|
Non-fungible token (NFT) scams can come in various forms, but one thing is sure: the threat actors behind them often use domain names, fake websites, and phishing emails. In line with such attack vectors, WhoisXML API researchers looked at the domain registration trends relevant to NFTs and enriched the findings with WHOIS and IP intelligence. Below is a summary of what we discovered.
Feel free to download the complete list of NFT-related domains, subdomains, and other data enrichment from our website. We dived into the details of our analysis and research below.
To see how NFTs have affected domain name registrations, we ran “nft” together with “mint” and other related text strings related to some of the most popular NFT tokens and platforms on Domains and Subdomains Discovery. These include “opensea,” “metamask,” “axie,” “nifty,” and “theta.” Below are the number of domains and subdomains.
Text String | Number of Domains | Number of Subdomains |
---|---|---|
“nft” + “mint” | 1,053 | 144 |
“opensea” | 2,080 | 1,197 |
“metamask” | 1,299 | 1,035 |
“axie” | 10,000+* | 10,000+* |
“nifty” | 10,000+* | 10,000+* |
“theta” | 10,000+* | 10,000+* |
Total | 34,432+* | 32,376+* |
We took a random sample of 3,000 domains from the total volume and ran a malware check, and . We detected 24 malicious domains, including:
A small percentage of the domains (7%) and subdomains (5%) were added within the past 30 days. We subjected the NRDs to a bulk screenshot analysis. We found several sites that contain what could either be legitimate NFT pages or scam pages using techniques such as fake giveaways, bogus websites, and limited offers. Some examples are shown below.
Domains like adidasnftminting[.]com and mintadidasnfts[.]com whose contents entice NFT enthusiasts with giveaways supposedly from Adidas made us curious as to how NFT usage has affected popular brands. The two Adidas-related domains could not be publicly attributed to Adidas, making them potential cybersquatting domains. What other brands were targeted?
Our investigation yielded 207 domains containing the text string “nft” and famous brand or trademark names, including PayPal, Adidas, JPMorgan, Apple, Coca-Cola, McDonald’s, Nike, Walmart, Google, and Rolex. The chart below shows the distribution of possible NFT-related cybersquatting domains.
While most of the domains had redacted WHOIS details, some didn’t. However, only one domain could be publicly attributed to the mentioned brand, specifically, nikeweightlinfting[.]com whose registrant email address points to a legitimate and unredacted Nike email address. This domain may not even be necessarily NFT-related, as it appears to be a typo-variant of “nikeweightlifting.” Still, this type of result is rare compared with domains like nftnikeclothes[.]com, nikeclothesnft[.]com, and nikenftgallery[.]com.
More than a dozen of the cybersquatting NFT domains have been flagged as malicious, including:
As NFTs and related assets become increasingly popular and valuable, NFT scams and related cybercrime would also become more rampant. Detecting domains and subdomains that could become vehicles for these crimes can help prevent NFT enthusiasts from becoming scam victims. Furthermore, more in-depth threat analysis that includes IP and DNS resolutions would enrich threat detection and prevention.
Are you a threat researcher or cybersecurity professional interested in the NFT-related data presented in this study? Please contact us to learn more about our cyberthreat intelligence sources and possible research collaboration.
Sponsored byDNIB.com
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byCSC
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byRadix