The United States Federal Bureau of Investigation (FBI) has raised a red flag over the increasing threat of cybercriminals infiltrating social media accounts and masquerading as legitimate figures within the nonfungible token (NFT) and cryptocurrency realm.
The FBI’s alert also underscores concerns surrounding deceptive websites that lure victims into believing they are using bona fide platforms, only to stealthily pilfer their NFTs or cryptocurrency holdings.
As the number of victims succumbing to these duplicitous tactics continues to rise, the FBI has taken action to bring these emerging threats to the public’s attention.
In an official public service announcement on August 4, the FBI cautioned individuals about “criminal actors posing as legitimate NFT developers in financial fraud schemes targeting active users within the NFT community.”
The modus operandi involves criminals either gaining direct access to authentic NFT developer social media accounts or fabricating eerily similar accounts to tout new NFT releases.
These fraudulent posts often manipulate a sense of urgency, deploying phrases such as “limited supply” and designating promotions as “surprise” or previously unpublicized mint events.
The deceptive announcements commonly contain phishing links, which redirect unsuspecting victims to meticulously crafted spoof websites. These sites mimic the appearance of authentic extensions of specific NFT projects, but they harbor malicious intent.
The scam websites coax individuals to connect their wallets in order to either claim or purchase NFTs. However, these connections lead to drainer smart contracts that siphon away funds or assets.
While this scenario is common, it’s important to recognize that the landscape of such scams can be more intricate.
A case in point comes from a user’s experience shared in an August 5 Twitter thread. The user, StockEd, recounted mistakenly clicking on a bogus LooksRare NFT marketplace website.
Surprisingly, the victim hadn’t connected their hot wallet, yet they lost more than $300,000 worth of NFTs. This incident prompts consideration of how funds were drained without a direct wallet connection.
The comments on the thread triggered a debate on the mechanisms behind this form of attack. Some suggested that malware might have granted unauthorized access to the victim’s computer, while others conjectured that the deceptive website potentially embedded a concealed MetaMask wallet signature link, accidentally activated by the user.
Adding another layer of concern, the victim noted that the fake website had been promoted as a paid advertisement at the top of Google search results.
This distressing revelation highlights an ongoing issue: the prevalence of such fraudulent ads remains unsolved within Google’s ecosystem.