How To Check Your Cardano Wallet For Scam Tokens

And what to do with them…

One common blockchain scam looks like this: the scammer sends an unsolicited Token or NFT to your wallet. If you have been playing around with DeFi, interacting with new projects, or grabbing new tokens at DripDropz.io, you might have dozens of silly tokens in your wallet – a couple of extras COULD blend right in!

Making it even trickier, the scam tokens will usually mimic a legitimate brand. They usually have some enticing language like “Reward token” or “Bonus Air Drop!” Most notably, they will also have a website URL printed somewhere on the image of the token or in the metadata. The linked website will be a convincing doppelganger of the brand they are mimicking - same colors and some of the same content! However, if you do some looking, you will find they are always copycats. For example, a scam token might have “lidonation.io” listed as the website, instead of the correct website, lidonation.com.

The scam website will invite you to connect your wallet to receive a reward, or something similar.

This, need I say it, is the point of danger. If you connect your wallet AND sign a transaction, you will inevitably be signing away the full contents of your wallet.

It should be noted that Cardano is built with security in mind, so you really have to go “all the way” in order to fall victim to this scam. Merely visiting the website is probably not harmful, although I’d suggest we not give them the web traffic. Even connecting your wallet isn’t inherently dangerous. You must SIGN a transaction in order to give them all your money – and if you READ THE TRANSACTION, you would be able to see that this is happening before you sign. Thus, the bottom line for avoiding disaster is the same for all scenarios, whether they start with a scam token or not: ALWAYS READ transactions before you sign them.

The clues described here are probably enough that you can start identifying scam tokens if they show up in your wallet. But, like the spam filters in your Web2 email inbox, Web3 service providers are also stepping up to the plate to help make blockchain more safe. If you view your wallet on Pool.pm, scam tokens are helpfully labeled! This is how I became aware of the scam tokens in my wallet.

pool-pm-scam-tokens

Pool.pm

If you haven’t used Pool.pm, there are a few ways to find your wallet there. Here are two paths to try:

From your wallet, copy your Stake Key. On Pool.pm, paste your stake key into the search to go straight to your wallet. If you know the ticker id of the pool you are staked to, enter that in the search. For example “LIDO.” Click on the matching search result to go to the pool page. At the top of the pool page, you will see the total amount of ada staked to that pool. Click on that number to open a page that shows ALL of the wallets staked to that pool. They are ordered from largest to smallest by ada value. Find the wallet with the amount that matches your wallet balance, and click it to open.

The first path above is obviously more direct, but I usually get to my wallet the second way … it only takes a few more seconds, but the journey itself can be interesting. As I click through the steps, I’ll be paying a quick visit to my stake pool, seeing the blocks they’ve minted recently. I will pause to survey my fellow stakers and see if any new whales have arrived. Since the internet was made for creeping, I might take a peek in their wallets too. (“Excuse me sir, I couldn’t help but notice you have some scam tokens in your wallet!”)

pool-pm-screenshot

Why me?

You might be wondering how or why you got these scam tokens; did you already do something wrong? And the answer is no, you haven’t done anything wrong – yet. A blockchain wallet is no more private than your email inbox. In fact, it’s a lot LESS private. As you noticed when you were surfing around Pool.pm, you can look inside ANY wallet. If they happen to have an $adahandle or other NFT that you recognize, you might even know whose wallet it is – without being any kind of blockchain wizard. Sending someone an NFT they didn’t ask for is really easy, so it’s a lot like the spam and scams that you have been dealing with in your email inbox for decades.

An interesting differentiator is that on Cardano, it’s relatively expensive for the scammers to engage in this kind of phishing expedition. Every NFT that is sent must have ~1 ada ATTACHED to it – plus transaction fees. If we all get educated and stop taking the bait, these scams could hopefully go out of fashion, since the bait is so pricey!

If you were reading carefully, you may have noticed something interesting in what I just said – the scam tokens in your wallet actually have some money attached to them…

Now what?

So if you find a scam token in your wallet, what should you do?

Option 1: Ignore it

The scam tokens in your wallet can’t do anything by themselves. They don’t give the scammer a portal into your wallet, and no super hacker can drain your wallet without you participating in the transaction.

