Fake NFT Ads: Hacked Sites Steal Crypto

The MalwareHunterTeam has reported that nearly 2,000 compromised WordPress sites are being used to display fraudulent pop-up ads offering NFT deals and cryptocurrency discounts. This campaign aims to deceitfully prompt visitors to connect their crypto wallets to crypto drainers, which then automatically pilfer the funds.

This attack is an evolution of a previous campaign in which hackers had already compromised around 1,000 sites, utilizing fraudulent advertising and YouTube videos to disseminate their malicious tools. It appears that the initial campaign did not achieve the anticipated success, leading the perpetrators to deploy new scripts that transform users’ browsers into tools for cracking other sites’ administrator passwords.

The campaign involved about 1,700 sites, including notable ones such as the website of the Association of Private Banks of Ecuador, intending to create a sufficiently large pool of sites for monetization in a broader campaign.

According to MalwareHunterTeam, the fraudsters began using the pool of sites to display pop-up windows with fake NFT offers and cryptocurrency discounts. The exact number of sites displaying these malicious pop-ups is unknown, but an Urlscan search indicates that over 2,000 compromised sites loaded malicious scripts in the last seven days.

The pop-up windows entice victims to connect their wallets to mint promising NFTs or to receive a discount on the site. Clicking on the connection button prompts scripts that offer to link wallets such as MetaMask, Safe Wallet, Coinbase, Ledger, and Trust Wallet. Moreover, the WalletConnect protocol is supported, broadening the range of potential targets.

Once a visitor connects their wallet to the site, the crypto drainer expropriates all funds and NFTs from the account, transferring them to the criminals. Notably, MetaMask issues a warning when visiting sites infected with such scripts.
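The injected scripts described above give a site owner something concrete to look for: a WordPress page that suddenly loads a script from an unfamiliar host, or inline code that requests a wallet connection on a site with no crypto functionality. The following checker is an added example (not code from MalwareHunterTeam or any cited project); the page HTML, the `site_host` value and the `cdn.constructed-example.invalid` host are constructed for illustration, and the keyword list is an assumption about which wallet-connection identifiers are worth flagging.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicator strings: wallet-connection identifiers that a
# non-crypto site (a bank association, a blog) has no reason to serve.
WALLET_KEYWORDS = ("eth_requestAccounts", "WalletConnect", "window.ethereum", "MetaMask")


class _ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True  # inline script: capture its body

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def audit_page(html: str, site_host: str, allowed_hosts: set) -> dict:
    """Flag third-party script hosts not on the allowlist and wallet keywords in inline JS."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = {"unexpected_script_hosts": [], "wallet_keywords": []}
    for src in parser.external:
        host = urlparse(src).hostname  # relative paths like /wp-includes/... give None
        if host and host != site_host and host not in allowed_hosts:
            findings["unexpected_script_hosts"].append(host)
    inline_js = "\n".join(parser.inline)
    findings["wallet_keywords"] = [k for k in WALLET_KEYWORDS if k in inline_js]
    return findings


# Constructed sample: a WordPress page with one legitimate local script,
# one injected third-party script and an inline wallet-connection prompt.
SAMPLE_HTML = """<html><body>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.constructed-example.invalid/popup.js"></script>
<script>document.getElementById("connect").onclick =
  () => window.ethereum.request({ method: "eth_requestAccounts" });</script>
</body></html>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, "example-site.invalid", set()))
```

Run it against a crawl of your own pages and treat any non-empty finding on a site that never intentionally offered wallet connection as a sign of injected code worth investigating.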

Crypto drainers have become a significant concern for the crypto community, as have hackers who breach well-known accounts and create deepfake videos advertising sites that host these malicious scripts.

To protect digital assets from crypto drainer operators and other cybercriminals, it is recommended to connect wallets only to verified platforms. Regardless of a site’s reputation, caution should be exercised when encountering unexpected pop-up windows, especially if they do not align with the site’s main theme or design.