Common NFT Scams: Phishing Attacks

As NFT adoption grows, we are seeing a variety of scams targeting NFT platforms and their smart contracts, including rug pulls, fake NFT minting sites (also known as NFT phishing scams), fake NFT customer support, bidding scams, misleading offers, and counterfeit NFTs.

This article describes the bait-and-switch contract, a prevalent form of NFT scam that exploits NFT smart contracts. This phishing attack directs victims to sign a contract, often under the impression that they are approving a lawful transfer of ownership. In reality, the signature gives the hacker complete access to the victim's NFTs and crypto wallet.

Creating fake copies of NFT marketplaces and websites is an everyday occurrence in the current NFT ecosystem. After building counterfeit NFT platforms or wallets, scammers circulate links to these NFT phishing sites on Twitter and Discord, which has lately affected many NFT owners and collectors.

This series of articles, titled "Common NFT Scams," highlights the most prevalent scams affecting the NFT space. In this article, we look at NFT phishing scams, which occur when malicious actors influence or deceive NFT collectors into revealing critical information, such as their NFT wallet credentials. We also discuss how NFT phishing attacks work and the steps you can follow to avoid falling victim to them.

What is an NFT Phishing Attack? 

Phishing is the oldest and most common scam in the crypto and NFT ecosystem. Historically, phishing has been around since the 1990s when scammers pretended to be AOL administrators and stole users’ internet login credentials to illegally use the internet for free. 

Modern-day phishing attacks are most common in the NFT or crypto ecosystem, where scammers use manipulation tactics to access NFT collectors’ wallet accounts and steal their valuable NFT assets. 

OpenSea Phishing Site (Source: Steven Tey)

Scammers design phishing attacks to trick people into revealing their private NFT wallet information, installing malware on their computers, or visiting a fake website. Phishers use a variety of techniques while maintaining a plausible façade to deceive their victims. They may impersonate official communications, use the logos of reputable NFT platforms, and obscure URLs to manipulate and exploit NFT collectors and owners.

According to the 2021 Verizon Data Breach Report, phishing attacks are responsible for 36% of data breaches. The research also reveals that most businesses suffered between $250,000 and $984,855 due to phishing emails, with the median loss estimated to be $30,000. This indicates that many people and businesses have lost a significant portion of their income to phishing scams.

How Does NFT Phishing Work?

The common NFT phishing scam works as per the following steps: 

Hacker Sets Up the NFT Wallet:

The NFT scammer first sets up an attack wallet. They seed the wallet with an initial transaction, often routed through a mixer such as Tornado.cash; typically, the attacker makes the first payment to their own attack wallet. This serves several purposes, including testing the wallet or contract and initializing the wallet if it is new. A TRON wallet, for instance, needs a TRX balance to operate, so if a user transfers USDT to a wallet without TRX, the USDT may not appear in the balance until the wallet receives some TRX.

NFT Hacker Establishes “Bait-and-Switch” Smart Contract:

The scammer then deploys the “Bait-and-Switch” smart contract. It relies on functions such as "setApprovalForAll" (the ERC-721 call that grants an operator control over every token the signer holds in a collection) and "atomicMatch_" (the marketplace order-matching call), which can be abused to access and steal the NFT assets of phishing victims once the victim has signed.
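As an added example (not code from the original article), the following Python script shows what a defender-side check against the approval described above looks like: it decodes the raw calldata a wallet is being asked to sign, recognizes the ERC-721 setApprovalForAll(address,bool) call by its 4-byte selector, and flags the request when the operator being approved is not on the user's own allowlist of marketplace contracts. The selector values are the well-known keccak-256 prefixes of the ERC-721 function signatures; the operator addresses and the allowlist are constructed placeholders, not real contracts.

```python
"""Pre-signature inspection of ERC-721 approval calldata.

Added example: decodes the calldata of a transaction a wallet asks the user
to sign and flags a setApprovalForAll() that would hand a non-allowlisted
operator control over every token in a collection.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# 4-byte selectors = first 4 bytes of keccak-256(canonical signature).
# Well-known ERC-721 values, listed so the script runs without a keccak library.
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}
SET_APPROVAL_FOR_ALL = "a22cb465"

# Constructed placeholder addresses (not real contracts).
TRUSTED_MARKETPLACE = "0x" + "11" * 20   # operator the user has deliberately allowlisted
UNKNOWN_OPERATOR = "0x" + "22" * 20      # operator a phishing site tries to get approved
TRUSTED_OPERATORS = {TRUSTED_MARKETPLACE}


@dataclass(frozen=True)
class Verdict:
    risk: str    # "low", "medium" or "high"
    reason: str


def _strip_0x(hex_str: str) -> str:
    return hex_str[2:] if hex_str.lower().startswith("0x") else hex_str


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """ABI-encode setApprovalForAll(operator, approved): selector + two 32-byte words."""
    word_operator = _strip_0x(operator).lower().rjust(64, "0")   # address is right-aligned
    word_bool = ("1" if approved else "0").rjust(64, "0")
    return "0x" + SET_APPROVAL_FOR_ALL + word_operator + word_bool


def decode_set_approval_for_all(calldata: str) -> Optional[Tuple[str, bool]]:
    """Return (operator, approved) if calldata is a setApprovalForAll call, else None."""
    data = bytes.fromhex(_strip_0x(calldata))
    if data[:4].hex() != SET_APPROVAL_FOR_ALL:
        return None
    words = data[4:]
    if len(words) < 64:
        raise ValueError("truncated calldata for setApprovalForAll")
    operator = "0x" + words[12:32].hex()              # low 20 bytes of the first word
    approved_word = int.from_bytes(words[32:64], "big")
    if approved_word not in (0, 1):
        raise ValueError("bool argument is not 0 or 1")
    return operator, approved_word == 1


def assess(calldata: str, trusted=TRUSTED_OPERATORS) -> Verdict:
    """Classify a transaction request before it is signed."""
    decoded = decode_set_approval_for_all(calldata)
    if decoded is not None:
        operator, approved = decoded
        if not approved:
            return Verdict("low", f"revokes operator rights from {operator}")
        if operator.lower() in {t.lower() for t in trusted}:
            return Verdict("low", f"grants collection-wide rights to allowlisted operator {operator}")
        return Verdict("high",
                       f"setApprovalForAll would let {operator} transfer every token in this collection")
    selector = _strip_0x(calldata)[:8].lower()
    name = SELECTORS.get(selector)
    if name:
        return Verdict("medium", f"{name}: moves or approves a single token; confirm the recipient")
    return Verdict("medium", f"unknown selector 0x{selector}; decode against the contract ABI before signing")


if __name__ == "__main__":
    for call in (encode_set_approval_for_all(UNKNOWN_OPERATOR, True),
                 encode_set_approval_for_all(TRUSTED_MARKETPLACE, True),
                 encode_set_approval_for_all(UNKNOWN_OPERATOR, False)):
        v = assess(call)
        print(v.risk.upper(), "-", v.reason)
```

The same selector with the bool argument set to false is what a revocation looks like, so the decoder also serves to confirm that an approval-revoking transaction does what it claims before it is signed.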

NFT Hacker Deploys the Malicious Smart Contract:

After deploying the smart contract, the NFT scammer tests and verifies that it works by signing a transaction from the attacker’s wallet. The scammer then typically defrauds NFT collectors by asking the victim to authorize a private sale (transfer) of an NFT to the attacker's wallet with zero fees.

Scammer Phishes NFT Collector:

After verifying the malicious smart contract, scammers initiate a phishing attack on the target NFT collector(s). The scammer aims either to obtain the target NFT wallet’s secret phrase or to trick the NFT collector into approving the malicious smart contract. The scammer may use multiple phishing techniques, such as sending emails, pop-ups on Discord, Telegram, and other forums, in-wallet advertisements through MetaMask, fake NFT platforms with wallet connections, and impersonation of an NFT marketplace's or platform’s support team.

Scammers Steal the NFT Assets:

If the scammer is successful in the NFT phishing attack, the NFT collectors lose their NFT and crypto assets to the hacker. Most phishing contracts let the attacker transfer not just the NFTs but also the victim's whole asset portfolio. 

Scammers Flip Stolen NFT(s):

The phishing scammer resells the NFT(s) on an open NFT marketplace. Scammers quickly resell the stolen NFTs for two key reasons: to avoid blockchain traceability and liquidate the asset for laundering purposes. Therefore, most scammers convert stolen NFTs to cryptocurrencies, which the scammer may launder and utilize, unlike NFTs.

Scammers Launder the Illegal Cryptocurrency:

After flipping the NFTs on genuine marketplaces, the scammers move the illicit cryptocurrency through crypto-laundering wallets. These wallets charge a transaction fee but obscure the origin of the funds.

Scammers Cash Out the Illegal Gains:

Following the above NFT phishing steps, the scammer finally cashes out, often involving a combination of mixers, high-risk exchanges, peer-to-peer platforms, transaction- and chain-hopping, and stablecoin conversion.

How to Protect Yourself from NFT Phishing Scams:

If you do not want to lose a potentially valuable NFT, you must be vigilant about NFT phishing scams. Phishing scams always start with some interaction initiated by the scammer, such as an email, a MetaMask wallet pop-up, or a DM on Twitter/Discord. In each case, the scammer steals the victim’s NFTs by obtaining the collector's wallet information or by tricking them into signing a transaction with the malicious smart contract.

Here are some steps for protecting yourself from NFT phishing scams:

  • Simply signing a transaction can give scammers complete access to all your NFTs and cryptocurrencies. Therefore, never sign a transaction with a smart contract that you do not entirely trust, and watch out for red flags such as unknown or unexpected smart contract calls.
  • Never open an attachment, link, or button when a smart contract seems to "fail" or "run into issues." Similarly, never click on links in an email unless you can independently verify them or discover the same information via a similar online search.
  • Use a separate wallet for your NFTs or create a "burner" wallet to evaluate interactions with potentially unsafe contracts. Check the background of an NFT before purchasing since you may potentially be acquiring stolen NFT assets.
  • When purchasing, research the counterparty. If you examine their transactions and discover that they often buy NFTs "for free" and then sell them on the open market, it is a red flag for phishing attacks, so avoid such sellers. 
  • Turn off your Twitter and Discord DMs, and never share your NFT wallet secret phrase with anyone.
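An added example (not from the original article) of the counterparty check in the list above: given a small constructed history of NFT transfers, the Python function below flags addresses that repeatedly receive tokens from third parties for free and resell them shortly afterwards, which is the pattern the article describes. The transfer records, the addresses and the one-day window (7200 blocks at Ethereum's roughly 12-second block time) are assumptions made for the example; in practice the records would be built from a collection's ERC-721 Transfer events joined with marketplace sale prices.

```python
"""Counterparty check: flag sellers who acquire NFTs "for free" and quickly flip them.

Added example with constructed data; a real run would build the Transfer list
from on-chain ERC-721 Transfer events joined with marketplace sale prices.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

ZERO_ADDRESS = "0x" + "00" * 20   # sender of a mint


@dataclass(frozen=True)
class Transfer:
    block: int
    token: str        # collection + token id, e.g. "cat#3"
    sender: str
    receiver: str
    price_eth: float  # 0.0 when no payment accompanied the transfer


Flip = Tuple[str, int, int]  # (token, block acquired for free, block resold)


def find_free_flips(transfers: Iterable[Transfer], max_flip_blocks: int = 7200) -> Dict[str, List[Flip]]:
    """Map each address to the tokens it received for free from a third party
    (not a mint) and resold for a price within max_flip_blocks."""
    history: Dict[str, List[Transfer]] = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t.block):
        history[t.token].append(t)

    flips: Dict[str, List[Flip]] = defaultdict(list)
    for token, events in history.items():
        for i, acquired in enumerate(events):
            if acquired.price_eth > 0 or acquired.sender == ZERO_ADDRESS:
                continue   # paid purchases and mints are normal acquisitions
            # the next outgoing transfer of this token by the same holder
            for later in events[i + 1:]:
                if later.sender == acquired.receiver:
                    if later.price_eth > 0 and later.block - acquired.block <= max_flip_blocks:
                        flips[acquired.receiver].append((token, acquired.block, later.block))
                    break
    return dict(flips)


def suspicious_sellers(transfers: Iterable[Transfer], min_flips: int = 2,
                       max_flip_blocks: int = 7200) -> Dict[str, List[Flip]]:
    """Only addresses with at least min_flips free-then-sold tokens are reported,
    so a single gift that was later sold does not trip the check."""
    return {addr: f for addr, f in find_free_flips(transfers, max_flip_blocks).items()
            if len(f) >= min_flips}


# Constructed sample (placeholder addresses, not real accounts).
SUSPECT = "0x" + "aa" * 20
HONEST = "0x" + "cc" * 20
BUYER = "0x" + "bb" * 20
VICTIMS = ["0x" + f"{i:02x}" * 20 for i in (1, 2, 3)]

SAMPLE_TRANSFERS = [
    Transfer(50,  "cat#9",  ZERO_ADDRESS, HONEST,     0.0),   # mint
    Transfer(60,  "cat#9",  HONEST,       BUYER,      0.5),   # mint-then-sell: normal
    Transfer(70,  "dog#2",  HONEST,       VICTIMS[0], 0.0),   # a gift that is kept
    Transfer(100, "punk#1", VICTIMS[0],   SUSPECT,    0.0),   # three "free" acquisitions ...
    Transfer(101, "ape#7",  VICTIMS[1],   SUSPECT,    0.0),
    Transfer(102, "cat#3",  VICTIMS[2],   SUSPECT,    0.0),
    Transfer(150, "punk#1", SUSPECT,      BUYER,      3.2),   # ... each resold within hours
    Transfer(160, "ape#7",  SUSPECT,      BUYER,     12.0),
    Transfer(400, "cat#3",  SUSPECT,      BUYER,      1.1),
]

if __name__ == "__main__":
    for addr, flips in suspicious_sellers(SAMPLE_TRANSFERS).items():
        print(addr, "flipped", len(flips), "free tokens:", [f[0] for f in flips])
```

The heuristic deliberately ignores mints and paid purchases and requires more than one free-then-sold token, so an ordinary collector who sells a gifted piece is not flagged while an address that is liquidating several tokens it never paid for is.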

The Takeaway: 

NFT phishing attempts are more prevalent in NFT communities on Twitter and Discord than any other NFT scam. However, by learning and understanding the fundamentals of phishing scams, NFT collectors can protect their NFT assets and avoid losses.

To learn about other common NFT scams, follow our “Common NFT Scams” article series.
