Replying to JC

We haven't really seen (AFAICT) determined impersonation scammers on nostr yet. If it gets mainstream-popular, we definitely will. I'm kinda worried that NIP-05 (at least in its current form/implementation) will actually make it easier to impersonate people.

Say I want to impersonate #[0]. Here's what I would do...

0. Set up a pubkey with his avatar, description etc.

1. Register a domain that looks similar to his NIP-05 domain - say, werunb1c.com or something like that, and set up verification there with the same username he uses.

2. Start cloning all his activity (trivial on nostr) on my fraudulent pubkey for, say, a week - so the timestamps are authentic

3. Start running "send me 1 btc, get 2 back" scams in replies (or something more nefarious).

Nobody on nostr right now would fall for something like this but mainstream CrYpTo morons definitely will. My fake account will be way more convincing than the average Elon impersonator on twitter - it'll have the shiny purple tick in current Nostr clients and only those looking *very* carefully at the NIP-05 domain would be able to tell it's not really him.

We definitely need more robust verification/anti-sybil schemes before this thing takes off for real.

JC 2y ago

#[2]
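
A client-side check for the lookalike-domain problem the note describes, as an added example that is not part of the original note or of any nostr client: it compares a profile's NIP-05 identifier against contacts the user already trusts and flags a same-name identifier on a confusably similar domain under a different pubkey. The function names, glyph-folding table, distance threshold, domains and pubkeys are all assumptions constructed for illustration.

```javascript
// Added example with constructed data; names and thresholds are assumptions.
const FOLD = { '0': 'o', '1': 'l', 'i': 'l', '3': 'e', '5': 's', '7': 't' };

// Reduce a string to a skeleton in which common look-alike glyphs compare equal.
function skeleton(s) {
  return s.toLowerCase().replace(/rn/g, 'm').replace(/vv/g, 'w')
    .replace(/[01357i]/g, (c) => FOLD[c]).replace(/[-_.]/g, '');
}

// Plain Levenshtein distance, two-row version.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// Split "name@domain"; NIP-05 local parts are limited to a-z0-9-_.
function parseNip05(id) {
  const m = /^([a-z0-9._-]+)@([a-z0-9.-]+)$/.exec(String(id).trim().toLowerCase());
  return m ? { name: m[1], domain: m[2] } : null;
}

// Classify a profile {nip05, pubkey} against the user's trusted contacts.
function classifyNip05(candidate, trusted) {
  const c = parseNip05(candidate.nip05);
  if (!c) return { verdict: 'invalid' };
  const same = trusted.find((t) => t.pubkey === candidate.pubkey);
  if (same) return { verdict: 'known', match: same.nip05 };
  for (const t of trusted) {
    const k = parseNip05(t.nip05);
    if (!k || skeleton(c.name) !== skeleton(k.name)) continue;
    // Same identifier but another key: the domain now vouches for a different pubkey.
    if (c.domain === k.domain) return { verdict: 'key-mismatch', match: t.nip05 };
    // Different domain whose skeleton is within 2 edits (assumed threshold).
    if (editDistance(skeleton(c.domain), skeleton(k.domain)) <= 2) {
      return { verdict: 'lookalike', match: t.nip05 };
    }
  }
  return { verdict: 'unrelated' };
}

// Constructed sample: one trusted contact, placeholder pubkeys.
const SAMPLE_TRUSTED = [{ nip05: 'alice@example.com', pubkey: 'PUBKEY_ALICE' }];
```

A client could run a check like this before drawing its verification mark and show a warning for a `lookalike` or `key-mismatch` verdict instead.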
