The FBI is advising potential NFT buyers to be on the lookout for malicious websites that use “drainer smart contracts” to surreptitiously loot cryptocurrency wallets.
The websites present themselves as outlets for legitimate NFT projects that provide new offerings. They’re promoted by compromised social media accounts belonging to known NFT developers or accounts made to look like such accounts. Posts frequently try to create a sense of urgency by using phrases such as “limited supply” or by referring to the promotion as a “surprise” or the result of a previously unannounced token minting.
“The spoofed websites invite victims to connect their cryptocurrency wallets and purchase the NFT,” FBI officials wrote in a Friday advisory. “The victims unknowingly connect their cryptocurrency wallets to a drainer smart contract, resulting in the transfer of cryptocurrency and NFTs to wallets operated by criminals.”
From there, the scammers often launder the stolen assets through a series of cryptocurrency exchanges or other services that mix them with assets of others, in an attempt to obfuscate the path and final destination of the stolen NFTs.
Smart contracts are a type of computer code that executes an agreement or transaction, usually involving the transfer of digital assets. Crooks often use smart contracts that contain bugs or loopholes that transfer millions of dollars in assets from one or more parties entering into the agreement.
NFT is short for non-fungible token. It most frequently refers to visual art in digital form such as images, but can at least theoretically encompass anything in digital form including music, video game items, or domain names. While the image or other media can be copied, a non-fungible—meaning unique or irreplaceable—token embedded in the media can’t be duplicated. The token is supposed to serve as proof that the holder is the rightful owner of the art. Some NFTs have sold for millions of dollars.
Internet Crime Complaint Center. FBI officials advise that people include any links, social media or cryptocurrency accounts, or domains used in the scam and use the keyword “NFTHack.”