How an NFT Scam as a Service Drains Your Wallet


This video is a part of a deep dive into how scammers drain the NFT wallets of unsuspecting victims. In this case, we show a doodle mint scam website. From it, we identified a seller of a scam kit, who sold their code for $29.99 – $149.00. We set out to investigate their scheme and find out whether their scam as a service actually did what it was supposed to.

Read the full investigation here: https://cujo.com/nft-scam-as-a-service-a-scam/

The scam site makes the victims connect their wallets to the site. In Web2 terms, this would be a request to “register and login” to the site. In this case, the wallet address is your identity, and the secret key in your wallet is what authenticates you.

Warning: never connect your wallet to random websites.

Next, the website convinces the user to sign a message. By signing this message, the user “proves” to the website that the user has the correct secret keys to the specified wallet address. In reality, this step is not needed for the scam to work, but this is what legitimate Web3 sites do, and the scammer wants to seem legit. Also, it keeps away researchers from testing the scam site functionality, since a researcher has to have a valid NFT in the wallet before further steps (after the signing) can be tested on the scam page.

Now, the website uses the Opensea API (Opensea is the largest marketplace for NFTs) to check what type of NFTs the victim has in their wallet and the value of these NFTs.

If there are no valuable crypto-assets, the user is prompted with the error “you are not eligible.”

If the NFTs and other assets are worth stealing, the victim is convinced to “mint a new NFT”.

The victim is tricked into believing that accepting this transaction (and paying the transaction gas fees) will provide some precious NFT. But instead, the victim is actually signing a contract where the victim approves the transfer of the NFTs from his/her wallet to the scammer’s wallet.

Leave a Reply

Your email address will not be published.