How Smart Contracts Steal Cryptocurrency Wallets
The FBI is warning potential buyers of non-fungible tokens (NFTs) about the threat of fraudulent websites that use so-called “drainer smart contracts” to secretly steal the contents of cryptocurrency wallets.
Drainer smart contracts are pieces of code that contain errors or vulnerabilities, allowing scammers to transfer digital assets—such as NFTs and cryptocurrencies—to their own wallets without the owner’s knowledge.
Websites posing as legitimate NFT trading platforms are aggressively promoted through compromised accounts of well-known NFT developers or accounts created to imitate real ones. Posts from these accounts often create a sense of urgency, using phrases like “limited quantity” or calling the offer a “surprise.”
“Fake sites prompt visitors to connect their cryptocurrency wallets and purchase NFTs. In doing so, users unknowingly connect their wallets to a drainer contract, which ultimately results in their cryptocurrency and NFTs being transferred to wallets controlled by criminals,” the FBI warns.
After a successful theft, scammers often “launder” the stolen assets through a series of cryptocurrency exchanges or specialized mixing services, blending them with assets from other users to make it harder to trace the true destination of the stolen NFTs.
FBI experts urge potential NFT buyers to stay vigilant and take the following precautions:
- Research any unexpected NFT offers thoroughly.
- Verify the authenticity of social media accounts promoting NFT sales.
- Carefully analyze websites that ask you to connect your cryptocurrency wallet.
- Be especially cautious with offers that promise NFTs as rewards.
Victims of such scams, or anyone who suspects fraudulent activity, are encouraged to report it to the FBI’s Internet Crime Complaint Center.