fake

Scam alert: $300K stolen by fake Blur airdrop websites

Unsuspecting users looking to claim Blur token airdrops have had funds stolen by a number of fake websites.

Scammers continue to prey on nonfungible token (NFT) users looking to claim Blur (BLUR) token airdrops through numerous scam websites.

According to data from TrustCheck, over $300,000 has been stolen from unsuspecting users that have linked wallets to malicious websites.

The legitimate Blur platform is a newcomer to the NFT marketplace space, making waves in the industry with booming user numbers and trading volume directly resulting from the platform’s three-phase airdrop incentive scheme. 10% of Blur’s total token supply was distributed to users based on their trading activity in its second token airdrop scheme from Feb. 15.

The first airdrop was retroactive, awarding tokens to anybody who traded an NFT on Ethereum in the six months leading up to the platform’s launch in October 2022. The second airdrop awarded tokens to users who listed NFTs before Dec. 6, while the third awarded tokens to users placing bids on the platform after the feature went live.

Related: What is a phishing attack in crypto, and how to prevent it?

Given the incentive program’s mechanics, many users have been looking to claim BLUR tokens across the NFT ecosystem. This created an opportunity for scammers to promote fake airdrop links to malicious websites.

Data shared with Cointelegraph from Ethereum-based Web3 browser security extension TrustCheck, reveals that over $300,000 worth of funds have been stolen from 24 different scam websites since Feb. 15. A handful of these websites are still functional, with users warned to be wary when connecting wallets.

A screenshot of a fake website looking to scam users attempting to claim BLUR token airdrops. Source: TrustCheck

The websites use smart contracts that automatically prompt transactions when users connect their Ether (ETH) wallets. All the ETH from the wallet is then drained to a specific address, which has allowed TrustCheck to keep tabs on the number of funds stolen to date.

Tools like TrustCheck will flag suspicious websites and transactions, warning Web3 users of potential fake websites and smart contracts.

Blur has also been in the spotlight due to reports of users carrying out NFT wash trading in order to cash in on its token airdrop incentive scheme. However, data analytics carried out by data scientist Hildebert Moulié on Dune suggests that Blur’s NFT trading volumes are legitimate.

Fake websites and phishing attacks are commonplace across the internet, while scammers continue attempts to drain funds through Web3 functionality. In February 2023, a URL masquerading as the ETHDenver conference website was linked to a notorious phishing wallet address that has stolen over $300,000 to date.

In late 2022, scammers also preyed on FTX investors by using phishing websites scrambling to recoup funds after the implosion of the failed cryptocurrency exchange.

Fake Ethereum Denver website linked to notorious phishing wallet

Hackers continue to create fake Web3-enabled websites to fleece unsuspecting victims’ browser-based wallets, with ETHDenver being the latest victim.

A fake website of the popular Ethereum Denver conference is the latest phishing target of a red-flagged smart contract that has stolen over $300,000 worth of Ether (ETH).

The popular conference saw its website duplicated by hackers this week in order to trick users into connecting their MetaMask wallets. According to Blockfence, which identified the fraudulent website, the smart contract has accessed more than 2,800 wallets and stolen over $300,000 over the past six months.

ETHDenver also issued a notice to its followers on Twitter warning of the malicious website.

Blockfence CEO Omri Lahav told Cointelegraph that users were prompted to connect their MetaMask wallets via the usual “connect wallet” button. The website prompts a transaction that, if approved, carries out the malicious function and steals the users’ funds.

Blockfence’s research team identified the incident while tracking different trends in the industry. Lahav said that the smart contract executing the scam had stolen over 177 ETH since its deployment midway through 2022:

“Since the smart contract was deployed almost six months ago, it’s possible that it was used on other phishing websites.”

Hackers had gone as far as paying for a Google advertisement to promote the malicious website’s URL, banking on search trends being high, with ETHDenver taking place on Feb. 24 and 25. The fake website appeared second on a Google search, above the actual ETHDenver website.

As Cointelegraph previously reported, hacks and scams continue to be commonplace in the cryptocurrency ecosystem. 2022 saw over $2.8 billion of cryptocurrency stolen through a variety of hacks and exploits.

FBI issues public warning over fake crypto apps

Fake crypto apps appear to be part of an ongoing game of whack-a-mole with app store operators.

The United States Federal Bureau of Investigation (FBI) has issued a public warning about fraudulent cryptocurrency applications, which have swindled U.S. investors out of an estimated $42.7 million so far. 

According to an advisory published on Monday by the securities and intelligence agency, cybercriminals have created apps using the same logos and identifying information as legitimate crypto companies to defraud investors. The FBI noted that 244 people had already fallen victim to these fake apps.

One case saw cyber criminals convincing victims to download an app that used the same logo as an actual U.S. financial institution, encouraging them to deposit cryptocurrency into wallets purportedly related to their accounts.

When victims attempted to withdraw from the app, they would be asked to pay taxes on their withdrawals. However, this was just another ruse to part more funds from victims, as even if they made the payments, the withdrawals would continue to be unavailable.

Around $3.7 million was defrauded from 28 victims between December 2021 and May 2022, said the FBI.

Another similar operation saw cybercriminals operating under the company name “YiBit,” defrauding at least four victims of around $5.5 million between October 2021 and May 2022, using a similar method of deceit.

A third case involved criminals operating under the name “Supay” in November 2021. They defrauded two victims by encouraging them to deposit cryptocurrency into their wallets on the app, which would then be frozen unless more funds were deposited.

Warnings about fraudulent apps have also made the rounds on Crypto Twitter.

One user said a friend recently fell victim to a scam that started on the online messenger service WhatsApp, which encouraged the victim to download a fake crypto app and load funds into the app’s wallet. A week later, the crypto app vanished.

Another user says they have fallen victim to a fake Ledger Live crypto wallet app, reportedly called “Ledger Live Plus,” in the Microsoft app store. The user claims the fraudulent app has already stolen $20,000 from him. 

Earlier this year, cybersecurity firm ESET uncovered a “sophisticated scheme” that would distribute Trojan applications disguised as popular cryptocurrency wallets. These applications would then attempt to steal crypto assets from their victims. 

Related: More than $4.7M stolen in Uniswap fake token phishing attack

Last year, a scam cryptocurrency app dressed up as a mobile Trezor app on Apple’s App Store reportedly led to one user losing $600,000 in Bitcoin (BTC) at the time.

A report from the United States Federal Trade Commission (FTC) in June 2022 found that as much as $1 billion in crypto has been lost to scammers since 2021, with nearly half of all crypto-related scams originating from social media platforms.

The FBI has recommended crypto investors be wary of unsolicited requests to download investment apps, verify an app (and the company) is legitimate, and treat apps with limited and/or broken functionality “with skepticism.”