The popularity and hype around purchasing digital assets such as art, video, and music in the form of non-fungible tokens (NFTs) have rapidly made them a lucrative investment opportunity, with NFT-based sales surpassing $25B in 2021 alone. However, the volatility and scarcity of NFTs, combined with the general lack of familiarity with the technical aspects of this ecosystem, encourage the spread of several scams. The success of an NFT depends heavily on its online virality. There have been sparse reports about scammers emulating this virality by either promoting their fraudulent NFT projects on social media or imitating other popular NFT projects. This paper presents a longitudinal analysis of 439 unique Twitter accounts that consistently promote fraudulent NFT collections through giveaway competitions, and of 1,028 NFT phishing attacks. Our findings indicate that most accounts interacting with these promotions are bots, which can rapidly increase the popularity of the fraudulent NFT collections by inflating their like, follower, and retweet counts. This leads to significant engagement from real users, who then proceed to invest in the scams. We also identify two novel attack vectors that NFT phishing scams use to steal funds and digital assets from the victim's wallet. We further identify several gaps in the prevalent anti-phishing ecosystem by evaluating the performance of popular anti-phishing blocklists and security tools against NFT phishing attacks. We use our findings to develop a machine learning classifier that can automatically detect NFT phishing scams at scale.