Phishing scams
Phishing Scammers Stole $47 Million From 57,000 Victims in February Alone — Report
Nearly $47 million was stolen from approximately 57,000 crypto users by criminals who use phishing scams to lure victims. The Scam Sniffer data highlights that most of the thefts occurred on the Ethereum chain, with ERC-20 tokens being the most targeted. Unlike in January, the number of victims who lost digital funds exceeding $1 million […]FBI warns of phishing scams and social media account hijackers
The FBI warned that the account hijackers work to “create a sense of urgency” with their posts, and urged people to vet any website or potential opportunity before clicking on it.
The Federal Bureau of Investigation has warned of criminal actors that are hijacking social media accounts and posing as legitimate people in the nonfungible token and crypto space.
It also raised concerns over spoof websites that dupe victims into thinking they are using legitimate platforms in an effort to steal their NFTs/crypto.
The warning comes as the number of victims having their funds drained from these two types of scamming methods continues to grow.
In an Aug. 4 public service announcement, The FBI urged people to be aware of “criminal actors posing as legitimate NFT developers in financial fraud schemes targeting active users within the NFT community.”
“Criminals either gain direct access to NFT developer social media accounts or create almost identical accounts to promote new NFT releases. Fraudulent posts often aim to create a sense of urgency, using phrases like ‘limited supply,’ and refer to the promotion as a ‘surprise’ or previously unannounced mint.”
“Links provided in these announcements are phishing links directing victims to a spoofed website that appears to be a legitimate extension of a particular NFT project,” the FBI added.
Generally, the scam websites prompt people to connect their wallets to claim or purchase NFTs, but are instead connected to a drainer smart contract, resulting in a loss of person's funds or assets.
However, it is worth noting that it can sometimes be more complicated than that. There are some other ways that people can have their funds drained even when not directly choosing to connecting their wallet to a dubious website.
In an April. 5 X (Twitter) thread, user @robbyhammz stated that they mistakenly clicked on a spoof Looks Rare NFT marketplace website and didn’t connect their hot wallet, but still had more than $300,000 worth of NFTs stolen.
Alarmingly the fake website was promoted at the top of Google’s search results as a paid ad, which is something that has been a long-running issue yet to be solved by Google.
Was just talking with @bax1337 earlier today about how Google Ads phishing scams are out of control. Surprised no one has organized a class action against them. Have easily seen 8 figures stolen from them recently.
— ZachXBT (@zachxbt) August 5, 2023
There was a lot of debate in the comments as to how the victim could have their NFTs drained without connecting their wallet.
Some argued that malware enabling access or control to the victim's PC was at play, while others suggested the scam website may have had a hidden MetaMask wallet signature link somewhere that was accidentally clicked.
Related: Zero transfer scammer steals $20M USDT, gets blacklisted by Tether
On the same day, Web3 anti-scam platform Scam Sniffer tweeted that someone else had also lost $446,000 worth of Bitcoin (BTC), Ether (ETH) and Pepe ($PEPE) due to a phishing link.
Scam Sniffer indicated that the Pink drainer address was behind the phishing hack, while ZachXBT highlighted that it may have happened via two fake airdrop links promoted by @AvalancheApp and @QwQiao — two accounts that were hijacked over the previous 24 hours.
These two happened in past 24 hrs pic.twitter.com/KV5Kaxhihf
— ZachXBT (@zachxbt) August 5, 2023
In the FBI’s warning, it outlined a handful of tips for people to protect themselves from these types of scams.
The FBI emphasized that people should research and “vet any opportunity” such as surprise NFT drops or giveaways before clicking on links. It also urged people to double-check for any discrepancies in website URLs or account names, to avoid falling victim to impersonators.
Magazine: Deposit risk: What do crypto exchanges really do with your money?
FBI seizes $100K in NFTs from scammer following ZachXBT investigation
The seized property included a Bored Ape Yacht Club and Doodles NFT, 85.6 Ether and a flashy Audemars Piguet watch which ultimately helped ZachXBT identify the alleged scammer.
The Federal Bureau of Investigation (FBI) has seized two non-fungible tokens (NFTs) worth more than $100,000 and 86.5 Ether (ETH) from a reported phishing scammer.
The alleged scammer in question, Chase Senecal — known as Horror (HZ) online — was initially exposed via a lengthy investigation by independent blockchain sleuth ZachXBT posted back in September.
In the FBI’s official notification posted on Feb. 3, it outlined that Seneca’s property — which also included an Audemars Piguet (AP) Royal Oak Watch worth $41,000 — was “seized for federal forfeiture for violation of federal law.”
The FBI’s notification did not detail much other information on the ordeal apart from noting that all of the property was seized on Oct. 24. The specific NFTs include Bored Ape Yacht Club#9658, and Doodle #3114 and were valued at $95,495 and $9,361 at the time of seizure.
