Non-fungible tokens, more commonly known as NFTs, are rare collectible assets sold online for cryptocurrency. On the news, you may have heard about the Bored Ape Yacht Club (BAYP), images of apes that are worth upwards of hundreds of thousands of dollars, which is one of the most famous NFT lines. NFTs are based on cryptocurrencies and share blockchains with them, however owning an NFT is far different than owning cryptocurrencies. NFTs are far more publicly looked at than individual’s cryptocurrency wallets as NFTs are meant to be collected, therefore fraudsters who steal NFTs are more subject to having their heist covered by the media. The media covering a heist can make the heist more high-profile and make the fraudster nervous that they will be investigated. While there is more risk, NFTs tend to be easier to steal due to how many holders use web-wallets, on top of the amount of novice investors using NFTs, making plenty of ‘low hanging fruit’ targets. One new disadvantage of NFTs is the ability of exchanges to blacklist certain NFTs from being sold in the case that they are known to be compromised. This means that while a fraudster may get away with a heist, the NFT may become blacklisted from marketplaces before the fraudster liquidates the NFT for cryptocurrency.
The Start of NFT Phishing
The early forms of NFT phishing were less oriented towards phishing NFTs, but rather convincing people to buy worthless NFTs. Fraudsters would begin by locating a lot of NFT communities and building a false media presence for a worthless NFT. The fraudsters try to make an NFT look more popular than it is, sometimes taking over the identity of an already prominent NFT. The fraudsters would make a site and sell worthless NFTs, either because the owner plans to exit scam or because they’re impersonating an NFT that they don’t own. This is where the market started, elementary phishing schemes with intent to get a buyer to purchase an NFT that holds no real value, whether because its magnitude of popularity looked high to investors when there was no real hype, or because it was impersonating a valuable project, selling inauthentic copies.
Before covering the more complex NFT schemes, it is important to understand NFT phishing, the most ‘direct’ form of NFT stealing. NFT phishing is executed by mass targeting users typically, it is rare that individuals launch a campaign to phish an individual. The tactic calls for the phisher to locate big communities relating to cryptocurrencies and NFTs, where they can advertise their phishing scheme. The phishers will find lists of big communities of NFT traders where they will execute mass messages on the platform, frequently Discord, and try to get as many people to access a website as possible. This website will request the user authorize a connection to their Metamask, which is normal behavior, but then prompt an error requesting the target to enter their seed phrase. Another common way fraudsters trick targets to providing credentials to their wallet is via promoting fake NFT airdrops/giveaways that require the target to enter their seed to receive the airdrop. The end goal of most NFT phishing schemes is to obtain the user’s wallet seed and then drain the user’s wallet of their cryptocurrency and/or NFTs. This can be done as mentioned via phishing a user’s seed, but also through other miscellaneous means such as convincing the phishing victim to grant the website full access to their Metamask. A prime example of this was the Money Kingdom hack, where victims in a Discord were told that there was a minting event for a SOL-based NFT, Money Kingdom, and hackers sent phishing victims to a fake site where users would connect their Metamask wallet and be drained of all their Solana. The phishing link was sent by people leveraging Discord webhooks to send out announcements to the official Monkey Kingdom Discord, to a domain look-alike to the real Monkey Kingdom minting site. The phishing link offered users the ability to mint, which victims are typically ecstatic to do, however when they go to mint by connecting their Metamask, they grant the site permission to send their SOL balance, and the site then drains their entire balance instantly. It is estimated about 1.3 million USD was lost in this phishing attack. Cointelegraph covered this hack extensively along with how the Monkey Kingdom NFT responded to the incident.
In blackhat marketplaces, it is nearly impossible to browse without seeing sales threads for ‘fake minting’ and ‘crypto drainer’ sites. These sites offer the phishing target the ability to ‘mint’ an NFT, which can be an NFT with artificial attention or a duplicate site of a more popular NFT (to make minting the NFT seem like a good idea), ask the user to connect their cryptocurrency wallet, but keep showing an error when the target sends the cryptocurrency. This error is designed to look realistic and convince the end-user that they didn’t send the money, tempting the user to try to conduct the transaction again. This runs in a loop until the target has no money to send left, and in exchange the target receives nothing. An example of this type of site is demonstrated here. The site itself is not hard to make, there are services on the blackhat market to develop fake minting sites for less than 300 USD. To reiterate, fraudsters typically either duplicate popular NFT minting sites, impersonating them to add demand to the fake minting opportunity, or they advertise their own NFT, making it look like it has more demand than it does (building ‘artificial’ hype).
Rug Pulls and Artificial Hype
Rug pulls are one of the most common forms of NFT schemes on top of being the most publicized. There have been very famous cryptocurrency rug pulls, such as the ‘SQUID’ token being rug pulled creating a 3 million USD profit for the creators. Similar rug pull schemes have been happening in the NFT market, such as the Frosties NFT. Frosties was an NFT from 2021 and early 2022 that resulted in several million dollars stolen and the US Department of Justice releasing several indictments on the founders of the NFT. Most rug pulls are made via promoting an NFT and building hype around it, to gain the attention of investors. Most of this hype however isn’t naturally occurring, real hype is typically built by potential investors talking amongst themselves regarding an upcoming project, however most artificial hype is developed via mass messaging, purchased article writing and publishing, amongst paid advertisement.
Rug Pulls v Fake Minting Sites
Fake minting sites are sites that offer the victim the ability to purchase an NFT that normally has prebuilt hype around it, but don’t provide an NFT when the transaction is complete, it merely just takes cryptocurrency from the target’s wallet. Rug pulls provide an NFT to the customer and the project requires a lot more real work and require real smart contract deployments. Rug pulls take time to develop, but fake minting sites can pop up at any time and take no real hype to develop. Fake minting sites however do require initial setup, such as preparing mass messaging services, coordinating compromising administrators to popular communities to promote the fake minting site, and other tactics fraudsters use to promote their fake minting sites.
NFTs are a highly valuable target for fraudsters due to the massive amount of unexperienced cryptocurrency investors involved in the market. NFT schemes revolve around false advertising and reaching massive amounts of people using automating software, such as mass Instagram messaging and mass Discord messaging. Scammers build hype around rugpull projects by similar methods like mass messaging on Discord - there is plenty of overlap in methodologies used to execute NFT schemes.