The Federal Bureau of Investigation is issuing this announcement to inform individuals about cyber criminals defrauding cryptocurrency users through the non-fungible token airdrop feature embedded in non-custodial wallets, which is disguised as free rewards or incentives for Hedera Hashgraph network users.
The Hedera Hashgraph is the distributed ledger used by the Hedera network. The airdrop feature was originally created by the Hedera Hashgraph network for marketing purposes; however, cybercriminals can exploit this tactic to collect victim data and steal cryptocurrency.
For a user to receive a token in their wallet as part of the airdrop process, the user must either hold the specific token offered, be a part of the community, or simply own a non-custodial wallet.
Once the transaction is completed, and the user receives unsolicited or promotional cryptocurrency tokens and rewards in their non-custodial wallet as part of the airdrop process, a plaintext “memo” section appears that may be used to provide additional context about the transaction, including a reference number.
Within these memos, users are required to click the embedded uniform resource locator (URL) to accept the tokens or rewards.
The memo is independent of the wallet a user may use to manage their cryptocurrency; however, cybercriminals are compromising this memo feature by including a URL to a third-party website. This URL links the user’s cryptocurrency wallet to the website’s decentralised applications function, allowing them to earn additional cryptocurrency.
This connection often requires the user to input their login and security information, including seed phrases, to complete the process. The information entered by the user allows cybercriminals to steal the user’s cryptocurrency from their wallet.
Tips on how to protect yourself
- If you did not sign up to participate in a marketing or rewards program with the provider and you receive an offer for free tokens, verify the offer is from the cryptocurrency provider before accepting and/or providing any information.
-
Do not respond to requests to provide personally identifiable information, such as passwords, seed phrases, or one-time passwords, sent to your accounts if you did not initiate the outreach. Initiate a new call to the company using the verified customer service number if a “representative” reaches out to you via phone or email soliciting personal information.
-
Do not click links or use numbers provided in suspicious emails for confirmation communication is legitimate. Use verified customer service numbers provided by the company on official communications.
- Monitor cryptocurrency accounts for suspicious login attempts, unauthorised changes to the account, unrecognised transactions, or compromised credentials.
