Overview
Scam Sniffer has received multiple reports of theft related to NFT airdrops on Polygon. Victims received airdropped NFTs and believed in their contents, but ended up having their assets stolen after opening malicious links and signing malicious signatures during the claiming process.
The group responsible for these thefts has created 1,354 malicious NFTs on Polygon in recent months, impersonating legitimate airdrops from projects like RocketPool, ApeCoin, Polygon, Uniswap, and AAve. All malicious links in these airdrops lead to websites associated with Inferno Drainer, One of the “Scam As a Service” providers that steals $13M in the last few months.
A total of 530,000 wallets were targeted by these malicious NFTs, and 329 victims were associated with the targeted airdrops. In total, $1.25 million was stolen from these victims.
Dune Report: https://dune.com/scamsniffer/nft-phishing-polygon
Malicious NFT airdrops
Attackers transferred ApeCoin Airdrop malicious NFTs to their targets through batchtransfer.
The target opened their Portfolio Tracker or wallet and found and clicked on the malicious NFT.
As shown in the figure, they used beacons.ai for dynamic link redirection. The victim clicked on the malicious link in the description and signed the malicious signature in the malicious website, resulting in asset theft.
Large-scale malicious NFT airdrops
By analyzing the addresses associated with the airdropped NFTs received by the victims, we found many NFTs with similar patterns, including those that impersonated the airdrops of projects such as Rocketpool, Apecoin, Arbitrum, Uniswap, Ethereum, AAVE, ChainLink, etc.
Through analyzing on-chain data, we found that they created 1,354 malicious NFTs, targeted at 530,000 wallets, and a total of 1.25 million airdrops were made.
All of these malicious links lead to malicious websites associated with Infeno Drainer.
| NFT | Malicious Link | Name |
|---|---|---|
| 0x7432d7bcd16832e5e4d25943665bcafd67f717c9 | https://beacons.ai/rocketpoolreward | Rocketpool Airdrop |
| 0x3fa33da7c74c4b8d6311db1e598f56536c648a23 | https://beacons.ai/apereward | Apecoin Airdrop |
| 0xcd2d346b41aae8a8edf99af9379a180647c38cab | https://tinyurl.com/maticreward | Polygon Airdrop |
| 0x88b8dcc4a738dc16f6e0406874f5af8f1cd0591b | https://beacons.ai/cakereward | Pancakeswap Airdrop |
| 0x5b8b1a0735f1613ddc6e32d1c36bcbc3de206a5f | https://beacons.ai/pepeswap | Pepe Airdrop |
| 0xef69c4d15413bf55369619d54237e679b5ec37bf | https://beacons.ai/arbreward | Arbitrum Airdrop |
| 0x52776fc07a2c17719fef65d5eee70e53165e63d2 | https://beacons.ai/fantomreward | Fantom Airdrop |
| 0x566f821edd30d33992563459afc136a7b9d42c37 | https://beacons.ai/filecoin | Filecoin Airdrop |
| 0xffe28ec180700d9bc28299509eb7f02ca2f33620 | https://beacons.ai/linkreward | ChainLink Airdrop |
| 0x2925752fe873c4803c21d800c79e3ea33ba6049a | https://beacons.ai/xrpreward | XRP Airdrop |
| 0xb953f160c7844b381594c75669fa8aaad67b0198 | https://beacons.ai/uniswapreward | Uniswap Airdrop |
| 0xb35ef719cb719895c94448c2672f63a3d2eb3b3f | https://linktr.ee/shibswap | THE SHIBOSHIS |
| 0xc6efa083a4498960213567921bec3ab32c9dadf0 | https://beacons.ai/cardanoreward | Cardano Airdrop |
| 0x404686811ffbf5014548c07b8a43d862dc950dc9 | https://beacons.ai/ethreward | Ethereum Airdrop |
| 0xd608b49a90625d7749f35ed7e2ef8a4f94124768 | https://nftdecentralandmana.com | DecentralandMANA Airdrop |
| 0x5f01ca4266fa981befd6cd0f482f904127ab5d89 | https://tinyurl.com/quantreward | Quant Airdrop |
| 0x5acb7792ab3e682ba1486c526d9bc808564f1aa3 | https://tinyurl.com/aavereward | Aave Airdrop |
| 0x402ff36a068630e7318ec13f1b545c30bb976734 | https://beacons.ai/sandreward | Sandbox Airdrop |
Targeted victims
| Target | Net worth |
|---|---|
| 0x28c6c06298d514db089934071355e5743bf21d60 | $1,285,238,035 |
| 0x5bdf85216ec1e38d6458c870992a69e38e03f7ef | $285,815,676 |
| 0x21a31ee1afc51d94c2efccaa2092ad1028285549 | $261,049,467 |
| 0x6cc8dcbca746a6e4fdefb98e1d0df903b107fd21 | $15,159,462 |
| 0x50be13b54f3eebbe415d20250598d81280e56772 | $5,621,551 |
| 0x2c2320181c2226370c017deaf8976786dd0c8329 | $4,517,400 |
| 0xda43c54ce5083885f561e05fd6220b7096be246c | $4,594,795 |
| 0x1c727a55ea3c11b0ab7d3a361fe0f3c47ce6de5d | $3,812,830 |
| 0x1467bab3230e5dc57bc8c92e69978994ce5b8eab | $1,425,117 |
| 0x766182bfa8b8790d61c4d7e7912c1c3a6f42cef6 | $3,151,386 |
| 0x4a183b7ed67b9e14b3f45abfb2cf44ed22c29e54 | $490,207 |
We sampled some of the targeted airdrop addresses, most of which contained large amounts of assets.
Stolen Stats
By analyzing the 530,000 addresses targeted by these malicious NFTs and the victims of Infeno Drainer, we found that 329 victims were associated with the targeted airdrops, and a total of $1.25 million was stolen from these victims.
The largest victim, 0x9e1b8f42c28c793f67d44968529e338606ba7e66, lost about $150k.
Dune Report: https://dune.com/scamsniffer/nft-phishing-polygon
Victims
0x9e1b8f42c28c793f67d44968529e338606ba7e66, the largest victim, was recently phished for 79ETH through a Claim scam.
The victim received a malicious NFT from the ApeCoin Airdrop 24 days ago.
Gas Spend
By analyzing on-chain data, we found that the total gas cost for airdropping to these 500k addresses was only $15k, which was very low.
Excluding the 20-30% commission charged by using Inferno Drainer, we can estimate that they spent $15k to steal $875k in assets.
Among these targeted 500k addresses, new victims will continue to emerge in the future.
About Scam Sniffer
Scam Sniffer is an anti-scam platform that combined off-chain and on-chain monitoring data to provide real-time anti-scam protection for web3 users.
We’ve helped well-known platforms protect their users and are committed to making web3 secure for the next billion users.