Welcome to the Block & Mortar newsletter! Every week, I bring you the top stories and my analysis on where business meets web3: blockchain, cryptocurrencies, NFTs, and metaverse. Brought to you by Q McCallum.

Reading online? Subscribe to get this in your inbox whenever it's published.

The crypto security arms race

The web3 world has no shortage of crime stories. Hackers targeted the Instagram account and Discord server for the Bored Ape Yacht Club collection in order to send tainted links to NFT holders. Seth Green lost some NFTs to a phishing scam (but later got them back).  Someone made off with OpenSea’s list of customer e-mail addresses, probably with the intent to target the NFT marketplace’s customers for scams. And that’s just from the past few weeks.

What makes crypto such fertile ground for thefts?  For one, there’s the asymmetric payoff to the criminals.  Just compare “work 40+ hours a week in a typical job to earn a livable wage” to “spend a few hours scamming people for six-figure entries in a blockchain ledger.”  You can make tons of money with this flavor of (important: nonviolent) crime. And unlike some high-paying careers, you’ll actually have the time to enjoy spending it.

Two, there’s the end-user side of things.  Crypto UI/UX is sorely lacking, which is doubly painful because managing token assets requires a lot of fiddly technical know-how.  It’s easy to make mistakes because there are so few safeguards. And there’s no official protocol for reversing a transaction. Mistakes are final.

Three, there’s an arms race between the would-be thieves and their prospective victims.  Every time people sort out how to handle a scam, the criminals are poking around for the next weakness to exploit.  

(If this sounds like IT security, counterespionage, counterinsurgency, and every other “stop the bad guys” job, you’re on the right track.  This is hard work, for which the sole reward is “you get to keep your belongings.”)

All that is to say: while there’s no 100% airtight guarantee of security in crypto, there are some general practices that should steer you clear of most trouble.  This Twitter thread by @samczsun explores the architecture of a scam that someone tried to pull on him.  The first tweet drives home just how quickly the would-be thieves could have made off with his tokens:

1/ Today, someone tried to hack me with a crypto stealer, so I guess I’ve finally made it

Fortunately, they weren’t successful, but all it would’ve taken was three clicks. Read on to learn about how the attack works, how to protect yourself, and some basic malware analysis🕵️

The thread gets a bit technical on how to identify the malware. Certainly review that if you are so inclined. But the first few tweets, on how to avoid getting scammed, are required reading.  In short: pay close attention to any requests, and don’t rush.

Developing your NFT sales muscle

Releasing an NFT collection is akin to a startup’s IPO: you need to raise public awareness and nurture interest in buying.  And while the first day’s activity is no guarantee of future performance, it doesn’t hurt to have a strong start.  So getting this right is a Big Deal™.

IPOs have a fairly standard template – shaped, in no small part, by banking norms and securities laws – but the NFT space is still finding its way.  Collections have learned to borrow techniques from the sales world, though, which is a good start.  Take the number of celebrity endorsements as an example.  And Doodles recently took that to the next level in appointing Pharrell Williams as its Chief Brand Officer.

Another important sales technique is to paint a future picture.  “Today, this is just an empty lot; but in a few months, it could be your vibrant new store location."  Notice how this is more emotional than practical, more storytelling rather than pure fact-sharing.  And a key element of good storytelling is… anticipation.  You want your audience constantly asking: “OK, and what next?”  Eventually that belief in the (possible, imagined) future outcome leads them to exchange their cash for your product. 

This Twitter thread reviews a number of high-profile NFT releases and how they used anticipation, rather than utility, to build a buzz.  Remember Goblintown?  They offered some cryptic tweets and weird sounds.  That’s it.  Otherside? Yuga Labs shared a slick video … that told you nothing about what to expect in their Otherside metaverse implementation.  Both releases saw very strong interest early on.  

Hell, the Otherside debut even took down the Ethereum network.  If people were that eager to get their Otherside land plots, without any hard details about that virtual world would entail, it’s safe to say that anticipation did its job.

