Possible Vehicles for NFT Scams?

Non-fungible token (NFT) scams can come in various forms, but one thing is sure: the threat actors behind them often use domain names, fake websites, and phishing emails. In line with such attack vectors, WhoisXML API researchers looked at the domain registration trends relevant to NFTs and enriched the findings with WHOIS and IP intelligence. Below is a summary of what we discovered.

  • More than 65,000 NFT-related domains and subdomains were registered over time as of 17 January 2022.
  • Of the more than 34,000 NFT-related domains registered, 7% were newly registered domains (NRDs), that is, domains added within the past 30 days.
  • Around 82% of the NRDs, including some malicious domains, actively resolved to 1,889 unique IP addresses.
  • More than 200 domains containing the string “NFT” could be cybersquatting on some of the most popular brands and trademarks, almost all of which cannot be publicly attributed to legitimate companies.

Feel free to download the complete list of NFT-related domains, subdomains, and other data enrichment from our website. We go into the details of our analysis and research below.

65,000+ NFT-Related Domains and Subdomains

To see how NFTs have affected domain name registrations, we ran “nft” together with “mint” and other text strings related to some of the most popular NFT tokens and platforms on Domains and Subdomains Discovery. These include “opensea,” “metamask,” “axie,” “nifty,” and “theta.” The numbers of domains and subdomains found are shown below.

Text String        Number of Domains    Number of Subdomains
“nft” + “mint”     1,053                144
“opensea”          2,080                1,197
“metamask”         1,299                1,035
“axie”             10,000+*             10,000+*
“nifty”            10,000+*             10,000+*
“theta”            10,000+*             10,000+*
Total              34,432+*             32,376+*

* Domains and Subdomains Discovery returned the first 10,000 domains and subdomains, indicating that there could be more.

Malicious Domain Alert

We took a random sample of 3,000 domains from the total volume and ran a malware check. We detected 24 malicious domains, including:

  • mintsphynxnft[.]com
  • cryptocatnftmint[.]art
  • openseagift[.]com
  • metamask[.]gs
  • metamask[.]kiwi
  • metamask-us[.]com
  • marketpjace-axieinfinlty[.]com
  • mintledgersnft[.]xyz
  • solnftmint[.]com
  • mint-castlekidnft[.]com

What Content Do the Domains Host?

A small percentage of the domains (7%) and subdomains (5%) were added within the past 30 days. We subjected the NRDs to a bulk screenshot analysis. We found several sites that contain what could either be legitimate NFT pages or scam pages using techniques such as fake giveaways, bogus websites, and limited offers. Some examples are shown below.

Cybersquatting NFT Domains Targeting Famous Brands

Domains like adidasnftminting[.]com and mintadidasnfts[.]com, whose contents entice NFT enthusiasts with giveaways supposedly from Adidas, made us curious as to how NFT usage has affected popular brands. The two Adidas-related domains could not be publicly attributed to Adidas, making them potential cybersquatting domains. What other brands were targeted?

Our investigation yielded 207 domains containing the text string “nft” and famous brand or trademark names, including PayPal, Adidas, JPMorgan, Apple, Coca-Cola, McDonald’s, Nike, Walmart, Google, and Rolex. The chart below shows the distribution of possible NFT-related cybersquatting domains.

While most of the domains had redacted WHOIS details, some didn’t. However, only one domain could be publicly attributed to the mentioned brand: nikeweightlinfting[.]com, whose registrant email address points to a legitimate and unredacted Nike email address. This domain may not necessarily even be NFT-related, as it appears to be a typo variant of “nikeweightlifting.” Still, this type of result is rare compared with domains like nftnikeclothes[.]com, nikeclothesnft[.]com, and nikenftgallery[.]com.

More than a dozen of the cybersquatting NFT domains have been flagged as malicious, including:

  • nftapples[.]com
  • apples-nft[.]com
  • applemusicnft[.]com
  • cocacola-nft[.]com

As NFTs and related assets become increasingly popular and valuable, NFT scams and related cybercrime are also likely to become more rampant. Detecting domains and subdomains that could become vehicles for these crimes can help prevent NFT enthusiasts from becoming scam victims. Furthermore, more in-depth threat analysis that includes IP and DNS resolutions would enrich threat detection and prevention.
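
The string-based triage described in this report can be sketched as follows. This is an added example, not WhoisXML API's tooling: the watchlists, the `classify` helper, and the one-edit lookalike rule are assumptions, and the lookalike check goes slightly beyond the text to catch typo variants such as marketpjace-axieinfinlty[.]com.

```python
import re

# Watchlists built from the strings and brands named in this article.
# Assumption: "axieinfinity" is used as the full platform name behind "axie".
PLATFORMS = ["opensea", "metamask", "axieinfinity"]
BRANDS = ["paypal", "adidas", "jpmorgan", "apple", "cocacola",
          "mcdonalds", "nike", "walmart", "google", "rolex"]
NFT_TERMS = ["nft", "mint"]

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return sorted triage labels for one (possibly defanged) domain."""
    name = domain.strip().lower().replace("[.]", ".").rsplit(".", 1)[0]
    flat = re.sub(r"[.\-]", "", name)  # ignore dots and hyphens
    labels = set()
    if any(t in flat for t in NFT_TERMS) and any(b in flat for b in BRANDS):
        labels.add("brand+nft")
    if any(p in flat for p in PLATFORMS):
        labels.add("platform")
    # Typo variants: a whole token exactly one edit away from a watched name.
    for token in re.split(r"[.\-]", name):
        for target in PLATFORMS + BRANDS:
            if len(target) >= 6 and edit_distance(token, target) == 1:
                labels.add("lookalike:" + target)
    return sorted(labels)

# Sample feed: defanged domains quoted in this article plus one
# constructed benign entry (example[.]org).
FEED = ["adidasnftminting[.]com", "metamask[.]gs",
        "marketpjace-axieinfinlty[.]com", "nikeweightlinfting[.]com",
        "example[.]org"]

if __name__ == "__main__":
    for d in FEED:
        print(d, classify(d))
```

nikeweightlinfting[.]com is labelled `brand+nft` only because “linfting” happens to contain “nft,” so the labels are candidates for WHOIS attribution and malware checks, not verdicts.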

Are you a threat researcher or cybersecurity professional interested in the NFT-related data presented in this study? Please contact us to learn more about our cyberthreat intelligence sources and possible research collaboration.


