Thousands of fake Twitter accounts push NFT scams to steal cryptocurrency
Written by Tonya Riley
A fraud network consisting of thousands of fake Twitter accounts has impersonated legitimate NFT stores to scam users out of cryptocurrency, according to research published Thursday.
The report is just the latest indication that cryptocurrency-related scams continue to abound on social media despite continued warnings from consumer protection watchdogs. It also raises new questions about what Twitter is doing to rid its platform of fake accounts, which the company’s new owner, Elon Musk, has vowed to get rid of or “die trying.”
Researchers at threat intelligence firm Nisos found that between July 26 and October 11, more than 3,000 Twitter accounts produced nearly 6,000 tweets linking to fake storefronts offering to create new NFTs — non-fungible tokens — for free. Thousands of other fake accounts amplified those tweets, according to researchers.
The fake NFT stores made victims share access to their wallet under the guise of creating a new NFT, allowing fraudsters to drain the owner’s collection of NFTs along with other virtual currency funds.
NFTs, like bitcoin, are virtual assets that exist only on the blockchain. Because NFTs are unique and cannot be reproduced, they have gained value among collectors.
Researchers were unable to assess how much the fraudsters took from their victims. Wallet addresses linked to scammers have “received hundreds of transactions ranging from tens to hundreds of dollars” since the scam started, according to an analysis the researchers did with the assistance of cryptocurrency tracking firm Chainalysis.
Scammers gained the trust of victims by using similar account names and profile pictures to the Twitter accounts of genuine NFT marketplaces. For example, researchers flagged the accounts @_Imaginry_Ones and @Imaginry_Ones_, riffs on @Imaginary_Ones, an NFT platform that has nearly half a million Twitter followers. In total, researchers found more than 500 domains used by the fraud network, all linked to a single IP address.
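An added example, not part of the Nisos report or the original article: a defender-side check that flags handles which fall within a small edit distance of a protected brand handle once the underscore padding is stripped, run over the handles named above. The `max_distance` threshold is an assumption, and `@weather_updates` is a constructed control handle.

```python
import re

def normalize(handle: str) -> str:
    """Lowercase and drop '@' and underscores, the padding the fake handles used."""
    return re.sub(r"[@_]", "", handle.strip().lower())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def find_lookalikes(protected, candidates, max_distance=2):
    """Return (candidate, brand, distance) for handles that imitate a brand.

    max_distance=2 is an assumed threshold; tune it against real data.
    """
    hits = []
    for cand in candidates:
        for brand in protected:
            # Handles are case-insensitive: skip the genuine account itself.
            if cand.lstrip("@").lower() == brand.lstrip("@").lower():
                continue
            d = edit_distance(normalize(cand), normalize(brand))
            if d <= max_distance:
                hits.append((cand, brand, d))
    return hits

PROTECTED = ["@Imaginary_Ones"]   # genuine account named in the article
SAMPLE = [
    "@_Imaginry_Ones",            # flagged by the researchers
    "@Imaginry_Ones_",            # flagged by the researchers
    "@Imaginary_Ones",            # the genuine account
    "@weather_updates",           # constructed, unrelated handle
]

if __name__ == "__main__":
    for cand, brand, d in find_lookalikes(PROTECTED, SAMPLE):
        print(f"{cand} imitates {brand} (distance {d})")
```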
Researchers could not definitively say where the network originated, but all of the accounts that produced the original tweets followed three Indonesia-based accounts. The report only covers research up to October 11, but researchers confirmed that the network is still active on the platform, as are many of the Twitter handles flagged in the report.
Twitter did not immediately respond to a request for comment.
The fraud ring identified by researchers at Nisos is hardly an isolated incident. In May, Bloomberg reported how scammers hijacked some Twitter accounts to pose as popular NFT projects and push credential-stealing apps.
“This is pretty much standard fare from what I’ve seen,” Satnam Narang, a researcher at cybersecurity firm Tenable who has extensively studied cryptocurrency fraud, said of the Nisos report.
He pointed out that it is common for fraudsters to use secondary networks of accounts to quote-tweet the original tweet and spam users by tagging them, as was the case in the Nisos report. This makes the quote tweets more likely to be flagged for removal, but not the primary tweet with the storefront link.
The Nisos report raises a well-known concern of consumer protection watchdogs: social media platforms are a major vector for cryptocurrency fraud. In fact, the FTC found that between January 2021 and March 2022, losses from cryptocurrency fraud rose to over $1 billion and nearly half of the victims came from social media. (The FBI cited losses from cryptocurrency-related fraud complaints for 2021 at $1.6 billion.)
In the past, social media-based scammers have focused on so-called “giveaway” scams, where cybercriminals ask investors to send currency to a wallet address with the promise of doubling their returns, when the money is actually stolen. Such scams often feign the involvement of high-profile cryptocurrency figures like Musk to add credibility.
But Narang says many fraudsters have moved towards tricking victims into connecting wallets to malicious programs, a much more effective way to steal victims’ assets.
While fraudsters like the ones in the Nisos report didn’t rely on verified accounts to pull in their marks, Narang said verified accounts often serve as a valuable tool for fraudsters, especially when trying to emulate big names in the industry. That remains true, even if Musk’s purchase of the company creates confusion about how the platform will verify users in the future.
“I know a lot of the focus has been around like, ‘fraudsters are just going to spend $8 and buy verified accounts and use them to kind of impersonate X, Y and Z,’” Narang said. “What I think that gets lost in the whole equation is [scammers] don’t need to go and buy these accounts right now. They are able to compromise existing verified accounts that have not paid any money to Twitter and turn them into fraudulent accounts.”
Making verification available to users can only make it easier for fraudsters to pull off such feats, he says.
Cryptocurrency scammers have even latched onto the confusion over Elon Musk’s verification plans, with a scam offering users Twitter Blue and an NFT for free if they linked their wallet. The scam reached 35,000 retweets before it was removed.
Even with the uncertainty surrounding Twitter’s account verification policies, cryptocurrency scammers are unlikely to go anywhere. “Twitter is a fundamental communication platform for many of these projects,” Narang said. “So, it naturally makes sense that these scammers are going to be on Twitter because that’s where cryptocurrency users live.”