The FBI warned that the account hijackers work to “create a sense of urgency” with their posts, and urged people to vet any website or potential opportunity before clicking on it.
The Federal Bureau of Investigation has warned of criminal actors that are hijacking social media accounts and posing as legitimate people in the nonfungible token and crypto space.
It also raised concerns over spoof websites that dupe victims into thinking they are using legitimate platforms in an effort to steal their NFTs/crypto.
The warning comes as the number of victims having their funds drained from these two types of scamming methods continues to grow.
In an Aug. 4 public service announcement, The FBI urged people to be aware of “criminal actors posing as legitimate NFT developers in financial fraud schemes targeting active users within the NFT community.”
“Criminals either gain direct access to NFT developer social media accounts or create almost identical accounts to promote new NFT releases. Fraudulent posts often aim to create a sense of urgency, using phrases like ‘limited supply,’ and refer to the promotion as a ‘surprise’ or previously unannounced mint.”
“Links provided in these announcements are phishing links directing victims to a spoofed website that appears to be a legitimate extension of a particular NFT project,” the FBI added.
Generally, the scam websites prompt people to connect their wallets to claim or purchase NFTs, but are instead connected to a drainer smart contract, resulting in a loss of person’s funds or assets.
However, it is worth noting that it can sometimes be more complicated than that. There are some other ways that people can have their funds drained even when not directly choosing to connecting their wallet to a dubious website.
In an April. 5 X (Twitter) thread, user @robbyhammz stated that they mistakenly clicked on a spoof Looks Rare NFT marketplace website and didn’t connect their hot wallet, but still had more than $300,000 worth of NFTs stolen.
Alarmingly the fake website was promoted at the top of Google’s search results as a paid ad, which is something that has been a long-running issue yet to be solved by Google.
Was just talking with @bax1337 earlier today about how Google Ads phishing scams are out of control. Surprised no one has organized a class action against them. Have easily seen 8 figures stolen from them recently.
— ZachXBT (@zachxbt) August 5, 2023
There was a lot of debate in the comments as to how the victim could have their NFTs drained without connecting their wallet.
Some argued that malware enabling access or control to the victim’s PC was at play, while others suggested the scam website may have had a hidden MetaMask wallet signature link somewhere that was accidentally clicked.
On the same day, Web3 anti-scam platform Scam Sniffer tweeted that someone else had also lost $446,000 worth of Bitcoin (BTC), Ether (ETH) and Pepe ($PEPE) due to a phishing link.
Scam Sniffer indicated that the Pink drainer address was behind the phishing hack, while ZachXBT highlighted that it may have happened via two fake airdrop links promoted by @AvalancheApp and @QwQiao — two accounts that were hijacked over the previous 24 hours.
These two happened in past 24 hrs pic.twitter.com/KV5Kaxhihf
— ZachXBT (@zachxbt) August 5, 2023
In the FBI’s warning, it outlined a handful of tips for people to protect themselves from these types of scams.
The FBI emphasized that people should research and “vet any opportunity” such as surprise NFT drops or giveaways before clicking on links. It also urged people to double-check for any discrepancies in website URLs or account names, to avoid falling victim to impersonators.