In the last two weeks, hackers have been airdropping NFTs to Solana users under the guise of a new Phantom wallet security update. However, the NFTs are lures for malware designed to steal their assets.
The hackers, who claim to be Phantom team members, use NFTs titled PHANTOMUPDATE.COM or UPDATEPHANTOM.COM. On opening the NFT, users are told that a new security update has been issued for the Phantom wallet and can be downloaded via an enclosed link or a listed website. When these sites are visited from any device, they automatically download a Windows batch file named Phantom_Update_2022-10-08.bat [VirusTotal] from Dropbox.
The perpetrators created a sense of urgency among users, claiming that failing to download the fake security update may result in a loss of funds due to hackers exploiting the Solana network.
"Phantom requires all users to update their wallets. This must be done as soon as possible," reads the warning in the fake Phantom update NFT.
"Failing to do so, may result in loss of funds due to hackers exploiting the Solana network. Visit www.updatePhantom.com to get the latest security update."
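For defenders, the lure described above has two observable stages: the airdropped NFT's metadata (a bare-domain name, urgency wording, a link to a non-vendor domain) and the drive-by fetch of a .bat file from a file-sharing host. The following Python screener is an added example written for this article, not code from Phantom or from the article itself; it applies those indicators to constructed NFT records and constructed proxy-log lines. The vendor allowlist (phantom.app) and the log-line format are assumptions, not something the article specifies.

```python
"""Screen airdropped NFT metadata and proxy-log download events for the
fake "wallet security update" lure pattern described in the article.
All NFT records and log lines below are constructed for this example."""
import re
from urllib.parse import urlparse

# Lure phrases taken from the text the article quotes; matched case-insensitively.
URGENCY_PHRASES = ("requires all users to update", "as soon as possible",
                   "loss of funds", "security update")

# Assumption: the operator keeps an allowlist of domains the wallet vendor really
# uses. phantom.app is Phantom's public site; it is not named in the article.
OFFICIAL_DOMAINS = ("phantom.app",)

# File-sharing host the article names as the source of the .bat download.
FILE_SHARING_HOSTS = ("dropbox.com",)

# An NFT whose whole name is a bare domain (PHANTOMUPDATE.COM) is itself a signal.
DOMAIN_LIKE_NAME = re.compile(r"^(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}$", re.I)
# Any URL-looking token embedded in free text.
URL_IN_TEXT = re.compile(
    r"(?:https?://)?(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/\S*)?", re.I)


def host_of(url: str) -> str:
    """Lowercase hostname of a URL without a leading 'www.'; '' if unparsable."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def matches_domain(host: str, domains) -> bool:
    """True if host equals one of domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def score_nft(meta: dict) -> list:
    """Return the lure indicators found in one NFT's metadata (empty = clean)."""
    reasons = []
    name = meta.get("name", "").strip()
    desc = meta.get("description", "")
    if DOMAIN_LIKE_NAME.match(name):
        reasons.append("name is a bare domain: " + name)
    hits = [p for p in URGENCY_PHRASES if p in desc.lower()]
    if hits:
        reasons.append("urgency language: " + "; ".join(hits))
    # Check every link the NFT pushes the user toward, each host only once.
    seen = set()
    for link in [meta.get("external_url", "")] + URL_IN_TEXT.findall(desc):
        host = host_of(link) if link else ""
        if host and host not in seen and not matches_domain(host, OFFICIAL_DOMAINS):
            seen.add(host)
            reasons.append("link to non-official domain: " + host)
    return reasons


def lure_hosts_from(nfts) -> set:
    """Hosts of every non-official link found across the screened NFTs."""
    hosts = set()
    for meta in nfts:
        for r in score_nft(meta):
            if r.startswith("link to non-official domain: "):
                hosts.add(r.split(": ", 1)[1])
    return hosts


def flag_downloads(log_lines: list, lure_hosts: set) -> list:
    """Flag .bat fetches from a file-sharing host; log lines are assumed to be
    'client host path referer'. A referer on a lure domain is noted so the
    download can be tied back to the NFT that sent the user there."""
    flagged = []
    for line in log_lines:
        client, host, path, referer = line.split()
        path = path.split("?", 1)[0]  # ignore query strings such as ?dl=1
        if not path.lower().endswith(".bat"):
            continue
        if not matches_domain(host_of(host), FILE_SHARING_HOSTS):
            continue
        ref = host_of(referer) if referer != "-" else ""
        via = " via lure domain " + ref if ref in lure_hosts else ""
        flagged.append(f"{client} fetched {path.rsplit('/', 1)[-1]} from {host}{via}")
    return flagged


# Constructed sample data: one copy of the lure pattern, one benign collectible.
SAMPLE_NFTS = [
    {"name": "PHANTOMUPDATE.COM",
     "description": ("Phantom requires all users to update their wallets. This must be "
                     "done as soon as possible. Failing to do so, may result in loss of "
                     "funds due to hackers exploiting the Solana network. Visit "
                     "www.updatePhantom.com to get the latest security update."),
     "external_url": "https://www.updatephantom.com"},
    {"name": "Sample Collectible #42",
     "description": "A constructed benign NFT. Wallet docs: https://phantom.app",
     "external_url": "https://phantom.app"},
]
# Constructed proxy-log lines in the assumed 'client host path referer' form.
SAMPLE_LOG = [
    "10.0.0.5 www.updatephantom.com / -",
    "10.0.0.5 www.dropbox.com /s/abc123/Phantom_Update_2022-10-08.bat?dl=1 https://www.updatephantom.com/",
    "10.0.0.9 www.dropbox.com /s/xyz789/quarterly_report.pdf -",
]
```

Running `score_nft` over `SAMPLE_NFTS` flags the first record on all three indicators and leaves the second clean; feeding the flagged hosts into `flag_downloads(SAMPLE_LOG, lure_hosts_from(SAMPLE_NFTS))` surfaces only the .bat fetch, annotated with the lure domain that referred it. The allowlist check is the part that keeps the urgency-phrase rule from flagging a genuine vendor notice.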
The threat seemed somewhat convincing because of the Solana wallet hack in August, in which about $8 million was stolen from 8,000 wallets. That exploit, later linked to vulnerabilities in the Web3 wallet service Slope, also affected Phantom wallet users.
If a user falls for the fake update scam, malware downloaded from GitHub will attempt to steal browser information, history, cookies, passwords, SSH keys, and other data from their machine. Affected users are advised to scan their computers with antivirus software, secure their crypto assets, and change passwords on sensitive financial and crypto platforms.
Previously, other malware operators used the Mars Stealer to steal crypto from unsuspecting users. Mars Stealer, an upgrade of the information-stealing Oski Trojan of 2019, targets more than 40 browser-based crypto wallets along with popular two-factor authentication (2FA) extensions, and has a grabber function that steals users' private keys.