Uttar Pradesh chief minister Yogi Adityanath’s Twitter profile picture was replaced with a Bored Ape Yacht Club NFT last month by scammers to promote phishing sites for the Azuki NFT projects. Last year, even Prime Minister Narendra Modi’s Twitter account was briefly hacked and used by scammers to claim that India has embraced bitcoin as legal tender and would distribute it to citizens!
Scammers have found many creative tricks to steal NFTs and cryptos from Twitter users. They are hacking verified and unverified accounts to impersonate popular NFT projects and drive users to phishing sites, according to research by Satnam Narang, Staff Research Engineer at Tenable.
“Many (scammers) are hijacking verified and unverified accounts on Twitter to impersonate popular NFT projects including Bored Ape Yacht Club (BAYC), Azukis, MoonBirds and OkayBears, to steal users’ crypto assets by driving them to phishing sites,” the research says.
Twitter mention scam
The research further says that scammers are leveraging Twitter mentions to capture attention. After hacking Twitter accounts, the scammers impersonate popular NFT and crypto projects. They then mention users in replies across hundreds of tweets in a bid to drive them to phishing websites.
Narang says that these phishing sites are “indistinguishable from legitimate NFT project sites making it difficult for the average cryptocurrency enthusiast to tell them apart”.
The phishing sites do not ask for conventional usernames and passwords. Instead, they convince users to connect their crypto wallets. Once connected, it becomes easy for scammers to transfer cryptos and NFTs held in these wallets.
Airdrop and free NFT scams
The scammers are also exploiting airdrop and free NFT announcements by blue-chip projects.
Recently, Bored Ape Yacht Club (BAYC) announced an airdrop of ApeCoin to holders of its various NFT projects such as BAYC, Mutant Ape Yacht Club and Bored Ape Kennel Club.
“Scammers saw this announcement as a ripe opportunity to target the interest in this upcoming airdrop and began creating campaigns by hijacking verified Twitter accounts to drive users to phishing sites,” the research says.
Scammers warn scammers!
In order to add legitimacy to their tweets, some scammers also issue scam alerts and use the threat of potential scammers as justification for why they “clean” or “close” comments or replies to their tweets. After seeding a few of these fake tweets, the scammers leverage a Twitter feature for conversations to restrict who can respond to their tweets, thus preventing users from warning others about the potential fraud.
What you should do
Narang suggests Twitter users can protect themselves from scams by viewing everything with some skepticism. Users should always be suspicious if someone is proactively tagging them, even from verified accounts.
Also, before clicking on any link or linking a crypto wallet, one should search for the original and official project website.
“Operating from a place of skepticism is likely going to provide some cover for users when it comes to such scams. If you’re proactively tagged in a tweet, you should be highly suspicious of the motivations behind it, even if it comes from a verified Twitter account. Seek out the original project’s website and cross-reference links that you see being shared on Twitter with the ones on their official website,” said Narang.
“Scammers will also rely on urgency to try to add pressure on users in this space. If an NFT mint is happening, they’ll say that there are a limited number of spots left. This urgency makes it easier to take advantage of users not wanting to miss out on the opportunity. Ultimately, if something sounds too good to be true, it probably is,” he added.