According to recent research, published by Tenable’s Staff Research Engineer, Satnam Narang, scammers have once again dug deep into their bag of tricks to capitalise on the fervour in non-fungible tokens (NFT) and cryptocurrencies.
Many are hijacking verified and unverified accounts on Twitter to impersonate popular NFT projects including Bored Ape Yacht Club (BAYC), Azukis, MoonBirds and OkayBears, to steal users’ digital assets by driving them to phishing sites.
The success of some of these blue chip NFT projects has paved the way for broader adoption by promoting upcoming integrations with their own metaverses, giving scammers ample opportunity to capitalise on new or rumoured announcements in relation to these projects. These scams take place in a few different ways, according to the research.
Scammers leverage Twitter mentions to capture attention
Cryptocurrency scammers are tagging users in replies across hundreds of tweets in a bid to drive them to phishing websites. These phishing sites are indistinguishable from legitimate NFT project sites making it difficult for the average cryptocurrency enthusiast to tell them apart. Instead of relying on traditional usernames and passwords, users are convinced to connect their cryptocurrency wallets. By doing so, scammers are able to then transfer out the digital currencies like Ethereum ($ETH) or Solana ($SOL), as well as any NFTs being held in these wallets.
Airdrops and free NFTs drive cryptocurrency scams
The airdrop is a promotional activity performed to help bootstrap a digital currency project. The Bored Ape Yacht Club (BAYC), announced earlier this year an Airdrop of ApeCoin to holders of its various NFT projects such as BAYC, Mutant Ape Yacht Club and Bored Ape Kennel Club. Scammers saw this announcement as a ripe opportunity to target the interest in this upcoming airdrop and began creating campaigns by hijacking verified Twitter accounts to drive users to phishing sites.
Scammers warn of scammers to add legitimacy to tweets
Scammers have also pivoted to appear like the good samaritans by using the threat of potential scammers as justification for why they “clean” or “close” comments or replies to their tweets. Once they’ve seeded a few of these fake tweets, they leverage a built-in Twitter feature for conversations to restrict who can respond to their tweets, which prevents users from warning others of the potential fraud that lies ahead.
“Stories of “cryptocurrency millionaires” are attractive and increase the desire for users to invest in cryptocurrency and NFTs. Unfortunately, scammers understand this desire all too well and will take advantage of those who are hoping to make a windfall. The Australian Competition and Consumer Commission received over 10,000 reports about cryptocurrency scams in 2021, with losses of about $129 million for the year,” said Satnam Narang, staff research engineer at Tenable.
“Operating from a place of scepticism is likely going to provide some cover for users when it comes to such scams. If you’re proactively tagged in a tweet, you should be highly suspicious of the motivations behind it, even if it comes from a verified Twitter account. Seek out the original project’s website and cross-reference links that you see being shared on Twitter with the ones on their official website. Scammers will also rely on urgency to try to add pressure on users in this space. If an NFT mint is happening, they’ll say that there are a limited number of spots left. This urgency makes it easier to take advantage of users not wanting to miss out on the opportunity. Ultimately, if something sounds too good to be true, it probably is.”
Note: Twitter has been notified about these scams along with a list of recommendations to curb the issues.