Sleepdropping scam costs Ethereum users $11.5 million

Cybersecurity firms Forta Network and Blockfence have disclosed how a sophisticated scam, coined “sleepdropping,” has cost Ethereum users $11.5 million since its first detection in December 2022. The insidious operation centers on ERC-1155 tokens, often disguised as legitimate NFTs. Alarmingly, these fraudulent airdrops have reached over 500,000 addresses. The tactics deployed by the scammers expose the Achilles’ heel of smart contracts, even as they continue to gain mainstream acceptance.

A critical facet of this scam is the fraudulent website that deceives users into engaging in risky financial transactions. On the surface, these websites are legitimate platforms. However, once users engage with these sites, their funds end up in the pockets of unknown fraudsters. Over 20,000 users have already fallen prey to this intricate scam.

Interestingly, the scammers have even replicated a genuine Lido NFT token as a “badge” for a supposed airdrop, extending the web of deceit. While the NFT itself poses no direct risk to the user’s financial assets, the real danger lies in the secondary interactions it encourages. Users who believe the airdrop is genuine may claim harmful tokens on phishing sites. The scam transforms a harmless token into a lure that pulls users into a financial trap.

What complicates the matter further is the seemingly authentic nature of the smart contracts used to disseminate these tokens. In some instances, these contracts mimicked legitimate airdrops from reputable sources, such as those that rewarded early Lido stakers in 2021. According to Forta Network, an observant user might even see the tokens coming from a legitimate source, highlighting the depths these scammers are willing to feign authenticity.

The research conducted by Forta and Blockfence has identified more than a hundred unique smart contracts connected to this scam. These contracts share similar deployment characteristics, providing clues to the scam’s modus operandi. The scam unfolds in three main stages, which are as follows: fraudulent airdrop operations, deceptive websites, and malicious contracts that ultimately siphon off users’ funds.