ZeroFox Intelligence has observed an emerging threat being advertised as an NFT drainer and has released the following information as of September 21, 2022.
- A credible dark web actor is advertising an updated non-fungible token (NFT) drainer aimed at the latest version of MetaMask, indicating a burgeoning market for more sophisticated attack vectors aimed at the NFT user base.
- Threat actors’ shift to more sophisticated exploits tracks with the increase in general awareness and popularity of NFTs, which provide a lucrative target base.
A credible dark web actor is advertising an updated NFT drainer aimed at the latest version of MetaMask, indicating a burgeoning market for more sophisticated attack vectors aimed at the NFT user base. In early September 2022, on the popular Russian-language dark web forum exploit[.]in, well-regarded threat actor “jezabeth” announced a new NFT drainer capable of draining ERC-20, ERC-1155, ERC-721, and Ethereum (ETH) tokens; the actor is selling this drainer for 8 ETH, which is valued at about USD 10,790.
- According to the actor, the victim’s NFTs are accessed by employing Seaport contract signatures, which drain tokens without the user being prompted to pay transaction fees; the actor emphasizes that this tool bypasses the latest MetaMask update.
Crypto and NFT-related scams have risen in line with increased adoption over the last 18 months, as threat actors continue to develop new techniques to exploit the lack of regulation within the space. NFT drainers are one example of such techniques and are widely leveraged by scammers due to their relative ease of acquisition; multiple versions of NFT drainer source code remain readily available on open source repositories such as GitHub, as well as within private messaging channels in Telegram.
NFT drainers are typically designed to replicate existing NFT projects and their respective websites, leveraging malicious smart contracts to steal the contents of a victim’s crypto wallet. Threat actors will often deploy drainers by:
- Creating scam projects of their own to build hype and attract prospective investors, culminating in a fake minting website.
- Hacking Discord channels and Twitter profiles of existing projects to insert malicious “surprise mints” or other enticing links to dupe communities.
- Inserting phishing links on the social media profiles of legitimate projects and notable influencers.
All methods ultimately require user interaction with a malicious smart contract. Scammers will often also use social media bots to artificially grow a fake account so that it appears legitimate, as well as to spread phishing messages.
NFT projects and their followers are particularly vulnerable to scams due to the speculative nature of the NFT market and the many users seeking potentially lucrative gains. Hyped projects have often sold out within hours—or in some cases minutes—enabling scammers to capitalize on investors reacting quickly to project launches and follow-up offerings.
To protect users from wallet-draining scams, some cryptocurrency wallets have introduced an additional security layer that prompts the user for permission rather than granting access automatically, giving users time to reconsider before approving. However, threat actors like “jezabeth” are innovating to counter the defenses of wallets like MetaMask.
Users should always keep up to date with current security practices, including:
- Always check wallet transactions and approvals when interacting with contracts.
- Do not click suspicious or unexpected links sent as direct messages or on social media channels.
- Never share private keys or seed phrases. Ensure these are stored offline and not on devices or cloud storage.
- Use a cold storage hardware wallet to store assets; never keep assets in hot wallets that are used to interact with contracts.
- Avoid purchasing hardware wallets from third-party resellers or pre-owned wallets, as these may have already been compromised.
- Ensure due diligence is carried out on any project before investing; check the profile and background of a project and its founders.
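The Seaport-signature technique described above and the first recommendation in this list (check transactions and approvals before interacting with contracts) point to the same defensive control: inspecting what a signing request actually authorizes before approving it. The following is an added example, not code from ZeroFox or from any wallet vendor, of a wallet-side heuristic that examines an EIP-712 Seaport `OrderComponents` payload and flags an order in which the signer gives items away and receives nothing in return. Field names follow the public Seaport struct; the `assessSeaportSigningRequest` function, its risk thresholds, and the sample requests are constructed for this illustration.

```javascript
// Added example, not part of the ZeroFox brief: a wallet-side heuristic that
// inspects an EIP-712 signing request before the user approves it and flags
// Seaport orders in which the signer gives items away and receives nothing.
// Field names follow the public Seaport OrderComponents struct; the thresholds
// and the sample requests below are constructed for illustration.

const ONE_YEAR = 365 * 24 * 3600;

// Amounts in typed data arrive as decimal strings; BigInt avoids precision loss.
function amountOf(item) {
  return BigInt(item.startAmount ?? '0');
}

// Returns { risk, findings } for a typed-data payload. nowSeconds is injectable
// so the expiry check is deterministic in tests.
function assessSeaportSigningRequest(typedData, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typedData.primaryType !== 'OrderComponents') {
    return { risk: 'none', findings: ['not a Seaport order; other checks apply'] };
  }
  const msg = typedData.message;
  const offerer = String(msg.offerer).toLowerCase();
  const offer = msg.offer ?? [];
  const consideration = msg.consideration ?? [];
  const findings = [];

  // What the signer hands over.
  const given = offer.filter((i) => amountOf(i) > 0n);
  // What the signer gets back: only consideration paid to the offerer counts,
  // so marketplace fees routed elsewhere are not mistaken for payment.
  const received = consideration.filter(
    (i) => amountOf(i) > 0n && String(i.recipient).toLowerCase() === offerer
  );

  if (given.length > 0 && received.length === 0) {
    findings.push(`signer gives ${given.length} item(s) and receives nothing`);
  }
  // Criteria-based items (itemType 4/5) with criteria 0 match any token id in the collection.
  for (const i of offer) {
    if (Number(i.itemType) >= 4 && String(i.identifierOrCriteria) === '0') {
      findings.push(`offer covers every token in collection ${i.token}`);
    }
  }
  // A distant endTime keeps an already-signed, gas-free order redeemable for a long time.
  if (Number(msg.endTime ?? 0) > nowSeconds + ONE_YEAR) {
    findings.push('order remains valid for more than one year');
  }

  let risk = 'low';
  if (findings.length > 0) risk = 'medium';
  if (given.length > 0 && received.length === 0) risk = 'high';
  return { risk, findings };
}

// Constructed addresses and a fixed clock (2022-09-21T00:00:00Z, the brief's date).
const SELLER = '0x1111111111111111111111111111111111111111';
const NFT = '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';
const NOW = 1663718400;

// Constructed sample: an ordinary listing, one ERC-721 sold for 1 ETH paid to the seller.
const LEGIT_LISTING = {
  primaryType: 'OrderComponents',
  message: {
    offerer: SELLER,
    offer: [{ itemType: 2, token: NFT, identifierOrCriteria: '42', startAmount: '1', endAmount: '1' }],
    consideration: [{ itemType: 0, token: '0x0000000000000000000000000000000000000000', identifierOrCriteria: '0',
      startAmount: '1000000000000000000', endAmount: '1000000000000000000', recipient: SELLER }],
    startTime: String(NOW), endTime: String(NOW + 7 * 24 * 3600),
  },
};

// Constructed sample that trips every check: the signer's whole collection on
// offer, nothing in return, and an expiry far in the future.
const DRAIN_REQUEST = {
  primaryType: 'OrderComponents',
  message: {
    offerer: SELLER,
    offer: [{ itemType: 4, token: NFT, identifierOrCriteria: '0', startAmount: '1', endAmount: '1' }],
    consideration: [],
    startTime: String(NOW), endTime: String(NOW + 10 * ONE_YEAR),
  },
};

console.log(assessSeaportSigningRequest(LEGIT_LISTING, NOW)); // risk: 'low'
console.log(assessSeaportSigningRequest(DRAIN_REQUEST, NOW));  // risk: 'high', three findings
```

The heuristic only covers the Seaport order shape; a wallet applying this idea would need equivalent checks for the other request types it is asked to sign, which this example does not model. The point of the "received" filter is that a legitimate sale always pays the offerer something, so an order whose consideration is empty or routed entirely to other recipients is the signature-only draining pattern the brief describes.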
For more from ZeroFox Intelligence, download the Quarterly Threat Landscape Report.