Phishing NFTs is Easy

Author: n0 Sec

Introduction

Non-fungible tokens, more commonly known as NFTs, are rare collectible assets sold online for cryptocurrency. On the news, you may have heard about the Bored Ape Yacht Club (BAYC), one of the most famous NFT lines, whose images of apes are worth upwards of hundreds of thousands of dollars. NFTs are based on cryptocurrencies and share blockchains with them, but owning an NFT is far different from owning cryptocurrency. Because NFTs are meant to be collected, they attract far more public attention than individuals' cryptocurrency wallets, so fraudsters who steal NFTs are more likely to have their heist covered by the media. Media coverage makes a heist higher-profile and leaves the fraudster worried about being investigated. While the risk is higher, NFTs tend to be easier to steal: many holders use web wallets, and the number of novice investors in NFTs creates plenty of 'low hanging fruit' targets. One newer disadvantage for the fraudster is that exchanges can blacklist specific NFTs from being sold once they are known to be compromised. This means that while a fraudster may get away with a heist, the NFT may be blacklisted from marketplaces before the fraudster can liquidate it for cryptocurrency.

The Bored Ape Yacht Club

The Start of NFT Phishing

The early forms of NFT phishing were oriented less towards phishing NFTs and more towards convincing people to buy worthless NFTs. Fraudsters would begin by locating many NFT communities and building a false media presence for a worthless NFT. They try to make an NFT look more popular than it is, sometimes taking over the identity of an already prominent NFT. The fraudsters would then build a site and sell worthless NFTs, either because the owner plans to exit scam or because they are impersonating an NFT they do not own. This is where the market started: elementary phishing schemes intended to get a buyer to purchase an NFT that holds no real value, whether because its apparent popularity was inflated for investors when there was no real hype, or because it impersonated a valuable project and sold inauthentic copies.

These methodologies would evolve into more complex schemes with time, and the earlier methodologies themselves became more advanced in their execution. Fraudsters would target large communities, sending the servers' administrators infected files to 'token log' their Discord accounts. To clarify, Discord keeps a user logged in with a stored session token, so when a target's token is 'logged', the fraudster can use the stolen token to log into the Discord account without the password. Tokens are typically logged either by convincing a person to send it or by sending an infected file that the victim has to execute. These administrators are authorized to send announcements to big Discord servers, so they can be used as pawns to spread the phishing site further using the reputation of the compromised Discord user or server. Fraudsters target popular Discord server administrators and spread their inauthentic NFT website through those compromised accounts, making announcements in big NFT communities. This still happens, but most operations have evolved to become more sophisticated, with even professional advertising agencies running these schemes and creating rug pull scams involving hundreds of celebrity faces. In some cases, fraudsters compromise Discord bots that hold high-level permissions in popular servers and leverage the bot's privileges to send mass messages, using features like Discord's webhooks. This is what happened to Grape Network, as detailed in this article.

Leveraging Discords

Before covering the more complex NFT schemes, it is important to understand NFT phishing, the most 'direct' form of NFT stealing. NFT phishing is typically executed by targeting users en masse; it is rare for a campaign to be launched against a single individual. The tactic calls for the phisher to locate big communities relating to cryptocurrencies and NFTs, where they can advertise their phishing scheme. The phishers find lists of large NFT trading communities, send mass messages on the platform (frequently Discord), and try to get as many people as possible to visit a website. This website asks the user to authorize a connection to their MetaMask, which is normal behaviour, but then displays an error prompting the target to enter their seed phrase. Another common way fraudsters trick targets into handing over wallet credentials is by promoting fake NFT airdrops/giveaways that require the target to enter their seed to receive the airdrop. The end goal of most NFT phishing schemes is to obtain the user's wallet seed and then drain the wallet of its cryptocurrency and/or NFTs. This can be done, as mentioned, by phishing the user's seed, but also through other means such as convincing the victim to grant the website full access to their MetaMask. A prime example of this was the Monkey Kingdom hack, where victims in a Discord were told there was a minting event for a SOL-based NFT, Monkey Kingdom, and were sent to a fake site where they would connect their MetaMask wallet and be drained of all their Solana. The phishing link was posted by people leveraging Discord webhooks to send announcements in the official Monkey Kingdom Discord, pointing to a domain that looked like the real Monkey Kingdom minting site.

The phishing link offered users the ability to mint, which victims are typically ecstatic to do; however, when they went to mint by connecting their MetaMask, they granted the site permission to send their SOL balance, and the site drained the entire balance instantly. It is estimated that about 1.3 million USD was lost in this phishing attack. Cointelegraph covered this hack extensively, along with how the Monkey Kingdom NFT responded to the incident.
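The Monkey Kingdom incident above hinged on two signals a server moderator could have checked mechanically: the announcement arrived through a webhook rather than a known team member, and the link pointed to a domain that merely resembled the official minting site. The following Python script is an added example written for this article's defensive angle, not code from the original post or from any NFT project. It scans constructed Discord announcement messages, extracts every link, and classifies each hostname as official, look-alike (homoglyph swaps, small edit distance, or the brand name buried in a hostile domain) or unknown, raising high-severity alerts for look-alikes and for any off-allowlist link sent via webhook. The allowlist domains, the message samples and the `*.example` hostnames are all constructed placeholders; the real Monkey Kingdom domain is not given on the page.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of a project's official hostnames (hypothetical; the
# real minting domain is not on the page). A moderator would maintain this.
OFFICIAL_DOMAINS = {"monkeykingdom.example", "mint.monkeykingdom.example"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def registrable(host):
    """Crude registrable-domain guess: the last two labels. Offline stand-in
    for a public-suffix list, good enough for the .example placeholders here."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def normalize_host(host):
    """Undo the character swaps most often used to build look-alike hostnames
    (rn->m, vv->w, digits that resemble letters) so they compare as intended."""
    for pair, single in (("rn", "m"), ("vv", "w")):
        host = host.replace(pair, single)
    return host.translate(str.maketrans("01357", "olest"))


def levenshtein(a, b):
    """Classic edit distance; small distances flag typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, official=OFFICIAL_DOMAINS, max_distance=2):
    """Return 'official', 'lookalike' or 'unknown' for a hostname."""
    raw = host.lower().rstrip(".")
    if raw.startswith("www."):
        raw = raw[4:]
    official_regs = {registrable(o) for o in official}
    # Exact match or genuine subdomain of an allowlisted domain: official.
    if raw in official or registrable(raw) in official_regs:
        return "official"
    norm = normalize_host(raw)
    host_reg = registrable(norm)
    for off_reg in official_regs:
        # Homoglyph swap or a typo-distance hit on the registrable domain.
        if host_reg == off_reg or levenshtein(host_reg, off_reg) <= max_distance:
            return "lookalike"
        # Brand name embedded in another domain, e.g. brand.evil.example or
        # brand-mint.example. Substring match is fine for a long brand like
        # this one; a short brand would need a stricter label-based test.
        brand = off_reg.split(".")[0]
        if brand in norm.replace("-", ""):
            return "lookalike"
    return "unknown"


def scan_message(text):
    """Yield (url, host, verdict) for every link in a message body."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            findings.append((url, host, classify_host(host)))
    return findings


def flag_announcements(messages):
    """messages: dicts with 'author', 'via_webhook', 'content'.
    Returns alerts for every link that is not on the official allowlist;
    look-alike domains and webhook-delivered links are rated high."""
    alerts = []
    for m in messages:
        for url, host, verdict in scan_message(m["content"]):
            if verdict == "official":
                continue
            high = verdict == "lookalike" or bool(m.get("via_webhook"))
            alerts.append({"author": m["author"], "url": url, "host": host,
                           "verdict": verdict, "severity": "high" if high else "medium"})
    return alerts


# Constructed sample announcements (not real Discord data).
SAMPLE_MESSAGES = [
    {"author": "ModBot (webhook)", "via_webhook": True,
     "content": "@everyone SURPRISE MINT is live! Mint now at https://monkeykingdorn.example/mint before it sells out"},
    {"author": "team-member", "via_webhook": False,
     "content": "Official mint page: https://mint.monkeykingdom.example/mint"},
    {"author": "random-user", "via_webhook": False,
     "content": "check https://discord.example/invite/abc"},
]

if __name__ == "__main__":
    for alert in flag_announcements(SAMPLE_MESSAGES):
        print(alert)
```

Run as-is, the script reports the webhook announcement as a high-severity look-alike (the `rn` in `monkeykingdorn` normalizes to `m`) and the unrelated invite link as a medium-severity unknown, while the team member's official link produces no alert. In practice a moderator bot would apply this to announcement channels and hold or delete flagged messages for review; the webhook signal matters because, as the article notes, webhooks let an attacker post with the server's own credibility.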

Discord Mass Messaging

“Crypto Drainers”

In blackhat marketplaces, it is nearly impossible to browse without seeing sales threads for 'fake minting' and 'crypto drainer' sites. These sites offer the phishing target the ability to 'mint' an NFT (either an NFT with artificial attention or a duplicate of a more popular NFT's site, to make minting seem like a good idea), ask the user to connect their cryptocurrency wallet, and then keep showing an error whenever the target sends cryptocurrency. The error is designed to look realistic and convince the end user that the payment did not go through, tempting them to try the transaction again. This runs in a loop until the target has no money left to send, and in exchange the target receives nothing. An example of this type of site is demonstrated here. The site itself is not hard to make; there are services on the blackhat market that develop fake minting sites for less than 300 USD. To reiterate, fraudsters typically either duplicate popular NFT minting sites, impersonating them to add demand to the fake minting opportunity, or advertise their own NFT while making it look like it has more demand than it does (building 'artificial' hype).

Crypto Drainer Site

Rug Pulls and Artificial Hype

Rug pulls are one of the most common forms of NFT scheme, as well as the most publicized. There have been very famous cryptocurrency rug pulls, such as the 'SQUID' token, whose rug pull created a 3 million USD profit for its creators. Similar rug pull schemes have been happening in the NFT market, such as the Frosties NFT. Frosties was an NFT from 2021 and early 2022 that resulted in several million dollars stolen and the US Department of Justice releasing several indictments against the founders of the NFT. Most rug pulls work by promoting an NFT and building hype around it to gain the attention of investors. Most of this hype, however, is not naturally occurring. Real hype is typically built by potential investors talking amongst themselves about an upcoming project, whereas artificial hype is developed via mass messaging and purchased article writing and publishing, alongside paid advertising.

Frosties
Twitter Mass Messaging for Artificial Hype

Rug Pulls v Fake Minting Sites

Fake minting sites offer the victim the ability to purchase an NFT that normally has prebuilt hype around it, but they provide no NFT when the transaction completes; they merely take cryptocurrency from the target's wallet. Rug pulls do provide an NFT to the customer, and the project requires far more real work, including real smart contract deployments. Rug pulls take time to develop, whereas fake minting sites can pop up at any time and require no real hype to develop. Fake minting sites do, however, require initial setup, such as preparing mass messaging services, coordinating the compromise of administrators of popular communities to promote the site, and the other tactics fraudsters use to promote their fake minting sites.

Conclusion

NFTs are a highly valuable target for fraudsters due to the massive number of inexperienced cryptocurrency investors in the market. NFT schemes revolve around false advertising and reaching massive numbers of people using automation software, such as mass Instagram messaging and mass Discord messaging. Scammers build hype around rug pull projects by the same methods, such as mass messaging on Discord; there is plenty of overlap in the methodologies used to execute NFT schemes.