Anatomy of an NFT Phishing Scam


As NFTs continue to rise in popularity, TRM has tracked the emergence of a variety of related scams: rug pulls, fake NFT minting sites, customer support impersonation, bidding scams, fake offers, and counterfeit NFTs.

This post details a particularly insidious type of scam on the rise — the bait-and-switch contract. This form of phishing prompts users to sign a contract, usually under the pretense of a legitimate transfer of ownership, which then grants control of the user’s entire wallet to the attacker.

TRM investigators have peeled apart one recent phishing scam and are working with law enforcement to identify the perpetrators. In the course of our investigation, we identified several distinctive characteristics that should serve as red flags, both for retail users who are attempting to trade NFTs safely and for institutions and crypto platforms as they look to surface and investigate suspicious transfers.

In a nutshell, here's what happened:

Image: TRM graph visualizing attacker flows

Let’s look at how this NFT phishing scam played out, step by step:

1. The attacker sets up their wallet. They seed, or initialize, the attack wallet with a deposit, often through a mixer, such as Often, we’ll see an initial deposit to the attack wallet made by the attacker themselves. Sometimes this is to test the wallet, test the contract, or, depending on the asset, to initialize the wallet. For example, a TRON wallet requires a balance of TRX before it will function. Tether can be sent to a wallet address without it, but it won’t show up in the balance and can’t be spent until the owner puts some TRX in the wallet first.

Image: TRM graph visualizing attacker's first transaction

2. The attacker creates a contract. The bait-and-switch contract includes code functions such as “atomicMatch_” and “setApprovalForAll”, which may allow an attacker to transfer all of the victim’s tokens from their wallet.

3. The attacker deploys a contract. To make sure it works, they test their own contract by calling it — in this case by signing a transaction from the attack wallet. This contract may take different forms. In the most straightforward thefts, the contract prompts victims to approve the private sale (transfer) of an NFT to the attacker’s wallet; price: 0 ETH.

Image (Left): an example of a contract approving access to tokens shortly before they are transferred; Image (Right): MetaMask prompts will appear when a dApp asks you to connect your wallet or sign a contract.

4. The attacker phishes the victim. The actual phishing can take different forms: emails, DMs in messaging apps, pop-ups on Discord, Telegram, and other fora, in-wallet ads through MetaMask, fake sites with wallet connections, and impersonations of support staff on NFT markets. In the end, the victim is always asked to either provide private keys or sign approval contracts. These attacks are successful because buyers and sellers are under pressure to act fast to collect valuable NFTs. In this case, the attacker prompted the victim to initiate a peer-to-peer trade by signing... you guessed it — a bait-and-switch contract.

Image: TRM graph of victim and attacker accounts

5. The attacker steals the NFT. The victim may lose more. Some phishing contracts authorize the attacker to transfer not just the NFT but all of the victim’s assets. This looks obvious on the blockchain. The attacker transfers the NFT, but does not pay the victim.

6. The attacker flips the NFT on a legitimate market. Fungible assets (like ETH) can be laundered and cashed out for fiat; NFTs cannot. So, in most cases, the attacker has to convert the stolen property to something they can use.

Image: TRM graph of stolen NFT sale on the open market

7. The attacker gets paid in ETH (in this example). A buyer on the market purchases the NFT in exchange for ETH — unaware the NFT was transferred for nothing from the victim’s wallet shortly before being sold.

8. The attacker launders their illicit proceeds. After getting paid in ETH, the attacker shifts the proceeds to wallets used for money laundering. These wallets will often have several deposits of ETH from NFT markets and one or two big withdrawals of consolidated funds.

9. The attacker cashes out. Cashing out follows the usual routes — often a blend of mixers, high-risk exchanges, p2p platforms, transaction- and chain-hopping, and conversion to stablecoins.

Image: transaction hopping in the hopes of circumventing screening by institutions
Image: laundering proceeds through a mixing service
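
The on-chain pattern in steps 5 to 7 (an NFT received for nothing, then sold shortly afterwards) can be screened for mechanically. The sketch below is an added example, not TRM's tooling or method; the event fields, the 24-hour window and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

MINT = "0x0"                   # assumed marker for the mint (zero) address
FLIP_WINDOW_SECS = 24 * 3600   # assumed meaning of "shortly before being sold"
TEN_DAYS = 10 * 24 * 3600

# Constructed transfer records (not real chain data), one per NFT movement.
EVENTS = [
    {"ts": 1000, "token": "nft-1", "from": "victimA", "to": "attacker", "price_eth": 0.0},
    {"ts": 4600, "token": "nft-1", "from": "attacker", "to": "buyer1", "price_eth": 12.5},
    {"ts": 9000, "token": "nft-2", "from": "victimB", "to": "attacker", "price_eth": 0.0},
    {"ts": 9900, "token": "nft-2", "from": "attacker", "to": "buyer2", "price_eth": 3.0},
    # A creator minting and selling their own work is not a flip.
    {"ts": 2000, "token": "nft-3", "from": MINT, "to": "artist", "price_eth": 0.0},
    {"ts": 5000, "token": "nft-3", "from": "artist", "to": "buyer3", "price_eth": 1.0},
    # A gift that is held for ten days before sale falls outside the window.
    {"ts": 3000, "token": "nft-4", "from": "friend", "to": "collector", "price_eth": 0.0},
    {"ts": 3000 + TEN_DAYS, "token": "nft-4", "from": "collector", "to": "buyer4", "price_eth": 2.0},
]

def find_free_flips(events, window=FLIP_WINDOW_SECS):
    """Map seller -> [(token, acquired_ts, sold_ts, sale_price)] for tokens
    received at zero price and sold for value within `window` seconds."""
    acquired = {}              # (holder, token) -> time of zero-price receipt
    flips = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        got = acquired.pop((ev["from"], ev["token"]), None)
        if got is not None and ev["price_eth"] > 0 and ev["ts"] - got <= window:
            flips[ev["from"]].append((ev["token"], got, ev["ts"], ev["price_eth"]))
        # Record zero-price receipts, ignoring mints to the original creator.
        if ev["price_eth"] == 0 and ev["from"] != MINT:
            acquired[(ev["to"], ev["token"])] = ev["ts"]
    return dict(flips)

def repeat_flippers(events, min_flips=2):
    """Addresses that repeated the free-acquire-then-sell pattern."""
    return sorted(a for a, f in find_free_flips(events).items() if len(f) >= min_flips)

if __name__ == "__main__":
    for addr, hits in find_free_flips(EVENTS).items():
        print(addr, hits)
```

A single hit is only a lead for review, since gifts and transfers between a user's own wallets also move NFTs at zero price; repetition across unrelated senders is the stronger signal.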

What can you do to avoid being phished?

Contracts are complicated. Human behavior is not. Many users do not analyze the details of a contract before they sign a transaction, particularly in an auction or market environment where speed vs. slowness may mean the difference between winning a bid, or losing out on a potentially valuable NFT.

However the phishing scam starts, whether a DM, email, pop-up, or ad — it ends with the victim signing a contract granting the attacker access to their wallet.

As you race to collect apes, punks, blocks, doodles, fish, cats, and land, here are some suggestions for how to protect yourself and your virtual assets:

  • Look for red flags like unfamiliar or unexpected contract calls. Never sign a transaction you do not 100% trust. Simply signing a transaction may give a thief access to all your NFTs and cryptocurrency.
  • Never click on a link, button, or attachment when a contract appears to “fail” or “encounter problems.” Never click on links in emails unless you verify them through a side channel or find the same information through a parallel web search.
  • Use a separate wallet for just your NFTs; or set up a “burner” wallet to test interactions with contracts you are not sure are safe.
  • View the history of an NFT before buying; you could be purchasing stolen goods.
  • When buying, dig into the counterparty. When you look into their transactions, you may see they have repeated the same pattern of acquiring an NFT ‘for free’ and flipping it for sale on the open market.
  • Check the price: if it is much lower than the prices on legitimate markets, it is probably a scam.
  • Check the address and verify where the NFT was minted.
  • Drop the seller’s address into a Twitter or blog search and see if it catches fire.
  • Check your current token approvals on Etherscan. Revoke those you no longer need.
  • Check which sites are connected to your MetaMask wallet by clicking on the 3-dots button. Delete those you no longer use (see images below).
  • Beware of fake offers, giveaways, air drops, technical support, and minting sites.
  • Turn off your Discord DMs. Ping phishing is all the rage.
  • And, as always, never give your private keys or seed phrases to anyone, ever, for any reason.
Image: Checking for connected sites in MetaMask
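
One way to act on the first suggestion above, spotting an unexpected approval call before signing, is to decode the raw transaction data the wallet is asked to sign. This is an added example, not code from TRM or any wallet; the risk labels, the `trusted_operators` parameter and the sample calldata (with a placeholder operator address) are assumptions.

```python
# 4-byte function selectors of the standard approval calls.
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",   # ERC-721 / ERC-1155
    "095ea7b3": "approve(address,uint256)",          # ERC-20 / ERC-721
}
MAX_UINT256 = 2**256 - 1

def review_calldata(calldata_hex, trusted_operators=()):
    """Classify raw transaction calldata before it is signed."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    call = SELECTORS.get(data[:8])
    if call is None:
        return {"call": None, "operator": None, "risk": "review",
                "reason": "not a standard approval call; inspect manually"}
    args = data[8:]
    if len(args) < 128:                  # two 32-byte ABI words are expected
        return {"call": call, "operator": None, "risk": "review",
                "reason": "truncated arguments"}
    operator = "0x" + args[24:64]        # address = low 20 bytes of word 1
    value = int(args[64:128], 16)        # bool or uint256 in word 2
    trusted = {a.lower() for a in trusted_operators}
    if call.startswith("setApprovalForAll"):
        if value == 0:
            risk, reason = "low", "revokes the operator's access"
        elif operator in trusted:
            risk, reason = "review", "collection-wide access for a known operator"
        else:
            risk, reason = "high", "unknown operator can move every token in the collection"
    elif value == MAX_UINT256 and operator not in trusted:
        risk, reason = "high", "unlimited allowance for an unknown spender"
    else:
        risk, reason = "review", "single-token or bounded approval"
    return {"call": call, "operator": operator, "risk": risk, "reason": reason}

def word(hex_value):
    """Left-pad a hex string to one 32-byte ABI word."""
    return hex_value.rjust(64, "0")

# Constructed samples: the operator address is a placeholder, not a real wallet.
OPERATOR = "0x" + "ab" * 20
GRANT = "0xa22cb465" + word("ab" * 20) + word("1")
REVOKE = "0xa22cb465" + word("ab" * 20) + word("0")

if __name__ == "__main__":
    print(review_calldata(GRANT))
    print(review_calldata(REVOKE))
```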

How can the crypto economy combat these exploits on a larger scale?

TRM’s Global Investigations team actively tracks and investigates cryptocrime threats, threat actors and events such as the exploit detailed above. Attacker wallets and other wallets linked to scams are attributed in TRM tools, meaning that users of TRM’s transaction monitoring and forensics tools will be automatically notified of any exposure to possible scammers.

This enables enterprise users of TRM tools — which include crypto exchanges, NFT marketplaces, custody providers, and financial institutions with exposure to crypto and NFT trading, and others — to identify addresses and assets linked to NFT fraud as they come into contact with their platforms. With these same tools, regulators and law enforcement investigators can more effectively identify attackers’ wallets and victim accounts, trace stolen NFTs, and track down the proceeds of sales of stolen NFTs.

In previous posts, TRM Insights has looked at Non-Fungible Tokens (NFTs) from different angles. Interested in the regulatory landscape, rug pulls, or security considerations for NFT drops? Check out the linked articles. Want to learn more about the risks and opportunities presented by NFTs? Click over to the episode on TRM Talks. Finally, learn more about assessing NFT risk with TRM Labs.

About the Author:

Chris Hoffmeister is a Blockchain Investigator at TRM Labs, where he works with institutions, regulators, and law enforcement partners to detect, investigate, and prevent scams, fraud, money laundering, and other cryptocurrency-enabled financial crime. Prior to joining TRM, Chris worked as a criminal analyst at Homeland Security Investigations, where he developed and oversaw the agency’s cryptocurrency intelligence program and supported multi-jurisdictional and cross-border criminal investigations. He has held several cryptocurrency and financial crimes certifications and received his Master of Arts in Security Studies from Georgetown University.

About TRM Labs

TRM provides blockchain intelligence to help financial institutions, cryptocurrency businesses, and public agencies detect, investigate, and manage crypto-related fraud and financial crime. TRM's risk management platform includes solutions for transaction monitoring and wallet screening, entity risk scoring - including VASP due diligence - and source and destination of funds tracing. These tools enable a rapidly growing cohort of organizations around the world to safely embrace cryptocurrency-related transactions, products, and partnerships.

TRM is based in San Francisco, CA, and is hiring across engineering, product, sales, and data science. To learn more, visit

To report a lead to Global Investigations, email us at
