Flash Report: NFT Drainer Claims to Bypass Cryptocurrency Wallet Update
ZeroFox Intelligence has observed an emerging threat being advertised as an NFT drainer and has released the following information as of September 21, 2022.
Key Findings
- A credible dark web actor is advertising an updated non-fungible token (NFT) drainer aimed at the latest version of MetaMask, indicating a burgeoning market for more sophisticated attack vectors aimed at the NFT user base.
- Threat actors’ shift to more sophisticated exploits tracks with the increase in general awareness and popularity of NFTs, which provide a lucrative target base.
Analyst Commentary
A credible dark web actor is advertising an updated NFT drainer aimed at the latest version of MetaMask, indicating a burgeoning market for more sophisticated attack vectors aimed at the NFT user base. In early September 2022, well-regarded threat actor “jezabeth” announced a new NFT drainer capable of draining ERC-20, ERC-1155, ERC-721, and Ethereum (ETH) tokens on the popular Russian-language dark web forum exploit[.]in; the actor is selling this drainer for 8 ETH, which is valued at about USD 10,790.
- According to the actor, the victim’s NFTs are accessed by employing Seaport contract signatures, which drain tokens without the user being prompted to pay transaction fees; the actor emphasizes that this tool bypasses the latest MetaMask update.
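The mechanism the actor describes relies on Seaport orders being EIP-712 messages signed off-chain: the victim signs a listing, the fulfiller later submits and pays for the on-chain transaction, so the victim never sees a gas prompt. The following added example (not the report's or the actor's code) is a defensive pre-signing check that inspects such a request and flags an order that hands over NFTs with no payment back to the signer; field names follow Seaport 1.1 `OrderComponents`, and all addresses, token IDs and timestamps are constructed.

```javascript
// Seaport ItemType enum; the criteria variants (4, 5) still transfer NFTs.
const ITEM = { NATIVE: 0, ERC20: 1, ERC721: 2, ERC1155: 3, ERC721_CRITERIA: 4, ERC1155_CRITERIA: 5 };
const NFT_TYPES = new Set([ITEM.ERC721, ITEM.ERC1155, ITEM.ERC721_CRITERIA, ITEM.ERC1155_CRITERIA]);
const ONE_YEAR = 365 * 24 * 3600;

// Review an EIP-712 signing request before approving it. Returns human-readable
// findings; an empty list means nothing about the order looked unusual.
function reviewSeaportOrder(typedData, walletAddress) {
  const findings = [];
  const me = walletAddress.toLowerCase();
  if (typedData.domain?.name !== "Seaport") return findings; // not a Seaport order: out of scope here
  if (typedData.primaryType !== "OrderComponents") {
    findings.push(`unexpected Seaport primaryType ${typedData.primaryType}`);
    return findings;
  }
  const order = typedData.message;
  if (order.offerer.toLowerCase() !== me) findings.push("offerer is not the signing wallet");
  // What leaves the wallet: every NFT item in the offer array.
  const nftsOffered = order.offer.filter((item) => NFT_TYPES.has(Number(item.itemType)));
  // What comes back: ETH / ERC-20 consideration items whose recipient is the signer.
  const paidToSigner = order.consideration
    .filter((c) => c.recipient.toLowerCase() === me && Number(c.itemType) <= ITEM.ERC20)
    .reduce((sum, c) => sum + BigInt(c.startAmount), 0n);
  if (nftsOffered.length > 0 && paidToSigner === 0n) {
    findings.push(`gives away ${nftsOffered.length} NFT item(s) with no payment to the signer`);
  }
  // A signed order stays fulfillable until endTime; a multi-year window is a red flag.
  if (Number(order.endTime) - Number(order.startTime) > ONE_YEAR) findings.push("order stays valid for more than a year");
  return findings;
}

// Constructed sample data (other OrderComponents fields omitted; the checker does not read them).
const WALLET = "0x1111111111111111111111111111111111111111";
const NFT_CONTRACT = "0x2222222222222222222222222222222222222222";
const ZERO = "0x0000000000000000000000000000000000000000";
const asTypedData = (message) => ({ domain: { name: "Seaport", version: "1.1", chainId: 1 }, primaryType: "OrderComponents", message });

// A genuine listing: one ERC-721 offered for 1 ETH paid to the signer, valid for a week.
const LEGIT_ORDER = asTypedData({
  offerer: WALLET,
  offer: [{ itemType: 2, token: NFT_CONTRACT, identifierOrCriteria: "42", startAmount: "1", endAmount: "1" }],
  consideration: [{ itemType: 0, token: ZERO, identifierOrCriteria: "0", startAmount: "1000000000000000000", endAmount: "1000000000000000000", recipient: WALLET }],
  startTime: "1663718400", endTime: "1664323200",
});
// A drainer-style request dressed up as a "free mint": same NFT, empty consideration, no expiry.
const DRAIN_ORDER = asTypedData({
  offerer: WALLET,
  offer: [{ itemType: 2, token: NFT_CONTRACT, identifierOrCriteria: "42", startAmount: "1", endAmount: "1" }],
  consideration: [],
  startTime: "1663718400", endTime: "9999999999",
});
```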
Crypto and NFT-related scams have risen in line with increased adoption over the last 18 months, as threat actors continue to develop new techniques to exploit the lack of regulation within the space. NFT drainers are one example of such techniques and are widely leveraged by scammers due to their relative ease of acquisition; multiple versions of NFT drainer source code remain readily available on open source repositories such as GitHub, as well as within private messaging channels in Telegram.
NFT drainers are typically designed to replicate existing NFT projects and their respective websites, leveraging malicious smart contracts to steal the contents of a victim’s crypto wallet. Threat actors will often deploy drainers by:
- Creating scam projects of their own to build hype and collect prospective investors, culminating in a fake minting website.
- Hacking Discord channels and Twitter profiles of existing projects to insert malicious “surprise mints” or other enticing links to dupe communities.
- Inserting phishing links on the social media profiles of legitimate projects and notable influencers.
All methods ultimately require user interaction with a malicious smart contract. Scammers also often use social media bots to artificially grow a fake account so that it appears legitimate, as well as to spread phishing messages.
NFT projects and their followers are particularly vulnerable to scams due to the speculative nature of the NFT market and the many users seeking potentially lucrative gains. Hyped projects have often sold out within hours, or in some cases minutes, enabling scammers to capitalize on investors reacting quickly to project launches and follow-up offerings.
To protect users from wallet-draining scams, some cryptocurrency wallets have started to add a layer of security that asks for access permission instead of granting it automatically, giving users time to reconsider before approving. However, threat actors like “jezabeth” are innovating to counter the defenses of wallets like MetaMask.
Recommendations
Users should always follow the most current security practices, including:
- Always check wallet transactions and approvals when interacting with contracts.
- Do not click suspicious or unexpected links sent as direct messages or on social media channels.
- Never share private keys or seed phrases. Ensure these are stored offline and not on devices or cloud storage.
- Use a cold storage hardware wallet to store assets; never keep assets in hot wallets that are used to interact with contracts.
- Avoid purchasing hardware wallets from third-party resellers or pre-owned wallets, as these may have already been compromised.
- Ensure due diligence is carried out on any project before investing; check the profile and background of a project and its founders.
Adam Darrah
Adam Darrah is an experienced intelligence analyst skilled in putting international affairs into a cultural and political context. Before joining ZeroFox, Adam served as Director of Intelligence at Vigilante and InfoArmor. Previously, he spent eight years working for the U.S. government coordinating across several federal agencies to fill critical knowledge gaps on national security priorities, which helped form his specialization in Central Eurasian political, security and intelligence issues. Adam holds a bachelor’s and master’s degree in Russian from the University of Utah and the University of Arizona, respectively. He is married to his high school sweetheart and has three children. When he is not working, Adam enjoys spending time outside in the beautiful Black Hills of South Dakota with family and friends.