As NFTs continue to rise in popularity, we see an emergence of various related scams: rug pulls, fake NFT minting sites, customer support impersonation, bidding scams, fake offers, and counterfeit NFTs.
This article details a particularly insidious scam on the rise, the bait-and-switch contract. This form of phishing prompts users to sign a contract, usually under the pretense of a legitimate transfer of ownership, which then grants control of the user’s entire wallet to the attacker.
We have identified several distinctive characteristics that should serve as red flags, both for retail users who are attempting to trade NFTs safely and for institutions and crypto platforms as they look to surface and investigate suspicious transfers.
Thank you to Chris Hoffmeister for writing this article. Full original link, including graphics, here.
Let’s look at how one NFT phishing scam played out, step by step:
1. The attacker sets up their wallet. The attacker seeds or initializes the attack wallet with a deposit, often through a mixer such as Tornado.cash. Often, TRM investigators will see an initial deposit to the attack wallet made by the attacker themselves. Sometimes this is to test the wallet, test the contract, or, depending on the asset, to initialize the wallet.
For example, a TRON wallet requires a balance of TRX before it will function. Tether can be sent to a wallet address without it, but it will not show up in the balance and cannot be spent until the owner puts some TRX in the wallet first.
2. The attacker creates a contract. The bait-and-switch contract calls functions such as “atomicMatch_” and “setApprovalForAll,” which can allow the attacker to transfer all of the victim’s tokens out of their wallet.
3. The attacker deploys the contract. To make sure it works, the attackers test their own contract by calling it; in this case, by signing a transaction from the attack wallet. This contract may take different forms. In the most straightforward thefts, the contract prompts victims to approve the private sale (transfer) of an NFT to the attacker’s wallet; price: 0 ETH.
4. The attacker phishes the victim. The actual phishing can take different forms: emails, DMs in messaging apps, pop-ups on Discord, Telegram, and other fora, in-wallet ads through MetaMask, fake sites with wallet connections, impersonations of support staff on NFT markets. Ultimately, the victim is always asked to provide private keys or sign approval contracts. These attacks are successful because buyers and sellers are pressured to act fast to collect valuable NFTs. In this case, the attacker prompted the victim to initiate a peer-to-peer trade by signing... you guessed it, a bait-and-switch contract.
5. The attacker steals the NFT. The victim may lose more. Some phishing contracts authorize the attacker to transfer the NFT and all of the victim’s assets. The attacker transfers the NFT, but does not pay the victim.
6. The attacker flips the NFT on a legitimate market. Fungible assets (like ETH) can be laundered and cashed out for fiat; NFTs cannot. So, in most cases, the attacker has to convert the stolen property to something they can use.
7. The attacker gets paid in ETH (in this example). A buyer on the market purchases the NFT in exchange for ETH — unaware the NFT was transferred for nothing from the victim’s wallet shortly before being sold.
8. The attacker launders their illicit proceeds. After getting paid in ETH, the attacker shifts the proceeds to wallets used for money laundering. These wallets will often have several deposits of ETH from NFT markets and one or two big withdrawals of consolidated funds.
9. The attacker cashes out. Cashing out follows the usual routes — often a blend of mixers, high-risk exchanges, p2p platforms, transaction- and chain-hopping, and conversion to stablecoins.
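Steps 8 and 9 describe a recognizable on-chain shape: a wallet that collects several ETH payouts from NFT marketplaces and then empties itself in one or two withdrawals. The following is an added example (not TRM's code) of how an investigator might encode that heuristic over a set of transfer records. The `Transfer` record, the `nft_market` address label, and every address and amount in the sample data are constructed for the example; in practice the labels would come from the analyst's own address attribution data.

```python
"""Consolidation-wallet heuristic for the laundering stage (step 8 above).

Added example, not TRM's code. Scans ETH transfers and flags wallets that
receive several deposits from NFT marketplace payout addresses and then move
most of the total out in at most a couple of withdrawals. The address labels
and the sample transfers below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    sender: str
    receiver: str
    value_eth: float
    sender_label: str = ""  # e.g. "nft_market", supplied by the analyst's address labels


def flag_consolidation_wallets(transfers, *, min_market_deposits=3,
                               max_withdrawals=2, min_out_ratio=0.8):
    """Return {wallet: stats} for wallets matching the consolidation pattern.

    A wallet is flagged when it has at least `min_market_deposits` inbound
    transfers labelled as NFT-market payouts, at most `max_withdrawals`
    outbound transfers, and those withdrawals carry at least `min_out_ratio`
    of everything the wallet received.
    """
    inflows = defaultdict(list)
    outflows = defaultdict(list)
    for t in transfers:
        inflows[t.receiver].append(t)
        outflows[t.sender].append(t)

    flagged = {}
    for wallet, ins in inflows.items():
        market_in = [t for t in ins if t.sender_label == "nft_market"]
        if len(market_in) < min_market_deposits:
            continue
        outs = outflows.get(wallet, [])
        total_in = sum(t.value_eth for t in ins)
        total_out = sum(t.value_eth for t in outs)
        if not outs or len(outs) > max_withdrawals or total_in == 0:
            continue
        ratio = total_out / total_in
        if ratio >= min_out_ratio:
            flagged[wallet] = {
                "market_deposits": len(market_in),
                "withdrawals": len(outs),
                "total_in_eth": round(total_in, 4),
                "total_out_eth": round(total_out, 4),
                "out_ratio": round(ratio, 3),
                "destinations": sorted({t.receiver for t in outs}),
            }
    return flagged


# Constructed sample data: placeholder addresses, not real on-chain entities.
MARKET_PAYOUT = "0x" + "aa" * 20  # marketplace payout address (labelled nft_market)
LAUNDER = "0x" + "11" * 20        # the consolidation wallet from step 8
MIXER = "0x" + "22" * 20          # where the consolidated funds go
SHOP = "0x" + "33" * 20           # a legitimate seller, also paid by the market

SAMPLE_TRANSFERS = [
    Transfer("0xt1", MARKET_PAYOUT, LAUNDER, 2.0, "nft_market"),
    Transfer("0xt2", MARKET_PAYOUT, LAUNDER, 1.5, "nft_market"),
    Transfer("0xt3", MARKET_PAYOUT, LAUNDER, 3.0, "nft_market"),
    Transfer("0xt4", MARKET_PAYOUT, LAUNDER, 2.5, "nft_market"),
    Transfer("0xt5", LAUNDER, MIXER, 8.9),  # one big consolidated withdrawal
    # The legitimate seller receives market payouts too, but spends them in
    # many small transactions, so the withdrawal-count condition rules it out.
    Transfer("0xt6", MARKET_PAYOUT, SHOP, 1.0, "nft_market"),
    Transfer("0xt7", MARKET_PAYOUT, SHOP, 1.2, "nft_market"),
    Transfer("0xt8", MARKET_PAYOUT, SHOP, 0.8, "nft_market"),
] + [Transfer(f"0xs{i}", SHOP, "0x" + f"{i:02d}" * 20, 0.25) for i in range(10)]


if __name__ == "__main__":
    for wallet, stats in flag_consolidation_wallets(SAMPLE_TRANSFERS).items():
        print(wallet, stats)
```

The thresholds are deliberately parameters: the page's "several deposits" and "one or two withdrawals" is a shape, not a fixed number, and a real deployment would tune them against known cases and combine the hit with other signals (the mixer or high-risk exchange on the receiving end of the withdrawal, the timing relative to the NFT sale) before escalating.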
Many users need to analyze the details of a contract before they sign a transaction, particularly in an auction or market environment where speed may mean the difference between winning a bid and losing out on a potentially valuable NFT.
However the phishing scam starts (a DM, email, pop-up, or ad), it ends with the victim signing a contract granting the attacker access to their wallet. Make sure to check our Safety practices to avoid NFT scams before engaging.
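The signature the bait-and-switch contract needs is usually a blanket `setApprovalForAll` in favour of the attacker's contract, so "analyze the contract before you sign" can be made concrete: decode the calldata of the pending transaction and refuse to sign if it hands an unknown operator control of every token in a collection. The following is an added example (not TRM's code and not any wallet's built-in logic) of such a pre-signature screen. The `setApprovalForAll` and `approve` selectors are the standard ERC-721/ERC-1155 ones; the selector used for `atomicMatch_` is the Wyvern exchange's as the author of this example recalls it and should be treated as an assumption; all addresses are constructed placeholders.

```python
"""Pre-signature screen for a wallet transaction request.

Added example, not TRM's code. Decodes the calldata of a pending transaction
and flags blanket approvals (setApprovalForAll) granted to operators that are
not on the user's allowlist. Addresses below are constructed placeholders.
"""

# 4-byte function selectors: the first 4 bytes of keccak256(signature).
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool), ERC-721/ERC-1155
SEL_APPROVE = "095ea7b3"               # approve(address,uint256), single-token approval
SEL_ATOMIC_MATCH = "ab834bab"          # atomicMatch_(...) on the Wyvern exchange (assumed value)


def _strip0x(h: str) -> str:
    return h[2:] if h[:2].lower() == "0x" else h


def _word(data: str, index: int) -> str:
    """Return the index-th 32-byte ABI word after the selector, as 64 hex chars."""
    start = 8 + 64 * index
    word = data[start:start + 64]
    if len(word) != 64:
        raise ValueError("calldata too short")
    return word


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """ABI-encode setApprovalForAll(operator, approved); used to build sample input."""
    op = _strip0x(operator).lower().rjust(64, "0")
    flag = ("1" if approved else "0").rjust(64, "0")
    return "0x" + SEL_SET_APPROVAL_FOR_ALL + op + flag


def decode_set_approval_for_all(data: str):
    """Return (operator, approved) from setApprovalForAll calldata."""
    d = _strip0x(data).lower()
    if d[:8] != SEL_SET_APPROVAL_FOR_ALL:
        raise ValueError("not a setApprovalForAll call")
    operator = "0x" + _word(d, 0)[-40:]   # address is right-aligned in its word
    approved = int(_word(d, 1), 16) != 0
    return operator, approved


def screen_transaction(to: str, data: str, trusted_operators: set) -> dict:
    """Classify a pending transaction as allow / review / block with a reason.

    `to` is the contract the transaction targets (e.g. an NFT collection),
    `data` its calldata, `trusted_operators` the user's allowlist of
    marketplace contracts that may legitimately hold a blanket approval.
    """
    d = _strip0x(data).lower()
    trusted = {_strip0x(a).lower() for a in trusted_operators}
    sel = d[:8]
    if sel == SEL_SET_APPROVAL_FOR_ALL:
        operator, approved = decode_set_approval_for_all(d)
        if not approved:
            return {"verdict": "allow", "reason": f"revokes operator {operator} on {to}"}
        if _strip0x(operator) in trusted:
            return {"verdict": "review",
                    "reason": f"grants trusted operator {operator} control of all tokens in {to}"}
        return {"verdict": "block",
                "reason": f"grants UNKNOWN operator {operator} control of every token in {to}"}
    if sel == SEL_APPROVE:
        spender = "0x" + _word(d, 0)[-40:]
        token_id = int(_word(d, 1), 16)
        return {"verdict": "review", "reason": f"approves {spender} for token id {token_id} on {to}"}
    if sel == SEL_ATOMIC_MATCH:
        return {"verdict": "review",
                "reason": "marketplace order match; confirm counterparty and price before signing"}
    return {"verdict": "review", "reason": f"unrecognised selector 0x{sel}"}


# Constructed sample: an NFT collection, a trusted marketplace operator and the
# attack contract from the scenario above (all placeholder addresses).
COLLECTION = "0x" + "c0" * 20
TRUSTED_MARKET = "0x" + "11" * 20
ATTACK_CONTRACT = "0x" + "ba" * 20

if __name__ == "__main__":
    for calldata in (encode_set_approval_for_all(ATTACK_CONTRACT, True),
                     encode_set_approval_for_all(TRUSTED_MARKET, True),
                     encode_set_approval_for_all(ATTACK_CONTRACT, False)):
        print(screen_transaction(COLLECTION, calldata, {TRUSTED_MARKET}))
```

Two things this screen does not cover are worth stating: an `approve` for a single token is still a transfer right, so it is surfaced for review rather than allowed, and a marketplace order signed off-chain (the "private sale for 0 ETH" in step 3) never reaches the calldata path at all, so the price and counterparty shown in the signing prompt have to be read just as carefully.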