The United States Federal Bureau of Investigation (FBI) has warned of criminal actors hijacking social media accounts and posing as legitimate people in the nonfungible token (NFT) and crypto space.
It also raised concerns over spoof websites that dupe victims into thinking they are using legitimate platforms to steal their NFTs or crypto.
The warning comes as the number of victims having their funds drained from these two types of scamming methods continues to grow.
In an Aug. 4 public service announcement, The FBI urged people to be aware of “criminal actors posing as legitimate NFT developers in financial fraud schemes targeting active users within the NFT community.”
“Criminals either gain direct access to NFT developer social media accounts or create almost identical accounts to promote new NFT releases. Fraudulent posts often aim to create a sense of urgency, using phrases like ‘limited supply,’ and refer to the promotion as a ‘surprise’ or previously unannounced mint.”
“Links provided in these announcements are phishing links directing victims to a spoofed website that appears to be a legitimate extension of a particular NFT project,” the FBI added.
Generally, the scam websites prompt people to connect their wallets to claim or purchase NFTs but are instead connected to a drainer smart contract, resulting in a loss of a person’s funds or assets.
However, it can sometimes be more complicated than that. There are some other ways that people can have their funds drained even when not directly choosing to connect their wallet to a suspicious website.
In an Aug. 5 X (formerly Twitter) thread, user StockEd stated that they mistakenly clicked on a spoof LooksRare NFT marketplace website and didn’t connect their hot wallet but still had more than $300,000 worth of NFTs stolen.
Alarmingly, the fake website was promoted at the top of Google’s search results as a paid ad, which has been a long-running issue yet to be solved by Google.
Was just talking with @bax1337 earlier today about how Google Ads phishing scams are out of control. Surprised no one has organized a class action against them. Have easily seen 8 figures stolen from them recently.
— ZachXBT (@zachxbt) August 5, 2023
There was much debate in the comments as to how the victim could have their NFTs drained without connecting their wallet.
Some argued that malware enabling access or control to the victim’s computer was at play, while others suggested the scam website may have had a hidden MetaMask wallet signature link somewhere that was accidentally clicked.
Related: Zero transfer scammer steals $20M USDT, gets blacklisted by Tether
On the same day, Web3 anti-scam platform Scam Sniffer tweeted that someone else had also lost $446,000 worth of Bitcoin (BTC), Ether (ETH) and Pepe (PEPE) to a phishing link.
Scam Sniffer indicated that the Pink drainer address was behind the phishing hack, while ZachXBT highlighted that it may have happened via two fake airdrop links promoted by Avalanche and QwQiao — two accounts that were hijacked over the previous 24 hours.
These two happened in past 24 hrs pic.twitter.com/KV5Kaxhihf
— ZachXBT (@zachxbt) August 5, 2023
In the FBI’s warning, it outlined a handful of tips for people to protect themselves from these types of scams.
The FBI emphasized that people should research and “vet any opportunity,” such as surprise NFT drops or giveaways, before clicking on links. It also urged people to double-check for any discrepancies in website URLs or account names to avoid falling victim to impersonators.
Magazine: Deposit risk: What do crypto exchanges really do with your money?