After changing my profile to read "Web3 Junkie" and "Top 200 ENS Holder", and tweeting routinely about web3, NFT and crypto, I have become a target of NFT phishing/scam attacks 😡
Anatomy of a scam I was sent (read on)
👇👇👇
Step 1: Typically begins with a Twitter account that has a high follower count or a verified badge, plus a profile that claims to be a co-founder of an NFT project, e.g. Bored Apes, Mutant Apes etc.
The account may be hijacked, purchased, or built up with fake followers. https://t.co/zdSYMJKyfY
Step 2: The account then posts an "opportunity" to still be able to mint a Bored Ape or some other valuable NFT.
The sheer number of Retweets and Likes shows how flawed and fake social validation as a "security test" can be! https://t.co/ZvZ8FgP5yc
Step 3: These accounts, or ones under their control, TAG users who are active crypto/NFT enthusiasts - probably selected based on their Twitter profile or their tweets.
Here is my "good friend" Toni trying to help me get rich quick :) The account was created today. https://t.co/lF0nwRa7ZI
Step 4: Once a gullible user lands on the website, they find a site made to look as legitimate as possible! https://t.co/6Q6uchWQMG
If you have MetaMask installed, the scam site almost immediately triggers a wallet connection request.
I will play along and connect a test account.
[PLEASE DO NOT FOLLOW THESE STEPS IF YOU DO NOT KNOW WHAT YOU ARE DOING] https://t.co/PbqKj7QDvW
After the account is connected, it tries to trigger an ETH transaction that sends crypto straight to the scammer's address.
You are not minting anything - just sending money to the scammer if you continue. https://t.co/aU8LqN3PYS
Copying the Scammer's address from the top right of the screenshot above, we can see that they have already made over USD 32K (10.23 ETH) as of this writing: https://t.co/a36tKPAvfq https://t.co/rwO1uL1uGx
If you look closely at the scammer's account, you will see only "IN" transactions, i.e. funds sent to it, and nothing withdrawn yet.
This is typical: the scammer might keep this account active for some time and then withdraw to other mule accounts / use mixers.
Unlike opening a bank account, which requires KYC, creating a wallet requires no registration at all: an address is just derived from a random private key, and you don't even have to write anything to the blockchain until someone sends funds to it!
Here is a simple python script to create wallet addresses for the curious - it's that easy! It's entirely offline! https://t.co/CO1mNovpMe
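Since the script in that screenshot is an image, here is an added, runnable version of the same idea (my own example, not the script from the thread): it derives an Ethereum address from a random private key using pure-Python secp256k1 and Keccak-256, so it needs only the standard library and never touches the network. One caveat worth knowing: Ethereum uses the original Keccak padding, so `hashlib.sha3_256` would give a wrong address, which is why the hash is implemented by hand below.

```python
"""Offline Ethereum wallet generation from scratch (secp256k1 + Keccak-256).

Added example, not the thread's own script. Assumes only the Python standard
library: `secrets` for randomness, pure-Python arithmetic for the curve and the
hash. Nothing here talks to a node or writes to the chain.
"""
import secrets

# secp256k1 domain parameters (public constants from SEC 2)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _ec_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                      # p1 == -p2
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return x3, y3


def _ec_mul(k, point):
    """Double-and-add scalar multiplication. Fine for a demo; NOT constant time."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _ec_add(result, addend)
        addend = _ec_add(addend, addend)
        k >>= 1
    return result


# --- Keccak-256: the pre-standard Keccak that Ethereum uses (not hashlib.sha3_256) ---
_MASK = (1 << 64) - 1
_RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
       0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
       0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
       0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
# rho rotation offsets, indexed _ROT[x][y]; lane (x, y) lives at state[x + 5*y]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rotl(v, n):
    return ((v << n) | (v >> (64 - n))) & _MASK


def _keccak_f(a):
    """Keccak-f[1600] permutation on a list of 25 64-bit lanes, in place."""
    for rc in _RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]   # theta
        d = [c[(x - 1) % 5] ^ _rotl(c[(x + 1) % 5], 1) for x in range(5)]
        for i in range(25):
            a[i] ^= d[i % 5]
        b = [0] * 25                                                                  # rho + pi
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rotl(a[x + 5 * y], _ROT[x][y])
        for x in range(5):                                                            # chi
            for y in range(5):
                a[x + 5 * y] = b[x + 5 * y] ^ ((~b[(x + 1) % 5 + 5 * y] & _MASK) & b[(x + 2) % 5 + 5 * y])
        a[0] ^= rc                                                                    # iota


def keccak256(data: bytes) -> bytes:
    rate = 136                                   # 1088-bit rate for a 256-bit digest
    padded = bytearray(data) + b"\x01"           # Keccak pad10*1 domain byte (SHA-3 would use 0x06)
    padded += b"\x00" * (-len(padded) % rate)
    padded[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(padded), rate):      # absorb, lanes are little-endian
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        _keccak_f(state)
    return b"".join(state[i].to_bytes(8, "little") for i in range(4))   # squeeze 32 bytes


def private_key_to_address(priv: int) -> str:
    """Lower-case 0x address: last 20 bytes of keccak256(uncompressed pubkey x||y)."""
    if not 1 <= priv < N:
        raise ValueError("private key must be in [1, N-1]")
    x, y = _ec_mul(priv, G)
    return "0x" + keccak256(x.to_bytes(32, "big") + y.to_bytes(32, "big"))[12:].hex()


def to_checksum_address(addr: str) -> str:
    """EIP-55 mixed-case checksum encoding of a hex address."""
    body = addr[2:].lower()
    digest = keccak256(body.encode("ascii")).hex()
    return "0x" + "".join(ch.upper() if int(digest[i], 16) >= 8 else ch for i, ch in enumerate(body))


def generate_wallet():
    """Return (private key hex, checksummed address). Entirely offline, nothing on-chain."""
    priv = secrets.randbelow(N - 1) + 1
    return format(priv, "064x"), to_checksum_address(private_key_to_address(priv))


if __name__ == "__main__":
    key, address = generate_wallet()
    print("private key:", key)
    print("address:    ", address)
```

Every run produces a fresh, valid address with no registration anywhere; the address only "exists" on-chain once someone sends to it, which is exactly why a scammer can spin up a new receiving wallet per campaign. The curve arithmetic above is a teaching implementation, not constant-time, so do not use it to derive keys you actually hold funds on.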
Moral of the story: Web3, crypto transactions etc. are in their nascency and security awareness has a long way to go.
Web2 phishing and social engineering attacks work just as well on Web3, if not better, because a signed transaction is irreversible. So be cautious and vigilant!
Thank you - have a great weekend! 🙂