity. Also make sure any passwords on your phone or computer are strong passwords with upper/lowercase combinations including numbers and special characters. This will make it harder to break into your device or wallet. If you have trouble remembering all of these passwords like I do, save them in a password manager on your phone or download an encrypted password manager like 1Password or BitWarden to save your computer passwords in. Also, try not to use the same password in multiple locations.
5. Final Thoughts
This comes from our years of experience and trial and error, and yes, full disclosure, we have been scammed and rug pulled before, live and learn! I hope this helps people with the basics on how to stay safe in the Web 3 world and allows you to make smart decisions to mint and hold on to your hard-won gains. Remember that not taking any action on this is basically like leaving the keys in the car and the doors unlocked, and asking someone to come and try to steal your car. Education is the key in this space to surviving and thriving in Web3. If you don’t understand anything in this document, please reach out to one of the admins or knowledgeable members in BACC and ask questions to make sure you do understand, it is critical to your survival in Web3. There is no such thing as a bad question, other than the one that goes unasked, and it might just save you making a mistake that costs you everything.
All this sounds very grim, because it is. As I said earlier, there are scammers out there with no care about anyone other than themselves; they would cold-heartedly steal their grandmother’s last dime without blinking and walk away happy! Sick as that sounds, it happens. They are out there and they will target you at some point.
Remember to come in and actively participate in our VC’s, Twitter Spaces and Discord channels to learn from all the great community members we have.
All the best,
The BACC Team.