The Federal Bureau of Investigation (FBI) recently issued a warning to potential NFT buyers to beware of bogus websites that use “drainer smart contracts” to steal from crypto wallets.
The scammers either hack social media accounts belonging to real NFT projects or create near-identical profiles capable of misleading casual observers, the FBI says. They then use these accounts to promote fake NFT releases. The posts use compelling language that often stresses terms like “limited supply” to create a false sense of urgency.
The links on the posts can direct potential victims to phishing websites that have been made to look like extensions of actual NFT projects.
Once on the website, visitors are asked to connect their crypto wallets to purchase the bogus NFTs. However, if anyone falls for the scam and links their wallet, they give access to a smart contract designed to siphon any cryptocurrencies or NFTs stored in the wallets.
According to the agency, the scammers then move the stolen assets through several crypto mixers and exchanges to conceal their origin and destination.
The FBI report comes at a time when sales of stolen NFTs are occurring at a faster rate. According to cybersecurity firm PeckShield, stolen NFTs are usually sold within a span of just 165 minutes. More than 67 percent are sold on the marketplace Blur, and more than 19 percent are sold on OpenSea.
Roughly $1.73 million worth of NFTs were stolen in July — significantly less than the $16.2 million that was reported stolen in February.
Given the growing prevalence of these attacks, the FBI issued several tips for crypto users to protect themselves. Chief among them was the need to thoroughly research any so-called “surprise” opportunity before taking it up.
Social media accounts promoting airdrops or NFT sales are also suspect. The FBI advises that checking for different spellings, the number and quality of followers, and account histories could help users determine whether social media accounts are genuine or fake.
The agency also cautioned crypto users to confirm whether any websites they visit are real or cloned.
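The spelling and cloned-site checks the FBI recommends can be partly automated before a wallet is ever connected. The sketch below is an added example, not code from the FBI advisory or from any NFT project: it compares the hostname in a promoted link against a list of domains the user has already verified and flags near matches. The allowlist, the look-alike character map and the distance threshold are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains the user has verified out-of-band (assumption).
OFFICIAL = {"examplenft.io", "opensea.io", "blur.io"}

# Characters commonly swapped for look-alikes (illustrative, not exhaustive).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0456": "i",  # Cyrillic
})

def hostname(url):
    """Return the lowercase host of a URL, without a leading 'www.'."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def skeleton(host):
    """Collapse look-alike characters and hyphens so near-clones compare equal."""
    return host.translate(CONFUSABLES).replace("-", "").replace("rn", "m")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, max_distance=2):
    """Return (verdict, matched_domain) for the host in a promoted link."""
    host = hostname(url)
    for good in OFFICIAL:
        if host == good or host.endswith("." + good):
            return ("official", good)
    for good in sorted(OFFICIAL):
        if edit_distance(skeleton(host), skeleton(good)) <= max_distance:
            return ("lookalike", good)  # close to a real name but not it
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample links, as they might appear in a promotional post.
    for link in ["https://www.opensea.io/collection/x", "https://0pensea.io/mint",
                 "https://example-nft.io/claim", "https://wikipedia.org/wiki/NFT"]:
        print(link, "->", classify(link))
```

An "unknown" verdict only means the host resembles nothing on the allowlist; it still has to be confirmed against the project's official channels.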