Check Point Research alerts on a new NFT airdrop campaign – Check Point Research

Check Point Research uncovered a large-scale NFT airdrop scam that spoofs trusted project deployer addresses in transaction logs to trick over 200K recipients across 100+ projects into connecting wallets to phishing sites. Attackers use Solidity emit-based log spoofing, proxy/unverified contracts, and per-token claim websites to obtain approvals and drain wallets.

Keypoints

  • Campaign distributed fake NFT airdrops to more than 200,000 addresses, targeting holders across 100+ popular token projects.
  • Attackers spoof the “From” field on blockchain explorers by emitting logs (via Solidity emit) that reference reputable deployer addresses (e.g., Yuga Labs, Immutable X).
  • Each airdrop includes an NFT metadata link to a dedicated phishing website that prompts victims to connect wallets and sign malicious transactions.
  • Fraudulent airdrops are executed by proxy contracts delegating to unverified implementation contracts, obscuring the real logic and intent.
  • Decompilation revealed a TransferSingle event and an _airdrop parameter stored in STORAGE[0x03], which pointed to the real deployer address while logs misled users.
  • Analysts read on-chain storage via a Python script to verify that the _airdrop storage value contained the genuine deployer address, confirming log-based spoofing.
  • The attacker workflow: spoofed airdrop -> NFT with claim link -> phishing claim site -> wallet connection and malicious approval -> funds drained.

MITRE Techniques

  • No MITRE ATT&CK techniques were explicitly mentioned in the article.

Indicators of Compromise

  • [Transaction / Etherscan] example airdrop TXs – https://etherscan.io/tx/0xbd014bce91d1d2242b7d8e7217b5723e34b925aa9bd5d658de97a848097e9f3e, https://etherscan.io/tx/0x3c6f44e97cb8d50a54723415ff1fdaaa64171110e470d2355a27734b16240874
  • [Contract address] proxy & implementation – proxy 0x129174bcca997e51E4c2849C99f1DDb3A9bA387F, implementation 0x5A954283c8600a96274bb5a1E3CfDE2e0Dc32Ea0
  • [Wallet/deployer address] referenced in storage – 0xe9df50db94a4c0b75d0df9a768a37a935c201d05 (Immutable X deployer), and other addresses used in spoofed emits
  • [Phishing sites] claim websites – per-token dedicated phishing domains (examples not listed in article) used to request wallet connections and malicious approvals

Check Point’s investigation focuses on the technical mechanics of the scam: attackers broadcast ERC-1155/ERC-721-style airdrops whose emitted events include misleading “From” information. Because blockchain explorers like Etherscan display event log data produced by Solidity’s emit statements, adversaries can craft TransferSingle/Transfer events that reference reputable deployer addresses (e.g., IMMUTABLE X or Yuga Labs) without actually sending tokens from those entities. This log-based spoofing gives the appearance of legitimacy while the real implementation and control lie elsewhere.

Technical analysis showed the on-chain airdrop transactions were executed via a proxy contract (0x12917…) delegating to an unverified implementation contract (0x5A95…). Decompilation of the implementation revealed a TransferSingle event and an _airdrop parameter stored at STORAGE[0x03]; reading the raw storage via a Python script exposed that _airdrop contained the genuine deployer address (0xe9df50d…), confirming that the contract’s author used emits to mislead viewers while the contract logic and state were controlled by the attacker. The unverified implementation and proxy layering are used to obfuscate the actual airdrop logic and hinder quick inspection.
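The two checks the preceding paragraphs describe, as an added example that is not Check Point's script or any code from the campaign: decode an ERC-1155 TransferSingle log, compare its “From” topic with the account that really sent the transaction, and compare it with the address word read from the implementation's STORAGE[0x03]. The attacker EOA, victim address, log data and the storage word are constructed; the proxy and Immutable X deployer addresses are the ones quoted above.

```python
# keccak256("TransferSingle(address,address,address,uint256,uint256)"), the ERC-1155 topic
TRANSFER_SINGLE_TOPIC = "0xc3d58168c5ae7397731d063d5bbf3d657854427343f4c083240f7aacaa2d0f62"

def word_to_address(word_hex: str) -> str:
    """Indexed address topics and address-typed storage words are 20 bytes right-aligned in 32."""
    return "0x" + word_hex[-40:].lower()

def address_to_word(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")

def decode_transfer_single(log: dict) -> dict:
    topics = log["topics"]
    if len(topics) != 4 or topics[0].lower() != TRANSFER_SINGLE_TOPIC:
        raise ValueError("not a TransferSingle log")
    data = bytes.fromhex(log["data"][2:])          # abi-encoded (id, value), 32 bytes each
    return {"emitter": log["address"].lower(),
            "operator": word_to_address(topics[1]),
            "from": word_to_address(topics[2]),
            "to": word_to_address(topics[3]),
            "id": int.from_bytes(data[:32], "big"),
            "value": int.from_bytes(data[32:64], "big")}

def spoof_indicators(log: dict, tx_sender: str, storage_slot3: str) -> list:
    """Reasons the log's displayed 'From' should not be taken as the airdrop's origin."""
    ev, sender, reasons = decode_transfer_single(log), tx_sender.lower(), []
    # The explorer's "From" column is just topics[2]; nothing forces it to equal the
    # account that signed the transaction. A mismatch means the named party took no part.
    if ev["from"] != sender:
        reasons.append("log 'from' %s != transaction sender %s" % (ev["from"], sender))
    if ev["operator"] not in (sender, ev["emitter"]):
        reasons.append("log 'operator' is neither the sender nor the emitting contract")
    # The _airdrop value kept in STORAGE[0x03] is what the implementation writes into the
    # event; if it equals the displayed 'from' but not the real sender, the reputable
    # address is stored only so that it can be emitted.
    stored = word_to_address(storage_slot3)
    if stored == ev["from"] and stored != sender:
        reasons.append("STORAGE[0x03] holds the displayed 'from' but the sender is someone else")
    return reasons

# Constructed sample: placeholder attacker EOA calls the proxy from the report, which
# emits a TransferSingle naming the Immutable X deployer (address from the report) as 'from'.
ATTACKER_EOA = "0x1111111111111111111111111111111111111111"   # placeholder, constructed
VICTIM       = "0x2222222222222222222222222222222222222222"   # placeholder, constructed
IMX_DEPLOYER = "0xe9df50db94a4c0b75d0df9a768a37a935c201d05"
PROXY        = "0x129174bcca997e51E4c2849C99f1DDb3A9bA387F"
SAMPLE_LOG = {"address": PROXY,
              "topics": [TRANSFER_SINGLE_TOPIC, address_to_word(ATTACKER_EOA),
                         address_to_word(IMX_DEPLOYER), address_to_word(VICTIM)],
              "data": "0x" + "1".rjust(64, "0") + "1".rjust(64, "0")}   # id=1, value=1

def check_sample() -> list:
    """Storage word is constructed to hold the deployer address, as the report observed."""
    return spoof_indicators(SAMPLE_LOG, ATTACKER_EOA, address_to_word(IMX_DEPLOYER))
```

On live data the log comes from `eth_getTransactionReceipt`, the sender from the transaction's `from`, and the storage word from `eth_getStorageAt(implementation, 3)`.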

The operational endgame pairs these on-chain deceptions with off-chain phishing: each fake NFT includes a metadata link to a bespoke claim website that prompts users to connect wallets and sign transactions. Once a wallet is connected and a malicious approval is signed, attackers can transfer tokens and drain funds. The combined technique—emit-based source spoofing, proxy/unverified contracts, storage inspection to confirm deception, and phishing claim sites—creates a scalable pipeline for targeting large numbers of token holders. Practitioners should treat unsolicited airdrops with suspicion, avoid connecting wallets to unknown claim sites, and audit contract verification and emitted events before trusting airdrop provenance.

Read more: https://research.checkpoint.com/2024/check-point-research-alerts-on-a-new-nft-airdrop-campaign/