Over the past two weeks, unidentified hackers have been distributing fake NFTs to Solana cryptocurrency users, disguised as a new security update for the Phantom wallet. Instead of an update, however, the download is malware designed to steal users’ cryptocurrencies.
The hackers claim to be from the Phantom group and use NFTs called PHANTOMUPDATE.COM or UPDATEPHANTOM.COM.
After opening the NFT, users are notified that a new security update has been released for the Phantom wallet and can be downloaded using the attached link or the website provided.
To add urgency, the message warns users that failure to download this security update “may result in loss of funds due to hackers exploiting the Solana network.”
This element of urgency could be related to the Solana-based wallet hack in August, in which about $8 million was stolen from 8,000 wallets, including those of Phantom wallet users. The security exploit was later linked to vulnerabilities in the Solana-based Web3 wallet service Slope.
If the victim follows the fake Phantom update instructions, the malware is downloaded from GitHub. The software attempts to steal browser information, history, cookies, passwords, SSH keys, and other information from users.
Users who fall victim to this scam should take security precautions such as scanning their computers with antivirus software, securing crypto assets, and changing passwords on sensitive platforms such as bank accounts and cryptocurrency trading platforms.
In the past, similar malware distribution campaigns have used malware called Mars Stealer to steal cryptocurrency from unwary users.
Oski in 2019, Mars Stealer targeted more than 40 browser-based cryptocurrency wallets, along with popular extensions such as two-factor authentication (2FA) extensions, in order to steal users’ private keys.