Somehow, NFTs are even worse than we realized.
A report from cybersecurity firm Malwarebytes found that there’s been a marked increase in malware campaigns geared towards the NFT community, whose enthusiasts seem to be the perfect marks, not only because they’re often technically naïve but also because they often have high-value digital assets on their computers.
In other words, total cryptographic control over your assets sounds great in theory, but it leaves investors with little recourse. That’s become a bigger and bigger deal in recent years, with low-information investors, wowed by hype over Bored Apes and Dogecoin-funded Lamborghinis, putting their hard-earned savings into digital goods that, if stolen, they have no way of reclaiming.
And hackers are taking notice. Malwarebytes pointed to phony job offers, published by hackers masquerading as representatives of NFT collections.
In messages on DeviantArt and Pixiv, its Japanese equivalent, the firm found that artists were cold-contacted by users claiming to be from “Cyberpunk Ape Executives,” which does appear to be a real line of NFTs, albeit one that’s not nearly as popular or expensive as either of the verified lines it’s, well, aping.
“Hi! We appreciate your artwork!” read the messages users received, per Malwarebytes. “Cyberpunk Ape Executives is inviting 2D-artists (online / freelance) to collaborate in creating NFT project. As a 2D-artist you will create amazing and adorable NFT characters. Your characters will become an important part of our NFT universe!”
Along with the scam job ads, the messages included a link to a download page. The file offered there contained three normal GIFs and one sneakily hidden .EXE file that, per Malwarebytes’ analysis, steals information from unwitting users.
While these sorts of phishing attempts aren’t uncommon or particularly high tech, they are geared towards the less cybersecurity-inclined — and with NFTs and the other accoutrements of the blockchain-based Web3 protocols attracting more and more new users, the base for these kinds of malware attacks grows ever larger.
As users who fell victim to the scam noted, their accounts began spamming others with similar recruitment messages. Again, this style of malware attack is far from uncommon, but it’s interesting to see the scammers take up NFTs as an attack vector.
Although these attacks have so far only focused on individual users, the potential for attacks on businesses and organizations is high — especially if unwitting victims access the malware-riddled files on work computers.
As Malwarebytes puts it: “the Ape Executives have a job offer you can, and must, refuse.”
In other words: don’t open a random file full of random unsolicited NFTs if you can help it. And, for the love of god, set your operating system so you don’t accidentally run an executable thinking it’s an image file.
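The kind of check that advice points to, as an added example that is not from Malwarebytes or the original article: a Python audit of a downloaded archive that flags members whose content or name marks them as executables rather than images. The ZIP container, the file names and the double-extension disguise are assumptions; the sample archive is constructed and holds only harmless placeholder bytes.

```python
import io
import zipfile

# Leading "magic" bytes that identify a file's real type, keyed by extension.
IMAGE_MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",),
               ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",)}
PE_MAGIC = b"MZ"  # DOS/PE header at the start of Windows .exe, .scr and .dll files
RUNNABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def audit_archive(data: bytes) -> dict:
    """Map each suspicious member name to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # enough for every signature above
            stem, _, last = info.filename.lower().rpartition(".")
            ext = "." + last if stem else ""
            reasons = []
            if head.startswith(PE_MAGIC):
                reasons.append("content starts with the MZ executable header")
            if ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
                reasons.append(f"content does not match the {ext} extension")
            if ext in RUNNABLE_EXT:
                reasons.append(f"runnable extension {ext}")
                if stem.endswith(tuple(IMAGE_MAGIC)):
                    reasons.append("image-like name if extensions are hidden")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: three GIFs and one disguised file, harmless bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("ape_01.gif", "ape_02.gif", "ape_03.gif"):
            zf.writestr(name, b"GIF89a" + b"\x00" * 16)
        zf.writestr("ape_04.gif.exe", b"MZ" + b"\x00" * 16)  # assumed disguise
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in audit_archive(build_sample_archive()).items():
        print(f"{member}: {'; '.join(why)}")
```

Because the check reads each member's first bytes instead of trusting its name, it also catches an executable renamed to end in `.gif`.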
READ MORE: Fake Cyberpunk Ape Executives target artists with malware-laden job offer [Malwarebytes].