NFT creators tricked into installing malware in highly targeted attack

Multiple digital artists and creators of non-fungible tokens (NFT) were at the center of a highly targeted malware campaign last week during which a threat actor tried to swipe their hard-earned profits.

The attacks, which began last week and continued through the weekend, were widely reported on Twitter after several victims caught on to the scheme or noticed the theft of cryptocurrency assets from their private wallets.

According to public reports, the threat actor used multiple identities to approach Twitter users who advertised themselves as NFT creators, offering them business deals and tricking them into downloading and running a malware-laced file.

The malicious file distributed during this campaign was usually disguised as a Windows screensaver (.SCR) file.
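The .SCR extension matters here: a Windows screensaver is an ordinary portable executable with a different extension, so it runs on double-click just like an .EXE. The following triage helper is an added example, not code from the article or from the researcher it cites; it inspects file contents for the MZ/PE signature pair instead of trusting the extension, so that an "executable disguised as a document or screensaver" can be quarantined before a user opens it. The file names and contents it creates are constructed for the demonstration.

```python
"""Flag files that are PE executables regardless of what their extension claims.

Added example (not from the original article). Sample files are constructed
inline so the script runs offline.
"""
import os
import struct
import tempfile

# Extensions Windows will execute directly; .scr (screensaver) is one of them.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com"}


def is_pe_executable(data: bytes) -> bool:
    """Return True if the bytes start with an MZ header pointing at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # Offset 0x3C of the DOS header holds the file offset of the "PE\0\0" signature.
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_offset + 4 > len(data):
        return False
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def triage_file(path: str) -> str:
    """Classify one file: 'block' for any PE executable, 'allow' otherwise."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(4096)  # the DOS header and PE signature sit near the start
    if not is_pe_executable(head):
        return "allow"
    if ext in EXECUTABLE_EXTENSIONS:
        return "block: executable (%s)" % ext
    # MZ/PE content under a non-executable extension is the most suspicious case.
    return "block: executable with misleading extension (%s)" % ext


def triage_directory(directory: str) -> dict:
    """Run triage_file over every regular file in a directory."""
    results = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            results[name] = triage_file(full)
    return results


def build_constructed_samples(directory: str) -> None:
    """Write constructed sample files: a minimal PE image and two benign files."""
    minimal_pe = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"
    samples = {
        "portfolio_offer.scr": minimal_pe,                 # screensaver that is really a PE
        "contract.pdf": minimal_pe,                        # PE hiding behind a document extension
        "artwork_preview.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 64,
        "notes.txt": b"meeting notes, nothing executable here",
    }
    for name, content in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)


def demo() -> dict:
    """Build the constructed samples in a temp directory and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_samples(tmp)
        return triage_directory(tmp)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-22s %s" % (name, verdict))
```

The check is deliberately content-based: renaming a file does not change its DOS and PE headers, so a download or mail-gateway filter built this way catches the screensaver disguise as well as an executable relabelled as a PDF.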

In a report published on Tuesday, security researcher Bart Blaze analyzed a copy of one of these SCR files. Blaze said the files were configured to temporarily install a copy of the Redline malware on victims' computers.

The researcher, who shared his findings with The Record yesterday, said the malware was left without a persistence mechanism in place, meaning that it would be deleted after the first computer reboot.

Despite the malware removing itself after a first reboot, Blaze said that Redline also worked very fast and generally needed only minutes to collect and steal all of a user's personal data.

Per Blaze and per previous analysis, Redline can collect both browser credentials and cryptocurrency wallet configuration files, including browser-based wallet extensions.

Some users lost large quantities of cryptocurrency funds

Public reporting suggests that the threat actor appears to have exclusively targeted individuals who advertised themselves on Twitter as NFT creators.

NFT, short for non-fungible token, is a blockchain-based token system that lets artists link a creation to a blockchain ledger entry and then sell the work (photos, videos, audio, documents, etc.) by selling the token associated with that entry.

NFT sales topped $2 billion in the first quarter of 2021, and despite a recent slowdown in transactions and crackdowns by some national governments, the technology is believed to have a future and remains in high demand.

With NFT sales generating such impressive numbers, the attacker appears to have tried to get a piece of the profits made by NFT creators.

Per public reports and interviews conducted by The Record, some attacks were successful.

For example, the attacker managed to swipe more than 40,000 AXS tokens, worth around $176,000, from a single infected victim. Others lost smaller amounts, but a loss is still a loss.

Nicole Ruggiero, a 3D artist and director, told The Record in an interview on Tuesday that she also lost "a bit of ETH" before she spotted the theft and moved to lock down accounts.

Jong Chan Han, a photographer based in South Korea, is one of the lucky ones. In an interview, the artist told The Record that while they were targeted, they spotted the scam before installing the malicious file.

Jong said several issues with the threat actor's public profile rang alarm bells, such as the low follower count, the lack of a professional LinkedIn or Linktree profile, the attacker's desire to pay in ETH (Ether coins) with no paperwork, and the request to install a custom app.

"That's all the red flags I caught before proceeding to next step," Jong told us. "Easy job, ridiculously high reward."

Blaze and Manifold, a company that creates blockchain products for NFT users, have both shared advice on how to secure accounts before and after such attacks.

The recent attack on NFT creators comes after similar attacks were reported earlier this year, with several cybercrime groups trying to orchestrate intrusions into accounts at Nifty Gateway, a digital art marketplace for NFT assets.


Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.