Scammers posing as Azuki creators are taking over verified Twitter handles to promote a fake NFT airdrop. Twitter accounts affected include those belonging to several journalists and media professionals.
After hijacking an account, the scammer edits the profile text and images, disguising the handle as one belonging to a co-creator of Azuki. The scammer then posts a tweet promising a “secret airdrop” of Beanz, a collection of 20,000 NFTs that were airdropped for free to Azuki holders on March 31st. The tweet includes a link for a collector to “claim a bean”. Lastly, the scammer creates a thread tagging different accounts in the tweet.
Unsuspecting collectors who clicked the link and connected their Ethereum wallets had their NFTs stolen, without receiving any airdrop.
How Verified Twitter Accounts Got Compromised
Scammers used a phishing link to gain access to these verified accounts. One journalist revealed that they received a phishing email from an email address pretending to be Twitter Support. The address, [email protected], “notified” the journalist of a login attempt into their Twitter account.
“I woke up to this email and in a half-awake daze actually fell for it,” the journalist tweeted, recounting the ordeal.
Another journalist revealed that the scammers had used their compromised account to post over 6,000 tweets tagging potential victims.
Is the Verification Badge Fast-Becoming a Tool For Crypto Scams?
The Azuki NFT heist is not the first time cybercriminals have used verified Twitter handles to perpetrate scams. A similar event happened recently with an ApeCoin-themed fraud.
In March, scammers hijacked several verified Twitter handles and claimed to be founders of Yuga Labs, the team behind the Bored Ape Yacht Club NFT project. The scammers then promised an airdrop of ApeCoin tokens to users. But just like with the Azuki scam, ApeCoin creators had already airdropped tokens for free to Bored Ape holders.
Rip another Ape owner phished who has lost $500k worth of NFTs (BAYC, MAYC, & more)
Stop connecting your wallet & approving transactions on sketchy sites
— zachxbt (@zachxbt) March 25, 2022
Users who interacted with the link and connected their wallets had their NFTs stolen, including Bored Ape and Mutant Ape Yacht Club collectibles. Over $1 million worth of NFTs disappeared in the fraudulent scheme. Oddly, some victims claimed they had not connected their wallets to the website, yet had their NFTs stolen.
Like other social media verification badges, Twitter verification is proof of authenticity and authority. Therefore, it is easy to lure unsuspecting victims into scams through verified handles. Twitter says it is aware of this disturbing development and is actively working towards a solution.
It is important to note that Twitter is not assigning verification badges to unscrupulous Twitter users. Also, the original creators of the Bored Ape project and Azuki did not perpetrate these scams. Rather, Twitter, Azuki, Bored Ape, and the several victims of these scams are all prey to a common predator: cybercriminals.