How to Protect Yourself from Scams

Scams and hacks are an unfortunate reality of the crypto industry. It's important to stay alert and protect yourself and your non-refundable crypto assets from scammers and hackers. If you ever feel you have been the target of such an attempt or are currently targeted, please contact Polkadot Support.

DISCLAIMER: Key Security

One of the most attractive targets for malicious actors is your wallet's secret seed or the optionally exported backup JSON file. Keep them offline in a secure and private location. If you share these with anyone, they can access your account and execute any transaction.

Visit this support article for more information about key security.

Essential Rules

  1. Never ever share your seed phrase or backup JSON file with anyone. If you do that, you hand over all your funds, so don’t do it!
  2. Be careful when typing recovery seeds or importing backup JSON files into extensions or applications. They could be malicious or pretend to be a well-known wallet.
  3. Do not trust anyone online. Malicious actors often pretend to be someone else to gain your trust.
  4. If you are scammed, there is likely nothing that can be done to recover your funds. If a scammer gets a hold of your seed phrase, they can transfer all your funds to their account in seconds.
  5. If it sounds too good to be true, it probably is. People, especially celebrities, do not give away crypto for free. Even if they wanted to, they could just ask for your address as opposed to having you send them tokens.
  6. Scams are absolutely rife in this space. It is easy and cheap to set a scam up, and hard to shut one down. Therefore, the user must be diligent to avoid such scams.
  7. If you can, always try to verify new information that you see through an official source, such as the Polkadot network's official blog or Polkadot's Official Support. Often, scammers will fake websites or blog posts, but if you validate such information through a secondary source, you will reduce the chances of being scammed.

Some Common Types of Scams

  • Private messages sent to you over Telegram, X/Twitter, Discord, and other social media - admins or employees will never contact you.
  • "Giveaways" advertising that you "send us some DOT/KSM, we'll send you double back".
  • Sites where you must enter your seed phrase to "sync" your account, claim tokens, unblock transactions, etc.
  • Emails asking for DOT/KSM private keys/seeds/etc., posing as a member of any of our teams.
  • Scammers will take official videos and add "giveaway" text around them to look like Polkadot, Kusama, Web3 Foundation, Parity, or another well-known entity supporting the giveaway.
  • Many scammers will create nearly perfect imitations of sites - always triple-check the URL.
  • People offering to help you stake or get rewards.
  • People responding to publicly asked questions in a private chat.
  • Advertisements pointing to imitations of sites asking you to enter your seed words.

These are just some of the types of scams. Scammers are inventing new ones all the time. In general, do not trust anyone messaging you that you did not message yourself, and be wary of anyone attempting to help you or offer you a "deal".

Scammers will often imitate the usernames, profile pictures, etc., of well-known members of the community. Often the differences in these accounts will be minor, such as joe_sm1th or jo_smith instead of joe_smith. Sometimes, the display name will be identical if uniqueness is not enforced; check over a 2nd (ideally verifiable) communication channel to be sure you are talking to the right person.
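The handle comparison described above can be automated for a moderation bot or a personal contact list. This is an added example, not code from the original page; `KNOWN_HANDLES`, the substitution table and the distance thresholds are assumptions chosen for illustration.

```javascript
// Added example. KNOWN_HANDLES is constructed: fill it with handles you
// have confirmed through a second, verifiable channel.
const KNOWN_HANDLES = ["joe_smith"];

// Characters commonly swapped in to imitate a letter (assumed, not exhaustive).
const CONFUSABLES = { "0": "o", "1": "i", "l": "i", "|": "i" };

// Reduce a handle to a comparison form so that "sm1th" and "smith" collide.
function skeleton(handle) {
  return handle
    .normalize("NFKC")
    .toLowerCase()
    .replace(/[01l|]/g, (c) => CONFUSABLES[c]);
}

// Levenshtein distance: single-character inserts, deletes and substitutions.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const row = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = row;
  }
  return prev[b.length];
}

function classifyHandle(handle) {
  // An exact match is still not proof of identity where names are not unique.
  if (KNOWN_HANDLES.includes(handle)) return { verdict: "exact", imitates: null };
  for (const known of KNOWN_HANDLES) {
    const d = editDistance(skeleton(handle), skeleton(known));
    // Short handles get a tighter threshold to limit false positives.
    const limit = known.length >= 8 ? 2 : 1;
    if (d <= limit) return { verdict: "lookalike", imitates: known };
  }
  return { verdict: "unknown", imitates: null };
}
```

A "lookalike" verdict means the handle is close to, but not the same as, one you trust, which is the case to treat with the most suspicion.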

Scammers often make it seem like the "deal" is only available for a limited time. Do not be tricked by this; it is always better to confirm than to risk losing everything.

Admins will never contact you directly

If you received a message from an admin over Telegram, ignore it. Our team members will never personally message you. Our social media accounts are posted on our website, and our team will announce any new ones. We will never offer to sell you DOT at a discount, air-drop "rewards", or message you privately to help with a problem you posted publicly. Our social media and community pages can be found here.

Keep your data secure

You should never share your seed phrase, passwords, private keys, or any other personal data with anyone. If you are concerned a wallet could be fake, please check out our list of well-known wallets.

Some simple things that you can do to keep your assets and information secure from hackers:

  • Keep your seed phrase only on paper, in a secret and secure location.
  • DO NOT keep your seed phrase on any electronic medium connected to the internet, e.g., cloud services, password managers, your daily computer, etc.
  • Never enter your seed or mnemonic phrase directly into a website.
  • Your seed phrase is a backup in case you lose access to your wallet. Use it only for that purpose and only in wallets you've used before and trust.
  • Your passwords should be strong and unique. It is recommended that you use a password manager app to create and store your passwords. Use FIDO2 (hardware dongles) for best security, not Google Authenticator/OTP.
  • Keep your computer free of malware. Although an antivirus can be of great help, it's not a panacea. Safe browsing and downloading is the only way to be sure your computer is clean. Beware of unvetted (not security-scanned) software, such as extensions, 3rd party software, and registries/repositories that come in many forms and shapes.
  • Store your assets in cold storage, like a hardware wallet or Polkadot Vault.

Always check the source

For any potential scam, always do a background check on the source, i.e., look at any username, email, YouTube channel name, URL, etc. If something seems fishy, that's because it likely is. Never enter any personal data if you feel the source could be a scam. Feel free to check with Polkadot's official support.

Check twice before sending DOT/KSM

A good practice to consider is to verify the address to which you are sending crypto. You shouldn't be sending your assets to an account you do not know or are not familiar with. Crypto is a decentralized space with no room for errors.

Install the Polkadot-JS extension

The extension uses crowd-sourced anti-phishing measures to automatically prevent your browser from displaying known phishing or scam sites. They will be blocked upon loading, helping to prevent you from visiting these sites and thus falling for them.

Our official sites

You can use the following list of our official domains to make sure that you're visiting an official site:

Of course, many projects building on Polkadot and Kusama use similar names. If, however, a site poses as Polkadot, Kusama, Web3 Foundation, or Parity on a domain not listed above, then it's most likely a scam.

Besides those, there are also polkadot.js.org and dotapps.io that host our web wallet and other tools.
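Checking a link against a list of official hosts is easy to get wrong by eye, because an official name can appear in the wrong part of the address. The following is an added example, not code from the original page or from Polkadot; `OFFICIAL_HOSTS` contains only the two tool hosts named above, treating their subdomains as official is an assumption, and every other URL used with it is constructed.

```javascript
// Added example: decide whether a link really points at one of the tool
// hosts named on this page. Extend OFFICIAL_HOSTS from the official list.
const OFFICIAL_HOSTS = ["polkadot.js.org", "dotapps.io"];

function checkLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { verdict: "invalid", host: null };
  }
  // Compare the parsed hostname, never the raw string: text before an "@"
  // or after the real domain is not the host the browser connects to.
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  if (url.protocol !== "https:") return { verdict: "not-https", host };

  // Match the whole host or a subdomain on a label boundary (assumption:
  // subdomains of a listed host are official). The entry is
  // "polkadot.js.org", never "js.org": js.org is shared by unrelated sites.
  const official = OFFICIAL_HOSTS.some(
    (h) => host === h || host.endsWith("." + h)
  );
  if (official) return { verdict: "official", host };

  // Not listed. Report when an official name appears elsewhere in the link,
  // which marks an imitation rather than an unrelated site.
  const mentions = OFFICIAL_HOSTS.some((h) => link.toLowerCase().includes(h));
  return { verdict: mentions ? "imitation" : "not-listed", host };
}
```

Only the "official" verdict should be trusted; "imitation" covers links that display an official name while resolving to a different host.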

I Got Scammed - What Can I Do?

In the unfortunate case of having fallen for a scam, nothing can likely be done to recover your funds. However, you can still receive help and support. The Polkadot Support Team stands ready to help you in this difficult situation. Please check this Support Article for steps you should take to prevent further loss and contact Polkadot Support from the same page.