Speaking of which, Yuga Labs recently ran an Otherside demo as a way of load-testing the system. The test didn’t reveal any information about gameplay, but it did confirm that Otherside could handle roughly 2,500 concurrent users in a 3D world of spatial audio.  

Your Block & Mortar editors are seasoned technology professionals who have released a variety of real-world applications, so we understand the importance of this kind of testing.  This is the other side of anticipation: making sure the Otherside gameplay actually lives up to expectations.

Instant gratification

Every decision in life is a bet.  Sometimes the stakes are low (“the cafe has run out of egg tarts so I have to pick some other snack”), and maybe the result is more of a long-term deal (“OK, twenty years in, this was not the best career choice”), but each time you’re staking a claim on a future outcome.

Credit is a particular kind of bet.  You don’t have all of the money on-hand to purchase some asset, so you convince someone to let you have the money now and you promise to pay them back later.  When you do that: 

• The future outcome is “you repaying the loan.”  You are therefore betting on yourself, going long on your prospects for revenue or income throughout the repayment period.

• You are also betting on the asset providing some value or payoff.  You get to use it (live in the house you’ve mortgaged) and/or you can later sell it as its price increases (say, you bought tons of shares of stock to increase your return on that hot tip).

• You want that payoff to hit before the loan is due to be repaid.  If your loan is for six months, and your hot stock tip takes nine months to come to fruition, you’re going to have a rough time.

That’s the framing we held in mind while learning about Teller, a service for lending people money to buy NFTs.  Specifically, Teller’s Ape, Now Pay Later pairs potential buyers with lenders, and it holds the NFT in escrow until it’s paid off.   (The name is a play on Buy Now, Pay Later – also known as BNPL – a popular twist on layaway that has attracted the interest of financial regulators.)

On the one hand, it may seem weird to take out a loan for “just an ape JPEG.” On the other hand, an asset is an asset is an asset.  Whether it’s a car, house, or even a company (“leveraged buyout,” anyone?), you can use credit to get the asset now and pay it off over time.  

What remains to be seen is whether you can access the financed NFT while it is still in escrow. In the same way that you’d want to live in a house while you’re still paying the mortgage, you’d probably want to have access to your utility-style NFTs – the kind that come with recurring benefits, such as membership passes – sooner rather than later.

Keep this in your back pocket, maybe

We like to think that Block & Mortar presents a balanced view of what web3 has to offer.  We’ve told you about interesting use cases and crypto successes, sure. We’ve also brought you the recurring segment called Things Go Wrong™. 

Our hope is that, by reading this newsletter, you’ve learned more about the web3 space and have become more comfortable talking about it with friends and colleagues.  The downside is that you’ve probably found yourself on the receiving end of crypto-snark.  Knocking web3 is a safe default these days, because it’s still early enough that no one knows just how far it will really go.  Rejections of e-commerce (“I can shop in the store”) and cloud (“I don’t trust someone else’s datacenter”) eventually dissipated, sure, but it took a while. 

Knowing that doesn’t help much while your brother-in-law is roasting your crypto investments in front of the rest of the family.  So the crew at Decrypt has released “Laminate This: What to Say to Crypto Haters” as your backup:

Next time an “expert” at a dinner party starts mansplaining why crypto is nothing but a scam for suckers, point them to these retorts. Print it out. Fold it up and put it in your wallet. Laminate it and use it as a placemat. Tuck them under windshield wipers at the bank.

To which we say: wait, people still go to dinner parties?  What’s that like?

The wrap-up

This was an issue of Block & Mortar.

Who’s behind Block & Mortar? I'm Q McCallum. I've spent the past two decades in the emerging-tech space. And I'm very interested in web3 use cases.

Credit where it's due. Big thanks to Shane Glynn for reviewing early drafts. Any mistakes that remain are mine.

Reading this online? Or as a forward? Why not sign up? Get Block & Mortar news in your inbox, whenever it's published.

Privacy statement: I don’t share/rent/sell your personal info. Seriously.