NFT scams

FBI warns of phishing scams and social media account hijackers

The FBI warned that the account hijackers work to “create a sense of urgency” with their posts, and urged people to vet any website or potential opportunity before clicking on it.

The Federal Bureau of Investigation has warned of criminal actors that are hijacking social media accounts and posing as legitimate people in the nonfungible token and crypto space.

It also raised concerns over spoof websites that dupe victims into thinking they are using legitimate platforms in an effort to steal their NFTs/crypto.

The warning comes as the number of victims having their funds drained from these two types of scamming methods continues to grow.

Recent phishing link tweeted from Uniswap founder Hayden Adams' Twitter account by hackers. Source: Twitter

In an Aug. 4 public service announcement, the FBI urged people to be aware of “criminal actors posing as legitimate NFT developers in financial fraud schemes targeting active users within the NFT community.”

“Criminals either gain direct access to NFT developer social media accounts or create almost identical accounts to promote new NFT releases. Fraudulent posts often aim to create a sense of urgency, using phrases like ‘limited supply,’ and refer to the promotion as a ‘surprise’ or previously unannounced mint.”

“Links provided in these announcements are phishing links directing victims to a spoofed website that appears to be a legitimate extension of a particular NFT project,” the FBI added.

Generally, the scam websites prompt people to connect their wallets to claim or purchase NFTs, but the wallets are instead connected to a drainer smart contract, resulting in the loss of the person's funds or assets.

However, it is worth noting that it can sometimes be more complicated than that. There are other ways that people can have their funds drained even when they do not directly choose to connect their wallet to a dubious website.

In an April 5 X (Twitter) thread, user @robbyhammz stated that they mistakenly clicked on a spoof LooksRare NFT marketplace website and didn’t connect their hot wallet, but still had more than $300,000 worth of NFTs stolen.

Alarmingly, the fake website was promoted at the top of Google’s search results as a paid ad, a long-running issue that Google has yet to solve.

There was a lot of debate in the comments as to how the victim could have their NFTs drained without connecting their wallet.

Some argued that malware enabling access or control to the victim's PC was at play, while others suggested the scam website may have had a hidden MetaMask wallet signature link somewhere that was accidentally clicked.

On the same day, Web3 anti-scam platform Scam Sniffer tweeted that someone else had also lost $446,000 worth of Bitcoin (BTC), Ether (ETH) and Pepe ($PEPE) due to a phishing link.

Scam Sniffer indicated that the Pink drainer address was behind the phishing hack, while ZachXBT highlighted that it may have happened via two fake airdrop links promoted by @AvalancheApp and @QwQiao — two accounts that were hijacked over the previous 24 hours.

In the FBI’s warning, it outlined a handful of tips for people to protect themselves from these types of scams.

The FBI emphasized that people should research and “vet any opportunity” such as surprise NFT drops or giveaways before clicking on links. It also urged people to double-check for any discrepancies in website URLs or account names, to avoid falling victim to impersonators.

Phishing scammer Monkey Drainer has pilfered as much as $1M in ETH

Four addresses have been flagged relating to Monkey Drainer, including the monkey-drainer.eth address, with Chainabuse showing a long list of reported victims relating to these accounts.

An alleged phishing scammer going by the pseudonym Monkey Drainer has reportedly swiped around $1 million worth of Ether (ETH) via dubious copycat nonfungible token (NFT) minting websites this week. 

Well-known blockchain sleuth ZachXBT was one of the first to track and highlight the activity, outlining on Oct. 26 that:

“Over the past 24 hrs ~700 ETH ($1m) has been stolen by the phishing scammer known as Monkey Drainer. They recently surpassed 7300 transactions from their drainer wallet after being around for only a few months.”

“The two largest victims over the past day include 0x02a & 0x626 who collectively lost $370k from signing transactions on malicious phishing sites,” ZachXBT added.

The blockchain scam investigator also went on to assert that longer term, Monkey Drainer has allegedly stolen more than $3.5 million from their schemes, with “that number rapidly increasing by each day.”

Phishing scams often involve criminals sharing links to websites impersonating real projects or companies designed to dupe victims into handing over private credentials by offering an exciting buying opportunity or free promotion.

Four addresses, in particular, have been flagged relating to Monkey Drainer, including the monkey-drainer.eth address.

A search for these addresses on the community-driven Web3 security network Chainabuse currently shows a long list of reports relating to airdrop scams, NFT scams and phishing attacks.

The reported incidents include airdrop scams via the Astrobot Society Discord channel, a fake Wolf Game and Bored Ape Yacht Club marketplace and a fake Aptos airdrop, to name a few.

Web3 security community Wallet Guard also responded to ZachXBT’s Twitter thread and stated that it had “spotted several other mint sites recently created” that had Monkey Drainer on the backend, including a fake Garbage Friends whitelist link that was a phishing website.

ZachXBT has become a respected independent blockchain investigator over the past couple of years, bringing to light a lot of nefarious behavior in the space.

Earlier this month, the deputy chief of France’s national cyber unit, Christophe Durand, even cited ZachXBT’s work for helping officials track phishing scams of five people suspected of stealing $2.5 million worth of NFTs.

Researchers find security flaw in Rarible: Users could have lost all their NFTs

“A successful attack would have come from a malicious NFT within Rarible's marketplace itself, where users are less suspicious and familiar with submitting transactions,” noted Check Point Research.

The research arm of cyber security software firm Check Point said it identified a vulnerability in the Rarible NFT marketplace that could have seen many of its roughly two million active monthly users lose their NFTs in a single transaction.

Check Point is a multinational IT security firm that was founded in Ramat Gan, Israel in 1993 and also claimed to have spotted issues relating to malicious airdrops on OpenSea back in October 2021.

According to documents shared with Cointelegraph, Check Point Research (CPR) recently discovered that malicious actors could send users a dubious link to an NFT that, once clicked, executes JavaScript code that “attempts to send a setApprovalForAll request to the victim.”

If the link is clicked, the user grants full access to their wallets on Rarible. CPR stated that it immediately notified Rarible on April 5, with the platform promptly acknowledging and fixing the security flaw:

“If exploited, the vulnerability would have enabled a threat actor to steal a user's NFTs and cryptocurrency wallets in a single transaction. A successful attack would have come from a malicious NFT within Rarible's marketplace itself, where users are less suspicious and familiar with submitting transactions.”

NFT Theft

Speaking with Cointelegraph, Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software, said his team became interested in this type of scam after Taiwanese singer Jay Chou fell victim to a similar attack. Chou’s BoredApe #3738 NFT was swiped via a nefarious transaction at the start of this month.

“Once we saw that this NFT was stolen, it gave us the incentive to investigate further.” Such a vulnerability could also be possible on many other platforms, Vanunu said.

“Rarible acknowledged the security flaw quickly and fixed it by removing the SVG file upload option. This terminated the malicious NFT attack option,” Vanunu confirmed.

Vanunu refused to estimate the potential value that could have been lost through the security flaw, as it could have been “triggered on any user on the platform.” Notably, a similar attack last month on just a single wallet, belonging to DeFiance Capital founder Arthur0x, resulted in the loss of roughly 600 Ether ($1.86 million).

CPR urged users to be diligent any time they approve any requests on NFT platforms and verify all of them via Etherscan’s request tracker in times of uncertainty.
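
One way to inspect an approval request before signing it, as an added example that is not code from Check Point, Rarible or any wallet: the JavaScript below decodes the `data` field of a pending transaction request and flags a `setApprovalForAll` grant. The function names, the `trusted` allowlist and the sample addresses are assumptions constructed for illustration.

```javascript
// Selector of setApprovalForAll(address,bool): first 4 bytes of the
// keccak256 hash of the signature (ERC-721 and ERC-1155).
const SET_APPROVAL_FOR_ALL = 'a22cb465';

// Split ABI-encoded calldata into its selector and 32-byte argument words.
function splitCalldata(data) {
  const hex = String(data).replace(/^0x/i, '').toLowerCase();
  if (!/^[0-9a-f]{8,}$/.test(hex) || (hex.length - 8) % 64 !== 0) {
    throw new Error('malformed calldata');
  }
  return { selector: hex.slice(0, 8), words: hex.slice(8).match(/.{64}/g) || [] };
}

// An ABI address is a 20-byte value left-padded with zeros to 32 bytes.
function wordToAddress(word) {
  if (!word.startsWith('0'.repeat(24))) throw new Error('bad address padding');
  return '0x' + word.slice(24);
}

// Classify one request. `trusted` is a caller-supplied allowlist of operator
// addresses (an assumption of this example, not a wallet feature).
function reviewRequest(tx, trusted = []) {
  const { selector, words } = splitCalldata(tx.data);
  if (selector !== SET_APPROVAL_FOR_ALL) return { match: false };
  if (words.length !== 2) throw new Error('unexpected argument count');
  const operator = wordToAddress(words[0]);
  const flag = BigInt('0x' + words[1]);
  if (flag > 1n) throw new Error('bool argument is not 0 or 1');
  const approved = flag === 1n;
  const known = trusted.some((a) => a.toLowerCase() === operator);
  // Granting is high risk unless the operator is on the allowlist;
  // revoking (approved = false) removes the operator's rights.
  const risk = !approved ? 'low' : known ? 'review' : 'high';
  return { match: true, collection: tx.to, operator, approved, risk };
}

// Constructed sample: setApprovalForAll(0x1111...1111, true) sent to the
// collection contract 0x2222...2222. Both addresses are made up.
const OPERATOR = '0x' + '11'.repeat(20);
const sampleTx = {
  to: '0x' + '22'.repeat(20),
  data: '0xa22cb465' + '0'.repeat(24) + '11'.repeat(20) + '0'.repeat(63) + '1',
};
console.log(reviewRequest(sampleTx));
```

A grant with `approved` set to true lets the operator transfer every token the signer holds in that collection, so an unrecognised operator address is the signal to reject the prompt.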

Cointelegraph has reached out to Rarible for comment on the matter, and will update the story if the company responds.
