The FBI is warning about a new scam where cybercriminals exploit NFT airdrops on the Hedera Hashgraph network to steal crypto from cryptocurrency wallets.
Airdrops are a method of distributing cryptocurrency tokens for free to wallet addresses, usually as part of a marketing, community growth, or reward campaign, but they are also used as bait for scams.
“The Hedera Hashgraph is the distributed ledger used by Hedera. The airdrop feature was originally created by the Hedera Hashgraph network for marketing purposes; however, cyber criminals can exploit this tactic to collect victim data to steal cryptocurrency,” explains the FBI advisory.
In the attacks targeting wallets on the Hedera Hashgraph network, the threat actors send unsolicited NFTs or tokens to users’ wallets with memos prompting users to click on a URL to claim their reward.
Clicking the link takes victims to phishing sites or dApps that ask them to input sensitive information like account passwords and wallet recovery seed phrases.
The attackers can then use this sensitive information to hijack the victim’s wallets and empty them.
Hedera Hashgraph is a distributed ledger technology (DLT) and public network, similar to Ethereum and Bitcoin, but built on a fundamentally different structure called a hashgraph rather than a blockchain.
Unlike blockchains that store data in sequential blocks, hashgraph uses a gossip protocol and virtual voting to achieve consensus, allowing for faster, more scalable, and more energy-efficient operations.
This technology was introduced in 2018 as a next-generation distributed ledger aiming to overcome the limitations of conventional blockchains, and scammers have started to target it more as its popularity and adoption rise.
FBI says that fraudsters currently promote their fraud campaigns beyond the unsolicited NFT airdrops, including phishing emails, social media advertisements, and fake websites.
Protection advice
When receiving airdrop alerts, it is advisable to always verify their legitimacy with the official source before engaging.
Verify using the official customer service number/email address, and never the ones listed on emails, as those could direct the communication to the scammers.
During the NFT claiming or minting process, it is crucial never to share passwords, seed phrases, or one-time passwords (OTPs), unless you initiated contact.
Finally, cryptocurrency accounts should be regularly monitored for signs of unauthorized activity/transactions and suspicious login attempts.
If you suspect you have been compromised by scammers, it is advisable to contact your account providers and report it as soon as possible.
Then, report the incident to the FBI’s Internet Crime Complaint Center (IC3) with details such as cryptocurrency addresses and transaction information (ID, date, amount).
Manual patching is outdated. It’s slow, error-prone, and tough to scale.
Join Kandji + Tines on June 4 to see why old methods fall short. See real-world examples of how modern teams use automation to patch faster, cut risk, stay compliant, and skip the complex scripts.
