The U.S. Federal Bureau of Investigation (FBI) is warning about cyber crooks masquerading as legitimate non-fungible token (NFT) developers to steal cryptocurrency and other digital assets from unsuspecting users.
In these fraudulent schemes, criminals either obtain direct access to NFT developer social media accounts or create look-alike accounts to promote "exclusive" new NFT releases, often employing misleading advertising campaigns that create a sense of urgency to pull them off.
"Links provided in these announcements are phishing links directing victims to a spoofed website that appears to be a legitimate extension of a particular NFT project," the FBI said in an advisory last week.
The replica websites urge potential targets to connect their cryptocurrency wallets and purchase the NFT, only for the threat actors to siphon the funds and NFTs to wallets under their control.
"Contents stolen from victims' wallets are often processed through a series of cryptocurrency mixers and exchanges to obfuscate the path and final destination of the stolen NFTs," the agency said.
To mitigate the risks posed by such scams, it's recommended that users carry out due diligence and review social media accounts and websites to verify their legitimacy.
This includes a category called CryptoRom in which criminals use fictitious identities on dating apps and social media platforms to develop romantic relationships and build trust with victims, before introducing the idea of trading cryptocurrencies.
The operators are known to engage in initial conversation within the app with which they made initial contact with the target. Soon after, the chat is moved to a private messaging app such as Telegram or WhatsApp, where they encourage them to use fraudulent crypto websites or apps and make substantial investments.
"Criminals coach victims through the investment process, show them fake profits, and encourage victims to invest more," the FBI said. "When victims attempt to withdraw their money, they are told they need to pay a fee or taxes. Victims are unable to get their money back, even if they pay the imposed fees or taxes."
The romance-centered social engineering attacks have also gotten a facelift in recent months, with Sophos identifying the threat actors' use of generative AI-based tools to lend more credibility to conversations with the victims on messaging apps and persuade them to download sketchy apps on the Apple App Store and Google Play Store.
"These applications are able to get past review by Apple and Google by modifying remote content associated with the apps after they are approved and published to the stores," the cybersecurity company said.
"By simply changing a pointer in remote code, the app can be switched from a benign interface to a fraudulent one without further review by Apple or Google, unless a complaint is filed."