Where there is massive financial opportunity, there are malicious actors, and recently scams have plagued the NFT industry.
Unfortunately, the sophistication and effort of the recent scams have been sufficient to take down both industry veterans and new participants.
In this piece, we'll explore some of the recent NFT scams and share what we know about the attack vectors and vulnerabilities.
1. New: ApeCoin Scams
On March 17, 2022, Yuga Labs, the founders of Bored Ape Yacht Club, opened the claim for the ecosystem token, ApeCoin ($APE).
This claim, though, opened a new attack vector and opportunity for NFT scammers.
Here's how it works.
First, bad actors purchase verified Twitter accounts that have been compromised or had previously leaked credentials.
Next, they tweet out phishing links to a fake ApeCoin claim.
Because the account is verified, unsuspecting users gain a sense of legitimacy, and those who act in haste rush to connect their wallet to a fake site.
After connecting, users sign a message and approve a function call that gives the scammer access to their tokens, draining wallets that contain NFTs and more.
2. Reused: Ape Animation Scam
The scammer provides a link to a website that promises to create an animated version of a Bored Ape Yacht Club or Mutant Ape Yacht Club NFT.
Once again, upon connecting and finalizing a token approval transaction, the scammer gains access to the respective NFT and perhaps more from the participant's wallet.
In this instance, the scam was promoted through another verified Twitter account that was previously compromised.
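Both the fake ApeCoin claim and the Ape animation site depend on the victim signing a token approval. The following is an added example, not code from this article or from any wallet: a check that decodes the calldata a site asks a wallet to sign and flags approval calls. The function selectors are the standard ERC-20 and ERC-721/ERC-1155 ones, and the addresses, the sample calldata and the `trusted` allowlist are constructed assumptions.

```python
# Added example (not from the article): flag token-approval calls in calldata
# that a site asks a wallet to sign. Selectors are the standard ERC-20 /
# ERC-721 / ERC-1155 ones; all addresses below are constructed.
APPROVE = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1
ZERO_ADDRESS = "0x" + "00" * 20

def _word(data: bytes, index: int) -> int:
    """Return the index-th 32-byte ABI argument word after the selector."""
    word = data[4 + 32 * index: 36 + 32 * index]
    if len(word) != 32:
        raise ValueError("calldata too short for this call")
    return int.from_bytes(word, "big")

def _address(word: int) -> str:
    if word >> 160:
        raise ValueError("address argument has non-zero padding")
    return "0x" + format(word, "040x")

def review_calldata(calldata_hex: str, trusted=()) -> dict:
    """Classify one transaction's calldata before the user signs it."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    trusted = {t.lower() for t in trusted}
    selector = data[:4].hex()
    if selector == SET_APPROVAL_FOR_ALL:
        operator, approved = _address(_word(data, 0)), _word(data, 1) != 0
        # approved=True hands the operator every token in the collection.
        risk = "high" if approved and operator not in trusted else "low"
        return {"call": "setApprovalForAll", "operator": operator,
                "approved": approved, "risk": risk}
    if selector == APPROVE:
        spender, value = _address(_word(data, 0)), _word(data, 1)
        # Same selector for ERC-20 (value = amount) and ERC-721 (value = token id).
        harmless = spender == ZERO_ADDRESS or spender in trusted
        return {"call": "approve", "spender": spender,
                "unlimited": value == MAX_UINT256,
                "risk": "low" if harmless else "high"}
    return {"call": "other", "selector": selector, "risk": "unknown"}

# Constructed samples: an operator approval and an unlimited ERC-20 approval.
SAMPLE_OPERATOR = "0xa22cb465" + "00" * 12 + "11" * 20 + "00" * 31 + "01"
SAMPLE_UNLIMITED = "0x095ea7b3" + "00" * 12 + "22" * 20 + "ff" * 32

if __name__ == "__main__":
    for sample in (SAMPLE_OPERATOR, SAMPLE_UNLIMITED):
        print(review_calldata(sample))
```

A "high" result means the call grants spending rights to an address that is not on the caller's allowlist; a claim or animation site has no need for such a grant.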
3. New: Google Doc Scam
Last week, Twitter user @Arthur_0x had his wallet drained of likely millions of dollars in assets.
Arthur is the founder of DeFiance Capital, a crypto venture fund focusing on DeFi and Blockchain gaming. This is important because it indicates that even those with an immense amount of crypto and NFT experience can fall victim to these scams.
In this example, Arthur first received what appeared to be a typical email with a Google Doc attachment entitled "A Huge Risk of Stablecoin (Protected).docx." Receiving an email that appears to be from a trusted source or a relevant party is known as spear-phishing.
In this case of spear-phishing, Arthur wasn't alarmed to receive an email with an investment thesis or research paper regarding stablecoins, as he is a venture capitalist in the crypto space.
Unfortunately though, it is likely the hacker was able to get confidential information out of Arthur as a result of him engaging with this malicious document.
While the details are sparse, Arthur also alleges that this attack was done by the Lazarus Group, a cybercrime unit that is run by individuals for the North Korean state.
Found out the likely root cause for the exploit, it's a targeted social engineering attack. Received a spear-phishing email that really seems to be sent by one of our portco with content that seems like general industry-relevant content.
They are likely targeting all crypto peep pic.twitter.com/SegYBcoLX2
— Arthur 🌔⛩️🦔👻 (@Arthur_0x) March 22, 2022
4. Reused: Airdrop Scam
Another scam that has returned involves an airdropped NFT that is designed to look like it came from a legitimate collection.
Here's how it works.
From these NFT collections, the user is then drawn to click a link to a website feigning to be from the real collection. From here, any interaction or token approval from the participant to the bad actor puts all the user's funds at risk.
Fortunately, most fake collections are now automatically sent to the "Hidden" folder within a user's OpenSea profile. However, if needed, a user can send an NFT to their hidden folder by selecting "more options - hide" inside their OpenSea profile.
WALLETS WITH AZUKI WERE SENT THESE NFTS THIS MORNING. DO NOT TOUCH! DO NOT INTERACT! THIS IS NOT AFFILIATED WITH AZUKI AT ALL! MOST LIKELY A SCAM MADE TO DRAIN WALLET IF YOU INTERACT WITH IT. @AzukiZen #hatescammers pic.twitter.com/CaGH0VKTiB
— Makunishere (@makunishere) March 21, 2022
5. Reused: Discord Hack NFT Scams
A Discord hack is the most common scam in the NFT industry.
In most cases, like the Capsule House hack, the scammer disables the team's ability to respond to the hack and creates a fake mint site for a "new" or "stealth mint."
Instead of minting, though, users are generally just sending ETH to the hacker's address, with no NFT in return.
Thank you for your patience as we continue to review yesterday's event. In short, this particular hack was novel due to the usage of a malicious bot + attempt to cover up tracks + attempt to leave permissioned accounts inside the Discord.
Here is what we know so far:
— CAPSULE HOUSE ✨💊✨ (@capsule_house) March 22, 2022
At Lucky Trader, we want all of our users to enjoy success in the NFT space. To learn more about how to protect yourself, check out our post on how to stay safe from NFT scams.