How is phishing used in NFT theft?

As is the case in almost every industry, when a product begins to gain value, it becomes a target for criminals looking to make a profit. This has happened in the NFT industry, as some of these virtual works of art are now selling for tens of millions of dollars.

Cybercriminals are developing increasingly sophisticated ways to defraud victims of their assets, a particularly popular method being phishing. So how exactly is phishing used to steal NFTs?

What is Phishing?

Before we dive into how phishing is used to illegally harvest NFTs, let’s take a quick look at what phishing actually is.

You’ve probably heard of phishing before, as it’s an incredibly popular technique used to steal all kinds of sensitive data. In this process, cybercriminals use fake emails, SMS messages or websites to trick users into believing that they are interacting with an official entity.

For example, a malicious individual can send victims an “urgent” email that looks exactly like one that would be sent by PayPal. The email may, for example, state that there has been unusual activity on the recipient’s account and that they should log into their account to check whether the activity was performed by them or not.

Once the victim clicks on the link provided in the email and logs into their account, they have unknowingly provided the cybercriminal with their login details, granting them access to their funds. In all likelihood, the victim’s funds will already be depleted or spent by the time they realize what has happened.


Since many people don’t know what to watch out for to avoid phishing, this cybercrime method can have a good success rate. This is why it is now being used to scam people out of their precious NFTs. So let’s see exactly how phishing is used in NFT theft.

How is phishing used to steal NFTs?

You might think that the cryptography used in the process of purchasing and storing NFTs makes the whole system super secure. And, yes, it would definitely be difficult for a cybercriminal to access your NFTs without some of your sensitive data. That is exactly why phishing is used in the stealing process: to obtain that data.

There are a number of ways online attackers can get their hands on your NFTs through phishing, and you need to be vigilant about all of them to protect your assets.

1. Phishing via Discord

In recent years, social media site Discord has become a popular option for crypto and NFT enthusiasts to connect with each other and the artists or developers they love. But cybercriminals are only too aware of this and therefore use Discord to target unaware users.

Fake NFT giveaways are a particularly popular phishing method on Discord, in which scammers pose as NFT artists and convince users to divulge certain information so they can participate in the giveaway. These phishing scams will often require you to submit your private key or seed phrase to enter.

However, no legitimate giveaway will ever ask you for these two pieces of sensitive data. So if you’re ever asked to provide your seed phrase or private key to participate in a giveaway, back off immediately. There’s no reason your private key should be needed to receive any type of asset, so if you are asked for it, you’re most definitely on the verge of being scammed.

2. Phishing via email

Cybercriminals often rely on emails to trick users into disclosing sensitive information. Many people have given away their bank details, login details, and even social security numbers through these scams, and now NFT owners are being targeted.

So, if you ever receive an email from an alleged NFT artist, project developer, or company, be aware that it may be a scam. These emails may contain links to NFT repositories, giveaway sites, or the like, and will likely ask you for your seed phrase or private key.

Alternatively, these emails can take the form of a marketplace notification, alerting an NFT owner that someone has bought or placed a bid on an NFT they are selling. Users will be prompted to click on the provided link and log into their marketplace account. If they do, the scammer will then be able to access their account and the NFTs they sell there.

This happened in March 2022. Cybercriminals impersonated OpenSea, a popular NFT marketplace, and emailed users to obtain their login credentials. A number of people fell victim to this scam, and unfortunately hundreds of NFTs were lost.

This is why it is important that you do not click on links provided by a purported marketplace in an email. If you have been notified that your NFT has been sold or an offer has been made, go directly to the market and log in. Then you can see if there really has been any activity associated with an asset you are selling.

3. Phishing through Instagram

Many NFT artists use Instagram to promote new work, discuss developments, and connect with their fans. But that has given rise to impersonator accounts, through which unsuspecting victims are targeted with phishing scams.

Scammers often commit this type of scam by messaging users who follow the artist or project they are impersonating, or users who clearly have an interest in NFTs in general. They will notify the user that they have won a prize and then provide a link to the site where they can claim their prize.

Of course, there is no actual prize, and the link exists only so that users hand the scammer the information they need to gain access to an account or wallet the victim owns. At this point, it is probably already too late for the victim.

But impersonation accounts are not where things stop in terms of Instagram NFT scams. More advanced criminals can hack into official accounts and target individuals from there. This layer of apparent authenticity gives scammers an even greater chance of tricking users.

4. Phishing via Twitter

As on Instagram, many NFT artists and projects are followed on Twitter by fans and enthusiasts interested in their work. This just provides another way for cybercriminals to exploit users.

NFT phishing scams on Twitter work similarly to those on Instagram, with criminals targeting victims through impersonator accounts or hacking into official accounts and going from there. Scammers can also publicly post phishing links from fake or compromised official accounts to cast a wider net and attract even more victims.

Due to this risk, you should be careful whenever you come across any type of NFT giveaway link. Again, if you are ever asked for sensitive information to participate in a giveaway, be on your guard. There’s no reason your seed phrase, login password, or private key should be needed in a giveaway.

You can also use link checker websites to check if a link is legit or not before clicking on it.
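The two warning signs described above (a request for a seed phrase or private key, and a link that does not lead to the real marketplace) can be checked mechanically. The following is an added example, not part of the original article: the trusted-host list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the reader's own allowlist of sites they actually use.
TRUSTED_HOSTS = {"opensea.io", "discord.com"}
# Secrets the article says no genuine giveaway or marketplace will ask for.
SECRET_REQUEST = re.compile(r"seed\s+phrase|recovery\s+phrase|private\s+key", re.I)
URL = re.compile(r"https?://[^\s<>()]+", re.I)

def is_trusted(host):
    """True only for an allowlisted host or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of trusted hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_message(text):
    """Return (indicator, detail) findings for one email, DM or post."""
    findings = []
    m = SECRET_REQUEST.search(text)
    if m:
        findings.append(("asks-for-secret", m.group(0).lower()))
    for url in URL.findall(text):
        # Compare the parsed hostname, never the raw link text.
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
        if is_trusted(host):
            continue
        # Lookalike: a trusted brand name embedded in, or misspelled as, another host.
        lookalike = any(edit_distance(host, t) <= 2 or t.split(".")[0] in host
                        for t in TRUSTED_HOSTS)
        findings.append(("lookalike-link" if lookalike else "untrusted-link", host))
    return findings

# Constructed sample message; the .example hosts are reserved and not real sites.
SAMPLE = ("Congratulations, you won our NFT giveaway! Claim it at "
          "https://opensea.io.example/claim and enter your seed phrase to verify. "
          "Official site: https://opensea.io/account")
print(review_message(SAMPLE))
```

An empty result does not mean a message is safe; it only means neither of these two indicators was found.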

The NFT landscape is full of scammers

With NFTs fetching incredible prices, it’s no surprise that cybercriminals are doing all they can to take advantage of this booming market. So, if you own any type of NFT, keep in mind that you should never disclose your sensitive information, as it can be used to quickly and irreversibly steal your valuable assets.