However, I’m inclined to get rid of them. I’d rather just see my own familiar tokens and NFTs when I look in my wallet, not scams. Also, since I know that other people might sometimes look at my wallet, leaving the scams in there is like giving them free ad space on my wall.

Option 2: Unlock the ada!

Getting rid of scam tokens has the first benefit of getting it out of your wallet, and the second benefit of unlocking the ada that was attached to them!

The tip that I heard and tried this week was to send the scam tokens to my CEX (Centralized Exchange) wallet. I use Coinbase; I have heard that this works with Binance as well. What you do is simply bundle all your scam tokens into one transaction, and send them to your CEX wallet. You’ll have to include some minimum amount of ada in the transaction as well, but since you are sending it to a wallet you own, it’s still your money. The only money you will be “spending” on this process is the transaction fee, which will be less than 1 ada. When I did it, I sent 7 scam tokens along with 2 ada. After the transaction was processed and UTXOs were sorted, almost 6 ada was returned to my Cardano wallet. Thanks scammers!

pool-pm-screenshot

I sent 2 ada plus 0.18 ada tx fees to my Coinbase account, along with 7 scam tokens. The 2 ada and the scam tokens were sent to Coinbase. 5.8 ada that was released from the scam tokens was returned to my Cardano Wallet.

Burn wallets as a service?

On social media feeds and posts discussing this topic, you will see people posting the addresses of other “Burn Wallets” that you can send your scam tokens to. On Cardano, you cannot simply “burn” a token unless you are the owner of the token with the appropriate minting/burning policy and token keys… So these wallets won’t really burn anything, but you can think of them like public trash cans being offered to contain the garbage. They are often posted with an $adahandle wallet address, making them easy to use and remember.

If you don’t have a CEX account or don’t want to use it for this, you can certainly use one of these. The ada that is released from the scam tokens will be returned to your wallet, same as if you sent it to a CEX. However, you will also be sending the minimum ada amount to a third party wallet, and you won’t get it back. For this reason, my quibble with these “services” is that many are not entirely up-front about the fact that they stand to benefit from it. If hundreds of users send in their scam tokens, the minimum ada that comes with each transaction will add up to real money!

I have also seen some offerings where they are upfront about the money aspect, and claim that all proceeds go to a charity or other good purpose. I appreciate that they are being transparent about the money, but more follow up would be required to understand and audit whether the money is being used for the intended purpose. If you see a garbage wallet being offered by a community member you know and trust, or for a cause you want to support, I think it’s fine to use it since the amount of ada you would be “donating” is minimal in any case. It’s just worth being aware that these are not necessarily a totally selfless public service, and you might want to be conscious of who you are sending money to.

Conclusion

“Who is going to believe a con artist? Everyone, if she is good.” –Andy Griffith

The rules of engagement are the same for crypto as they are with other kinds of money: You generally can’t get something for nothing. If it seems too good to be true, it probably is… etcetera.

Last but not least: learn how to carefully read every transaction before you sign it!

“An investment in knowledge pays the best interest” - Benjamin Franklin

Thanks go to Pete at the Learn Cardano Podcast https://learncardano.io/ and on X @astroboysoup for surfacing this tip! Thank to @Smaugpool for the endlessly useful https://pool.pm/ tool!

Get more articles like this in your inbox

Was the article useful?

Or leave comment

No comments yet…

close

Playlist

  • EP2: epoch_length

    Authored by: Darlington Kofa

    3m 24s
    Darlington Kofa
  • EP1: 'd' parameter

    Authored by: Darlington Kofa

    4m 3s
    Darlington Kofa
  • EP3: key_deposit

    Authored by: Darlington Kofa

    3m 48s
    Darlington Kofa
  • EP4: epoch_no

    Authored by: Darlington Kofa

    2m 16s
    Darlington Kofa
  • EP5: max_block_size

    Authored by: Darlington Kofa

    3m 14s
    Darlington Kofa
  • EP6: pool_deposit

    Authored by: Darlington Kofa

    3m 19s
    Darlington Kofa
  • EP7: max_tx_size

    Authored by: Darlington Kofa

    4m 59s
    Darlington Kofa
0:00
/
~0:00