Written by Tonya Riley
A scam network made up of thousands of fake Twitter accounts has impersonated legitimate NFT stores to scam users out of cryptocurrency, according to research published Thursday.
The report is just the latest indication that cryptocurrency-related scams are still running rampant on social media despite continued warnings from consumer protection watchdogs. It also raises new questions about what Twitter is doing to rid its platform of fake accounts, which the company’s new owner, Elon Musk, promised to get rid of or “die trying”.
Researchers at the threat intelligence firm Nisos found it between July 26 and Oct. 11 More than 3,000 Twitter accounts produced nearly 6,000 tweets linking to fake storefronts offering to mint new NFTs — non-fungible tokens — for free. Thousands of other fake accounts reinforced those tweets, according to researchers.
The fake NFT stores made victims share access to their wallets under the guise of creating a new NFT, allowing fraudsters to deplete the owner’s collection of NFTs along with other virtual currency pools.
NFTs, like bitcoin, are virtual assets that exist only on the blockchain. Because NFTs are unique and unable to be reproduced, they have gained value among collectors.
Researchers were unable to estimate how much fraudsters ran from their victims. Wallet addresses linked to fraudsters have “received hundreds of transactions ranging from tens to hundreds” since the scam began, according to an analysis by researchers with the assistance of cryptocurrency tracking firm Chainalysis.
Scammers gained victims’ trust by using similar account names and profile pictures to Twitter accounts on real NFT marketplaces. For example, researchers flagged the accounts @_Imaginry_Ones and @Imaginry_Ones_, riffs on @Imaginary_Ones, an NFT platform that has nearly half a million Twitter followers. In total, researchers found more than 500 domains used by the fraud network, all linked to a single IP address.
Researchers could not definitively say where the network originated, but all of the accounts that produced the original tweets followed three Indonesia-based accounts. The report only covers research up to Oct. 11, but researchers confirmed that the network is still active on the platform, as are many of the Twitter handles flagged in the report.
Twitter did not immediately respond to a request for comment.
The fraud ring that researchers at Nisos have identified is hardly an isolated incident. In May, Bloomberg reported about how scammers hijacked some Twitter accounts to pose as popular NFT projects and push credential-stealing apps.
“This is pretty much standard fare from what I’ve seen,” Satnam Narang, a researcher at cybersecurity firm Tenable who has studied cryptocurrency fraud, said of the Nisos report.
He pointed out that it is common for fraudsters to use secondary networks of accounts to quote-tweet the original tweet and spam users by tagging them, such was the case in the Nisos report. Display makes quote tweets more likely to be flagged for removal, but not the primary tweet with the storefront link.
The Nisos report raises a well-known concern from consumer protection watchdogs: social media platforms are a huge vector for cryptocurrency fraud. In fact, the FTC found that between January 2021 and March 2022, losses from cryptocurrency scams rose to over $1 billion, and nearly half of those victims originated from social media. (FBI stated losses from cryptocurrency-related fraud complaints for 2021 to $1.6 billion.)
In the past, social media-based scammers focused on so-called “giveaway” scams, where cybercriminals tell investors to send currency to a wallet address with the promise of doubling their returns when the money is actually stolen. Such scams often feign the involvement of high-profile cryptocurrency figures like Musk to add credibility to their scam.
But Narang says many fraudsters have moved towards tricking victims into connecting wallets to malicious programs, a much more effective way to steal victims’ assets.
While fraudsters like the one in the Nisos report didn’t rely on verified accounts to pull their marks, Narang said verified accounts often serve as a valuable tool for fraudsters, especially when trying to imitate big names in the industryThat remains true even as Musk’s purchase of the company creates confusion about how the platform will verify users in the future.
“I know a lot of the focus has been around, ‘oh, scammers just want to spend $8 and buy verified accounts and use them to impersonate X, Y and Z,'” Narang said. “What I think has been lost in that whole equation is that [scammers] no need to go and buy these accounts right now. They are able to compromise existing verified accounts that have not paid any money to Twitter and turn them into fake accounts.”
Making verification available to users could only make it easier for fraudsters to pull off such exploits, he says.
Cryptocurrency scammers have even latched onto the confusion over Elon Musk’s verification plans, with a scam offering users Twitter Blue and an NFT for free if they linked their wallets. The scam reached 35,000 RT before it was removed.
Even with the uncertainty surrounding Twitter’s account verification policies, cryptocurrency scammers are unlikely to be going anywhere. “Twitter is a fundamental communication platform for many of these projects,” Narang said. “So, it obviously makes sense that these scammers would be on Twitter because that’s where cryptocurrency users live.”