Thousands of bogus Twitter accounts push NFT scams to steal cryptocurrency

A fraud network made up of thousands of bogus Twitter accounts has been impersonating legitimate NFT stores to swindle users out of cryptocurrency, according to research published Thursday.

The report is just the latest indication that cryptocurrency-related scams still run rampant on social media despite continued warnings from consumer protection watchdogs. It also raises fresh questions about what Twitter is doing to rid its platform of fake accounts, which the company’s new owner, Elon Musk, vowed to get rid of or “die trying.”

Researchers at the threat intelligence firm Nisos found that between July 26 and Oct. 11 more than 3,000 Twitter accounts produced nearly 6,000 tweets linking to sham storefronts that offered to mint new NFTs — non-fungible token — for free. Thousands of other bogus accounts amplified those tweets, according to researchers.

The fake NFT stores prompted victims to share access to their wallets under the guise of minting a new NFT, allowing scammers to deplete the owner’s collection of NFTs along with other virtual currency funds.

NFTs, like bitcoin, are virtual assets that exist only on the blockchain. Because NFTs are unique and unable to be recreated, they’ve gained value among collectors.

Researchers were unable to assess how much scammers bilked from their victims. Wallet addresses tied to scammers have “received hundreds of transactions ranging from tens to hundreds of dollars” since the scam begin, according to an analysis researchers did with the assistance of cryptocurrency tracing firm Chainalysis.

Fraudsters gained the trust of victims by using similar account names and profile pictures to the Twitter accounts of real NFT marketplaces. For instance, researchers flagged the accounts @_Imaginry_Ones and @Imaginry_Ones_, riffs on @Imaginary_Ones, an NFT platform that has nearly half a million Twitter followers. In total, researchers found more than 500 domains used by the fraud network, all tied to a single IP address.

Researchers couldn’t definitively say where the network originated, but all the accounts that produced the original tweets followed three Indonesia-based accounts. The report only covers research through Oct. 11, but researchers confirmed that the network is still active on the platform as are many of the Twitter handles flagged in the report.

Twitter did not immediately respond to a request for comment.

The scam ring identified by researchers at Nisos is hardly an isolated incident. In May, Bloomberg reported on how scammers were hijacking some Twitter accounts to pose as popular NFT projects and push credential-stealing apps.

“This is pretty much standard fare from what I’ve seen,” Satnam Narang, a researcher at cybersecurity firm Tenable who has extensively studied cryptocurrency scams, said of the Nisos report.

He pointed out that it’s common for scammers to use secondary networks of accounts to quote-tweet the original tweet and spam users by tagging them, such was the case in the Nisos report. Doing show makes it more likely that the quote tweets will be flagged for removal but not the primary tweet with the storefront link.

The Nisos report drives home a well-known concern from consumer protection watchdogs: social media platforms are a huge vector for cryptocurrency scams. In fact, the FTC found that between January 2021 and March 2022, losses from cryptocurrency fraud climbed to over $1 billion and nearly half of those victims originated from social media. (The FBI cited losses from cryptocurrency-related fraud complaints for 2021 at $1.6 billion.)

Previously, social media-based scammers focused on so-called “giveaway” scams in which cybercriminals tell investors to send currency to a wallet address with the promise of doubling their returns when in fact the money is stolen. Such scams often feign involvement from high-profile cryptocurrency figures such as Musk to add credibility to their scams. 

But Narang says that many scammers have moved toward tricking victims into connecting wallets to malicious programs, a much more efficient way of stealing victims’ assets.

While scammers such as the one in the Nisos report didn’t rely on verified accounts to pull in their marks, Narang said that verified accounts often serve as a valuable tool for scammers, especially when trying to impersonate big names in the industry. That remains true, even as Musk’s purchase of the company raises confusion over how the platform will verify users in the future.

“I know a lot of the focus has been around like, ‘oh scammers are just going to spend $8 and purchase verified accounts and use those to like impersonate X, Y and Z,” said Narang. “The thing I think that’s get lost in that whole equation is that [scammers] don’t have to go and purchase those accounts right now. They are able to compromise existing verified accounts that have not paid any money to Twitter and turn those into scam accounts.”

Making verification available to users could only make it easier for scammers to pull off such feats, he says.

Cryptocurrency scammers have even latched on to the confusion about Elon Musk’s verification plans, with one scam offering users Twitter Blue and an NFT to users for free if they linked their wallets. The scam reached 35,000 RT before being removed.

Even with the uncertainty surrounding Twitter’s policies on account verification, it’s unlikely cryptocurrency scammers are going anywhere. “Twitter is a basic communications platform for a lot of these projects,” Narang said. “So, it naturally makes sense that these scammers are going to be on Twitter because that’s where cryptocurrency users live.”