Another Day, Another Phishing Exploit Seeking NFTs

On July 15, 2022, several of DeeKay Kwon’s Twitter followers were the latest victims of scammers feasting in the NFT space. DeeKay is an animator and part of a growing number of innovative artists developing the Digital Art Movement spurred on by NFTs. One of DeeKay’s admirers is Calvin Cordozar Broadus Jr., also known as Snoop Dogg, also known as Cozomo de’ Medici, who acquired DeeKay’s “Life and Death” for “$1m USD, or 310 ETH.” According to this very important art collector, “all of this [NFT profile picture] mania is bringing massive attention to NFT. And when they come in for an azuki, punk, bored ape, or their choice of “culture token” . . . But then stumble across an @XCOPYART, a @fewocious, a @deekaymotion . . . That’s when one realizes the true power DIGITAL art can have, beyond any traditional art they have ever seen before.”

DeeKay reported his Twitter account was hacked “and the hacker has been tweeting a fake mint site. I reacted to it ASAP and spread the word but could not stop the damage in time.” An unknown number of DeeKay’s more than 179,000 followers clicked on a phishing link in a fake Tweet that purportedly brought them to a new collection from the artist.

According to DeeKay, “[t]he fake mint site was made two weeks prior, 100% copied my original website. I assumed he studied my time when I am inactive too.” While trying to claim the purported free NFTs on the fake site, victims instead approved transactions granting the scammer access to their wallets and allowing the removal of various digital assets. It is not yet fully known how many NFTs or other crypto assets were stolen from DeeKay’s Twitter followers. Most reports currently peg the number at $150,000 worth of digital assets.

DeeKay has been trying to “work something out” with those who have been scammed. For example, one victim was gifted “something special” by DeeKay to “help ease” his loss. Interestingly, DeeKay recognizes the problem with reimbursing victims given that it “also encourages hackers to keep doing their thing since I am the one covering the mess. Part of me says reimbursement should not be a standard way to react, and another part of me says I should still find a way to compensate and find a balance.” This is no different than the problem caused by insurers who continually reimburse ransomware victims and why ransomware payments should be self-insured.

DeeKay’s Twitter phishing scam comes on the heels of another phishing exploit days earlier targeting Uniswap liquidity providers that used a similar scheme but obtained a much larger $8.6 million in crypto assets.  As reported in Crypto Briefing, the Uniswap fake site “instructed the victims to claim the malicious UNI tokens as a reward for providing liquidity on the exchange, but when the victims agreed to the claim, they inadvertently approved a transaction that granted the attacker access to their wallets. From there, the attacker could make token transfers to drain their wallets.”

The phishing technique used in these scams is relatively easy to pull off, given that most folks still click on links without really thinking and many users of crypto wallets such as MetaMask have no clue what they are really consenting to when they click the consent button. After going to what appears to be a genuine site, they just assume they are obtaining what was pitched as the reason for going to the site in the first place, namely freebies of some sort. In the same way that an email address can be spoofed in a phishing exploit, consents can say whatever a scammer wants them to say.
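What a consent actually authorizes is visible in the calldata of the transaction the wallet is asked to sign. The following is an added example, not part of the original article: the article does not say which contract calls the fake sites requested, so it assumes the standard ERC-20 `approve` and ERC-721/ERC-1155 `setApprovalForAll` functions, and the name `classifyCalldata`, the risk labels and the sample inputs are constructed for illustration.

```javascript
// Added example: classify the calldata a wallet is being asked to sign.
// A selector is the first 4 bytes of keccak256(function signature).
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)", // ERC-20 allowance; ERC-721 per-token approval shares it
  "a22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155 operator approval
};
const MAX_UINT256 = (1n << 256n) - 1n;

function classifyCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || !/^[0-9a-f]+$/.test(hex)) {
    return { risk: "unknown", reason: "not valid calldata" };
  }
  const signature = SELECTORS[hex.slice(0, 8)];
  if (!signature) {
    return { risk: "unknown", reason: "not an approval call known to this example" };
  }
  const args = hex.slice(8);
  if (args.length < 128) {
    return { risk: "unknown", signature, reason: "truncated arguments" };
  }
  // ABI arguments are 32-byte words; an address is the low 20 bytes of its word.
  const grantee = "0x" + args.slice(24, 64);
  const value = BigInt("0x" + args.slice(64, 128));
  if (signature.startsWith("setApprovalForAll")) {
    return value === 0n
      ? { risk: "low", signature, grantee, reason: "revokes an operator approval" }
      : { risk: "high", signature, grantee, reason: "grantee may transfer every token the signer holds in this collection" };
  }
  if (value === MAX_UINT256) {
    return { risk: "high", signature, grantee, reason: "unlimited ERC-20 allowance" };
  }
  // The same selector means "allowance of N units" (ERC-20) or "token id N" (ERC-721).
  return { risk: "review", signature, grantee, reason: `allowance or token id ${value}` };
}

// Constructed sample inputs (placeholder address, not taken from the incident).
const pad = (h) => h.padStart(64, "0");
const GRANTEE = "11".repeat(20);
const SAMPLES = {
  nftOperator: "0xa22cb465" + pad(GRANTEE) + pad("1"),
  unlimitedErc20: "0x095ea7b3" + pad(GRANTEE) + "f".repeat(64),
  plainTransfer: "0xa9059cbb" + pad(GRANTEE) + pad("64"), // transfer(address,uint256)
};
for (const [name, data] of Object.entries(SAMPLES)) {
  const r = classifyCalldata(data);
  console.log(name, r.risk, r.reason);
}
```

A "claim" or "free mint" prompt whose calldata classifies as high here is granting transfer rights to the grantee address, whatever the page around it says.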

Whether it’s DeeKay’s Twitter followers or Uniswap’s liquidity providers, these pools of potential victims are publicly known and easily reached by scammers. One way of getting away from this vulnerable crowd is by using multiple wallets and intermediaries such as fine art galleries that can work with collectors to improve their security hygiene. More to the point, until art galleries become a mainstay part of the Digital Art Movement, these sorts of scams will continue to proliferate.

UPDATE: July 20, 2022

On July 19, 2022, DeeKay let everyone know he was targeted again – likely by way of another phishing exploit. He suggested that his collectors be aware that he would “NEVER do a free mint.”