The 86.5 ETH was valued at $116,433 at the time of seizure, but is now worth $144,000 at the time of writing.
It is unclear what the full scope of legal proceedings that have taken place against Senecal are at this stage. However, according to the FBI’s law enforcement bulletin, federal forfeiture is a law enforcement tool that enables the government to “remove—without compensation for the individual—ownership of property involved in a crime.”
“It may occur in a civil procedure, like a lawsuit against the item, or after the conviction of an individual in a criminal trial,” the FBI states.
While the FBI has not come out with an official tip of the hat to ZachXBT, the on-chain sleuth noted via Twitter on Feb. 3 that the property seizure did “come as a result” of his investigation.
2/ HZ was responsible for using a Twitter panel to take over accounts like @Zeneca @nounsdao @ezu_xyz @deekaymotion @JRNYclub as well as Discord server attacks @AnataNFT @Lacoste
— ZachXBT (@zachxbt) February 3, 2023
The thread which started it all I’ve attached below. https://t.co/6dsfZ5jnGl pic.twitter.com/8EYl1yuIik
“I look forward to hopefully seeing more phishing scammers suffer a similar fate in the future for harming so many people in this space,” ZachXBT wrote.
With the seizure of a Bored Ape NFT, people in the community have joked that the FBI will change its profile picture to Ape #9658.
Notably, the flashy AP watch was one of the key identifiers that helped ZachXBT unmask Senecal’s identity and on-chain activity during the investigation.
In a medium post from Sept. 2, ZachXBT explained that after seeing Horroz (HZ) brag about the new watch on social media, he asked “around a few mutual friends who sell watches” and eventually managed to get in contact with the person who sold that specific AP watch to Senecal.
Unfortunately for Senecal, the payment was said to have been made on the blockchain via the use of USD Coin (USDC).
“The address HZ used to pay the watch seller $47.5k was DIRECTLY funded by multiple addresses used to scam people with hacked Twitter accounts such as @deekaymotion, @Zeneca_33, @ezu_xyz, [and] @JRNYclub,” ZachXBT wrote.
This is not the first time ZachXBT’s research has played a key role in helping government authorities. In October, France’s national cyber unit cited ZachXBT’s work in helping it catch and charge a group of alleged fraudsters on suspicion of stealing $2.5 million worth of NFTs via phishing scams.
MetaMask warns Apple users over iCloud phishing attacks
The firm warned that If an Apple user has enabled automatic iCloud backups of their MetaMask wallet data, their seed phrase is being stored online.
ConsenSys-owned crypto wallet provider MetaMask has sent out a warning to the community regarding Apple iCloud phishing attacks.
The security issue for iPhone, Mac, and iPad users is related to default device settings which see a user’s seed phrase or “password-encrypted MetaMask vault” stored on the iCloud if the user has enabled automatic backups for their app data.
In a Twitter thread posted on April 18, MetaMask noted that users run the risk of losing their funds if their Apple password “isn’t strong enough” and an attacker is able to phish their account credentials.
To fix the issue, users can disable automatic iCloud backups for MetaMask as detailed:
If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds. (Read on ) 1/3
— MetaMask (@MetaMask) April 17, 2022
The warning from MetaMask came in response to reports from an NFT collector who goes by “revive_dom” on Twitter, who stated on April 15 that their entire wallet containing $650,000 worth of digital assets and NFTs was wiped via this specific security issue.
In a separate thread earlier today, DAPE NFT project founder “Serpent” – who also helped gain the attention of MetaMask via posting sharing the story with their 277,000 followers — gave a rundown of what happened to the victim.
They noted that the victim received multiple text messages asking to reset his Apple ID password along with a supposed call from Apple which was ultimately a spoofed caller ID.
As they were reportedly unsuspecting of the caller, “revive_dom” handed over a six-digit verification code to prove that they were the owner of the Apple account. The scammers subsequently hung up and accessed his MetaMask account via data stored on iCloud.
Key takeaways
— Serpent (@Serpent) April 17, 2022
- ALWAYS use a cold wallet to store your valuables
- Never give out verification codes to ANYONE
- Protect your information, don't give out your phone number or your personal email
- Caller information is easy to spoof. Companies like Apple will never call you
Related: MetaMask expands institutional offering by integrating new crypto custodians
After MetaMask posted the warning today, “revive_dom” expressed his frustrations with the company, noting that:
“I’m not saying they shouldn’t do it but they should tell us. Don’t tell us to never store our seed phrase digitally and then do it behind our backs. If 90% of the people knew this I would bet none of them would have the app or iCloud on.”
While most of the community response was supportive, others were quick to emphasize the importance of using cold storage and doing a lot of due diligence when storing assets in a hot wallet.