
The FBI has issued a public service announcement warning Hedera Hashgraph non-custodial wallet users of a growing scam involving fraudulent non-fungible token (NFT) airdrops that aim to steal cryptocurrency through deceptive reward offers.
According to the FBI's Internet Crime Complaint Center (IC3), cybercriminals are exploiting the NFT airdrop feature built into non-custodial cryptocurrency wallets to trick users into compromising their wallet credentials. The scam primarily targets users on the Hedera Hashgraph network, a distributed ledger platform known for its energy efficiency and enterprise-focused applications.
The technique was first flagged by the FBI's cybercrime analysts, who observed an increase in fraud reports tied to unsolicited token distributions. These airdrops typically deliver free NFTs or tokens to unsuspecting users under the guise of promotional rewards. Embedded within the transactions is a plaintext “memo” field, which includes a URL directing users to a malicious website. When users follow the link, they are prompted to connect their wallets or enter sensitive credentials such as passwords or seed phrases. This grants attackers full access to the user's wallet and allows them to drain it of funds.
The Hedera Hashgraph network supports decentralized applications and digital asset exchanges. Users commonly access the network via non-custodial wallets like HashPack, where they retain full control of their private keys. The airdrop feature in these wallets, originally designed for community engagement and token marketing, has now become a security liability when exploited by malicious actors.
In some cases, the fraudulent URLs are not only embedded in wallet memos but also spread via phishing emails, third-party websites, or social media channels advertising free airdrops. These campaigns mimic legitimate NFT projects to gain user trust, often using language and branding associated with known Web3 platforms. Once the user engages with the phishing site, the attacker either prompts them to link their wallet or extracts login credentials directly.
The FBI recommends that users never click unsolicited links or share wallet seed phrases, even if the message appears to come from a known project. Users should also avoid interacting with airdrop tokens or offers unless they have explicitly signed up for the promotion through a trusted source. Finally, users should monitor wallet activity regularly for unauthorized transactions or suspicious logins.
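For the monitoring step, the memo-borne links described above can be surfaced automatically. The following is an added example, not code from the FBI advisory or any wallet vendor: it flags inbound token or NFT transfers whose memo contains a link and whose payer is neither the user nor a sender the user signed up with. The record fields (`transaction_id`, `memo_base64`, `token_transfers`, `nft_transfers`) are modelled on Hedera mirror node transaction records and should be treated as assumptions, as should the `trusted_payers` parameter; all sample data is constructed.

```python
import base64
import binascii
import re

# Heuristic: explicit scheme, "www.", or a bare domain. Expect some false positives.
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b(?:/\S*)?", re.I)

def decode_memo(memo_b64):
    """Return the memo as text; a memo that is not valid base64 becomes ''."""
    try:
        return base64.b64decode(memo_b64 or "", validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""

def received_by(tx, account):
    """True if the account is credited a fungible token or receives an NFT."""
    fungible = any(t["account"] == account and t["amount"] > 0
                   for t in tx.get("token_transfers", []))
    nft = any(n["receiver_account_id"] == account for n in tx.get("nft_transfers", []))
    return fungible or nft

def flag_unsolicited_airdrops(transactions, my_account, trusted_payers=()):
    """Flag inbound token/NFT transfers from untrusted payers whose memo has a link."""
    findings = []
    for tx in transactions:
        payer = tx["transaction_id"].split("-", 1)[0]  # assumed id form: payer-secs-nanos
        if payer == my_account or payer in trusted_payers:
            continue  # we initiated it, or we signed up with this sender
        urls = URL_RE.findall(decode_memo(tx.get("memo_base64")))
        if urls and received_by(tx, my_account):
            findings.append({"transaction_id": tx["transaction_id"], "payer": payer, "urls": urls})
    return findings

def _tx(payer, n, memo, **transfers):
    memo_b64 = base64.b64encode(memo.encode()).decode()
    return {"transaction_id": f"{payer}-170000000{n}-0", "memo_base64": memo_b64, **transfers}

# Constructed sample data: account ids, memos and the .invalid domain are made up.
ME = "0.0.1234"
IN_NFT = [{"receiver_account_id": ME, "token_id": "0.0.777", "serial_number": 1}]
IN_FT = [{"account": ME, "amount": 1, "token_id": "0.0.778"}]
SAMPLE = [
    _tx("0.0.900001", 1, "Claim your reward at https://claim-example.invalid/hbar", nft_transfers=IN_NFT),
    _tx("0.0.900002", 2, "free NFT: claim-example.invalid", token_transfers=IN_FT),
    _tx("0.0.900003", 3, "Thanks for joining the community", token_transfers=IN_FT),
    _tx("0.0.5555", 4, "Docs at https://project-example.invalid", token_transfers=IN_FT),
    _tx(ME, 5, "see https://shop-example.invalid", token_transfers=[{"account": ME, "amount": -5}]),
]
```

A flagged entry is a prompt to leave the token alone and not open the link, not proof of fraud; the URL pattern is a heuristic and will also match harmless memos that mention a domain.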