7 Basic Rules of Aptos Crypto Security

Every few days, we get chat messages from Pontem users who got scammed or lost money. 99% of such situations can be easily avoided if you follow a few simple rules. Write them down, learn them by heart – and hopefully you’ll never fall victim yourself.

Rule1: Never give your seed phrase to ANYONE

Scammers lurk in any crypto project’s community. They use the same nicknames and avatars as the real moderators or team members, and will do anything they can to trick you into sharing your seed phrase or private key. Our admins ban dozens of these fake admins every day!

The most common scheme is to DM you after you message in the support chat. Someone with the same name and profile picture as a team member, or a similar name like“Pontem Network Support'' will reach out and offer to help you solve the issue. THIS IS A SCAM.

Whatever that person asks you to do, (an “authentication”, for example) don’t do it. Don’t click on any links and don’t download any files they send you.

Team members/admins never DM community members.

Another real example from Pontem chat: a user reported an issue with displaying NFTs in the wallet. A scammer immediately contacted them and suggested that they do a ‘temporary validation’ in a separate chat. Luckily, the user didn’t fall for this.

Also, don’t trust “well-meaning” users who sympathize with your problem and suggest that you write to the same person who had supposedly helped them to resolve the same problem. It’s just another social engineering technique.

EXTREMELY IMPORTANT

Make sure to save your secret phrase (seed, mnemonic) when you create a wallet. If you lose access to your device, you'll need the seed to restore the wallet. 

Pontem is a non-custodial wallet, so we won't be able to help you if you lose the secret phrase. You are the only one responsible for your mnemonic and private key. So write it down on a piece of paper, save them on a USB stick, anything - but do save it!

Rule 2: Beware of phishing

Phishing is when a scammer pretends to be a legitimate institution in order to access your sensitive data. This often occurs through the use of fake URLs, which trick victimes by looking legitimate.

1. If a website or dApp promises “high yields” or “DeFi investments” and asks you to enter your private key or mnemonic, it’s a scam. No legitimate dApp or DeFi protocol needs to know your seed phrase, ever. As soon as you enter it, your funds will be gone.

2. Don’t click on sponsored results (ads) in Google, because they often lead to phishing sites.

Scammers often create a website with a nearly identical address as that of a real wallet or protocol, then run ads for it to make it appear at the top of Google Search results. In this example, the fake site is phanton.app, while the real one is phantom.app - a difference of just one letter.

Scammers hope that users will click on the sponsored result and try to import an existing wallet using their seed phrase - all without checking the address.

Another one: “tyniman” instead of “tinyman” in the address. Credit: @angry_penguins1

Always double-check that the address is correct - down to the  letter. Watch out for tricks like substituting an “l” for “i”. Better still, use the link on the project’s official Twitter page or Discord to access the website.

4) Learn to recognize phishing emails

The real team of Pontem, MetaMask, or another major project will never send you an email saying that your funds are at risk, that you need to pass a KYC, etc. Those are phishers trying to manipulate you into entering your seed phrase.

Think about it: we don’t collect your email address when you create a Pontem wallet, so how would we be able to send you an email? Please report such scam emails to the project team.

Rule 3: Treat any airdrop offer as a probable scam

Fake airdrops are likely the most common crypto scam, because who doesn’t like free money? A fake airdrop can even have a website that looks completely legit, with an address that almost matches that of the project’s real site.

You’ll be prompted to sign a transaction to “claim” the airdrop or “verify” the wallet. But what you’ll really be signing is a series of transactions to send your crypto to the scammer’s wallet. In the best case scenario, you’ll only lose the money spent on the mint.

Here’s a recent example of a scam “Mystery Box” mint impersonating the Topaz marketplace. The design has been copied from the real Topaz, but the address of the scam site is different: apt-topaz.com instead of topaz.so.

Even experienced investors and NFT collectors often fall for it: for example, Moonbirds founder Kevin Rose recently lost 40 NFTs worth $1 million. He signed a transaction that was supposed to claim an NFT but instead drained all the NFTs and tokens from the wallet.

