Non-Fungible Token Scam
An Investigative Report – November 2022
Nisos researchers, in conjunction with Chainalysis, investigated a network of Twitter accounts associated with a non-fungible token (NFT) scam that attempted to pose as legitimate and sometimes popular NFT stores. Tweets from these Twitter accounts link to fraudulent NFT stores that attempt to access a potential victim’s wallet in order to steal and likely resell NFTs.
This scam targets individuals interested in minting NFTs that they believe are associated with legitimate NFT stores. Through these fraudulent sites, the scammers gain access to the victim’s NFT wallet after being tricked into granting an NFT transfer to the scammer when the victim believes they are accepting the minting of a new NFT. This then allows the scammer to remove an NFT and possibly Ethereum funds from wallet services.
Nisos researchers made the following findings:
- A network of thousands of Twitter accounts involved in producing tweets to advertise these fraudulent NFT stores, with thousands of additional accounts disseminating these tweets through quote tweeting.
- The producing tweets have followed roughly two main formats, with the first version of the tweets prevalent between 26 July and early October and the second format prevalent through 11 October. Other variations of the tweets also were shared.
- Thousands of additional Twitter accounts form multiple networks and are responsible for disseminating the original tweets through quote tweeting. These disseminating accounts generally all follow three Twitter accounts and have zero followers.
- The disseminating Twitter accounts each tagged roughly a dozen random accounts in each of their quote tweets, including both accounts for individuals with small numbers of followers who did not appear connected to NFTs, as well as major NFT-related accounts with thousands of followers.
- Of the three accounts followed by the disseminating Twitter account networks, most were located in or associated with Indonesia, suggesting that is where the scammers are located.
- The scam websites trick victims into granting access and approving transfers to the scammers through fraudulent prompts on the site. The victims believe they are granting permission to mint a new NFT when they are actually approving the transfer of an NFT.
- Multiple wallets are used to receive funds and NFTs through the scam sites, although the operation probably relies on a handful to act as the first layer in receiving funds from victims across the majority of its scam sites.
- Some of the most commonly used wallets possibly attempt to mask the movement of currency by first transferring funds outside those wallets – where funds are first received by victims probably in Ethereum – in currencies other than Ethereum.
- Over 500 domains associated with the NFT scam were registered to a single IP address, while the scam also implemented additional IP addresses to which roughly a dozen scam-related domains each were registered. The total number of IP addresses used in the scam is unknown.
Nisos conducted its research and analysis on these tweets with a cut off of 11:59 pm on 11 October, as new Twitter accounts and fraudulent NFT stores continue to appear each day. However, some analysis and examples on crypto wallets or processes used by the scammers have been pulled from subsequent dates to capture transactions and formats of interest.
To learn more, download the complete Nisos Research report.
Nisos is The Managed Intelligence Company™. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.