August 16, 2022by Adi Bleih

NFT Scamming on the Underground


Blockchain products are ripe with cybercriminals and scammers chasing cash. But the bad actors and hackers targeting cryptocurrency and non-fungible tokens may not be whom you expect.

NFTs are digital products, such as images or songs, that use the blockchain to represent proof of ownership. Creators sell NFTs on virtual markets that accept cryptocurrency like Ethereum instead of dollars. Buyers receive a digital certificate that defines a set of ownership rights.

The NFT market picked up steam in 2020, having grown by more than 300% from the previous year and moving millions of dollars’ worth of cryptocurrency. By some calculations, NFT transactions generated more than $40 billion by the end of 2021.

With so much money flowing in NFT markets, we can fully expect cybercriminals to be involved. So how are they trying to take a cut?

Most NFTs are part of the Ethereum blockchain (though other blockchains have implemented their version of NFTs). Hacking the blockchain is an endeavor far out of reach for the typical cybercriminal, therefore, the main tactics used to gain access to crypto wallets are malware injection and social engineering.

This research will review the discourse on NFT scamming and highlight some of the attackers' methods. Given the rise of NFT-related cybercriminal activity, it's essential for security professionals to understand the threats and tactics used to help better protect individuals who rely on NFTs for legitimate purposes.


From June 2021 to June 2022, the number of posts dealing with NFT scamming rose by roughly 27% per month as the NFT market heated up. However, since NFTs have cooled off due to the general cryptocurrency market crash that began last November, discourse on the dark web about NFT scamming declined from the peak and primarily plateaued.

Figure 1: NFT scamming discourse on the dark web

On the other hand, if we look at the discourse of threat actors' exploits within the crypto market in general, there is no difference from H1H2-2022 2021 to H2H1-20212022.

This result claims that NFT scamming is gaining popularity among cybercriminals. One of the main reasons for this increase is the influence of the stock and crypto markets.

In this article, we look at various examples as described below, focusing on social engineering techniques and related information we gathered for you from underground forums to shed more light on how attackers are targeting NFTs.

fake mints

"Minting" an NFT is the process by which a digital asset is published on the blockchain to make it purchasable. In these fake minting schemes, threat actors airdrop minted NFTs to the wallets of high-activity profile accounts, making it appear that the celebrities had minted the NFTs on the blockchain. In this way, many buyers who monitor specific wallets for new activity (to anticipate mass interest and the future value of a particular NFT) can be scammed or misled to purchase NFTs that have a lower value than they think.

These scams involve artist impersonation to pump-and-dump fraud (inflating the price of an owned asset through false and misleading positive statements).

Figure 2: NFT scam website

In the example above, a threat, the actor offers his services by creating a fake NFT mint site, domain hosting, and site promotion (future followers and mass interest).

Figure 3: Fake NFT mint


Another common social engineering tactic is to trick users into handing over sensitive crypto wallet details by creating sites and apps that mimic legitimate brands. Scammers often share these fake NFT marketplaces on deep and dark web platforms, Telegram, Discord, and underground forums.

The "Metamask" scam is a notable phishing scam targeting Metamask crypto wallet users. Users are told that they are locked out from their accounts and must enter their digital wallet login credentials, such as secret recovery phrases, private keys, and other related information to restore access. However, by doing so, they will expose the log-in credentials and give access to their accounts to the scammers behind these fake pages. With this information in their possession, the cybercriminals gain access to the crypto wallets and the funds stored therein.

Figure 4: In the example above, the threat actor offers an NFT phishing page for $200. The exciting part of this post is the Metamask popup shown with the phishing page service.

The level of resemblance with the actual pages is impressive, and it takes a keen eye to spot slight differences in the URL or general layout.

As shown in the example below, a well-built Metamask scam was offered for sale by a threat actor. The actor shared photos to lay a foundation for his work, as we see one attached to the post. The asked price is $250, a bit low due to the actor's reputation in the specific forum.

Figure 5: NFT Phishing site for sale for $250


As with each sector in the cybercriminal world, there are different levels of skills, resources, and abilities to perform efficient attacks. Most of the time, individual work is not enough. In those cases, teams perform jobs or more by requiring new members, each with a different skill, to implement a well-made planned cyber-attack. We discovered several posts recruiting experienced social engineers to target NFTs.

Figure 6: A threat actor is looking to hire people with different skills and experience in the social engineering community, focusing on NFT sites. Requirements are a verified Discord (dc) account and prior experience with social engineering. The actor also mentioned he would guide the new members on the job, where the salary could be from $500 to $5000 a week.

Figure 7: Another example of a threat actor recruiting for a new NFT scam project. The actor offers guidance and teaching of social networking, work, messaging, and design. The project inputs are from the Redline Stealer, a popular malware that harvests information from browsers such as saved credentials, autocomplete data, credit card information, and cryptocurrency.

These examples reflect how NFT became a hot trend in the underground and how threat actors use social engineering and malware to steal crypto wallets.


NFTs are an appealing target for scammers for two reasons. First, they attract many speculative investors who believe that they can make easy money, many of whom are prone to fall for scams. Second, because cryptocurrency is a financial system independent of government regulation, there is no central authority protecting consumers, and it is not simple for victims to recover losses (unlike, for example, with credit card fraud).

Ultimately, criminals follow the money. NFTs and their owners are still popular enough to be targeted by scammers. And whenever the next big thing arises, we anticipate that the criminals will be there as well.

You may also like

November 09, 2022

Here’s how scammers commit refund fraud to steal from retailers

Read more

October 26, 2022

How gift cards are used to launder money

Read more

October 24, 2022

Generating “grift” cards is free cash for cybercriminals

Read more