By the way, just because an airdrop is posted on an official Twitter page or in the official Discord/Telegram doesn’t mean it’s real! Scammers often exploit projects’ social media accounts to post malicious links. (see Rule 5)Keep in mind:

• There is no Pontem token yet, so there is  no Pontem or PONT token airdrop.
• Aptos isn’t running any APT airdrops.
• There is no LayerZero token  or LayerZero airdrop.
• Any NFT mints we may do will be on Topaz, so no “Pontem NFT airdrops”, either.
• A token airdrop that happens on the wrong chain is almost guaranteed to be a scam. The same goes for IDOs. Scammers particularly like to launch “IDOs” and “airdrops” on BNB Chain (BSC), because it’s easy and cheap. There are already some fake PONT tokens on BSC, and one of them is even listed on CoinMarketCap.
• Anyone promoting an Aptos, Pontem, or LayerZero airdrop is a scammer! Unfortunately, Pontem’s moderators constantly have to ban scammers that join our Telegram and Discord to promote fake APT or Pontem airdrops. They even disguise themselves as bots and post “automatic” messages with malicious airdrop links.

In case of any doubts, post a screenshot in the official Pontem Telegram chat: https://t.me/pontemnetworkchat. Our moderators will tell you if a group or profile is real or a scammer.

Rule 4: beware of fake Telegram/Discord/Twitter accounts and groups

Only join Telegram and Discord groups using the official links on a project’s website, like so:

Don’t search for the project’s name in Telegram or Twitter. Phishers constantly create groups that copy the official design and have very similar names - for example, “pontemmetworkchat” or “PontemNetworkCommunity” instead of pontemnetworkchat.

Such fake groups usually try to lure users to disclose their seed (mnemonic) or private key, or to join malicious “airdrops”. They can have thousands of users (mostly bots), so a group’s size isn’t a sign of legitimacy, either.

Rule 5: remember that an official account can get hacked

We’ve already touched on this, but let us stress this again: a project’s Twitter, Discord, or Telegram account can get hacked and post scam messages. They also use social engineering, creating a sense of urgency to make people FOMO in without checking everything.

For example, the same scammer recently managed to hack the official Twitter pages of Azuki, Chimpers, and Mutant Hounds -- all popular NFT projects. In the case of Azuki, the fraudster posted a link to a fake website where users could ‘buy virtual land’ associated with Azuki. Needless to say, as soon as users approved the “mint” transaction in MetaMask, their crypto and NFTs disappeared.

In general, when dealing with crypto airdrops, triple-check everything before claiming. Is the airdrop confirmed on the official website, Discord, Twitter, and Telegram? Has anybody reported an official account getting hacked? If there’s even a shade of doubt, don’t touch it.

Rule 6: NEVER download .exe files from untrusted sources

This is a classic way to install a virus on your computer. In crypto, there are trojan viruses that run a deep search on your machine looking for a MetaMask seed phrase, password, or private key, then use it to drain the wallet and sell your NFTs,  all within minutes. You don’t even need to click on the .exe file to run it! Just downloading it is enough.

Criminals use lots of phishing techniques to make you download infected .exe files. For example, they often hack people’s emails and start sending out emails with a virus to all their contacts. Or they can pose as potential clients if you are a freelancer.

That’s what happened to the digital artist Josh Chavez. He was approached by a “musician” (actually a phisher) over Instagram DMs, who claimed to need cover art for a song. The scammer sent Chavez the song MP3 by email, accompanied by a link to a PDF file with background information. Note that  the “PDF” actually has a  .exe file type, which Chavez realized only after downloading it. The file self-executed, and Chavez’ wallet was soon empty.

Rule 7: Be careful with  browser extensions and wallet apps

3) Wallets get faked, too!

Fake wallets are sadly all too common, as well. For example, sincewhen the community is anticipating the release of an aAndroid iOS Pontem Walletwallet app for Android, scammers can quickly cooked up a fake that will steal your seed phrase as soon as you try to import a wallet.

Here is an example of a fake Pontem Wallet for Android that was reported by a user on Telegram.

If you want to know if a wallet is available for mobile, don’t use direct app store search or Google search, because you’ll get fakes. Ask in the official group or browse the official Twitter for announcements. If you come upon a fake app, do the right thing and- report it!

Rule 8: don’t use a compromised wallet

If you realize that you’ve interacted with a scam site or a hacked protocol, immediately create a new wallet with a different seed phrase. Then move all the assets (including NFTs) from the old one to the new one. DO NOT use the compromised wallet for anything.

Have you become a victim of a scam that isn’t described here? Then please let us know on Telegram, Discord, or Twitter, and we’ll add your report to this guide on Aptos security. As always,, please share your concerns about potential scams with the Pontem team.  We are  here to help!