Rogue cryptocurrency billboards go phishing for wallets

Rogue cryptocurrency billboards go phishing for wallets

Billboards and digital real world advertising has raised many questions of privacy and anonymity in recent years. Until now, the primary concern has been (mostly) legal, yet potentially objectionable geolocation and user profiling. Bluetooth beacons work in tandem with geofenced billboards to send you offers. Stores follow your movements and tailor products accordingly, occasionally with very bad results. It’s such a common practice that you even see digital advertising used to track appearing in video games.

Attacks we’ve seen in the real world typically involve QR code stickers and take two main forms:

  • Letters or emails/chat app conversations which direct victims to Bitcoin ATMs. These attacks can often tie into money mule schemes.
  • Real world alteration/tampering of genuine QR codes. This can involve bogus QR code stickers placed over locations you’d expect to see a real code. Parking meters and car parks generally are prime targets for this type of scam.

We can now add rogue billboards to the list.

Beware of the party crashers

NFT NYC describes itself as “the leading annual non-fungible token event”. The 2022 meet-up is the fourth such event to take place. With NFTs hitting boiling point in the media, it’s natural to think scammers would turn their sights on the plundering of incredibly fungible apes and other items of a digital nature.

If you’re up to no good, and you know digital finance is filled with insecure coin-laden wallets and expensive jpegs, this is absolutely something you’re going to take an interest in.

Sure enough:

The screenshot is from a Discord channel, which says:


Reports of scam billboards in NYC with QR codes leading to Wallet Drainer sites.

This is probably a good time to explain what a wallet drainer site is.

Of wallets and draining

Sadly, it seems nobody grabbed a photo of what these scam billboards look like. However, a “wallet drainer” is just another way of saying “phishing website”. There are three ways the majority of cryptocurrency phishes take place:

  1. Airdrop phishing. This can involve entering your wallet’s recovery phrase onto a fake website (don’t do this), or connecting your wallet directly to the phishing portal (don’t do this either).
  2. Bogus giveaways. These claim you’ll double your money, and often say they are endorsed by celebrities or Elon Musk.
  3. Rogue adverts. These bogus advertisements could lead you to either of the above, or even some completely unrelated technique.

People have confirmed in the replies to the original tweet that the theft here depended on victims scanning the code, and then clicking through to the phishing page. The phishing component depended on them manually entering their details into the fake website. It is not the case that simply visiting it would immediately drain funds or cause apes to go walkabout.

Rogue cryptocurrency billboards: A growing trend?

I’m wondering if this is the official cementing of rogue billboards as a digital finance scam technique. You may be surprised to learn this isn’t the first time someone has tried this.

Back in May, cryptocurrency exchange Binance warned of a rash of bogus billboards popping up in Turkey. Scam artists “plastered fake Binance billboards throughout the country”, many of which included a phone number answered by criminals behind the scheme.

The tactic used here was to convince unwary investors to hand over their seed/recovery phrases. Others were asked to register new accounts. Cryptocurrency scams involving new accounts tend to have funds deposited over time. Eventually the scammers have the victim transfer the funds to sites run exclusively by them. No matter which tactic is used, someone pulled in by the billboard has a strong chance of losing out.

This is clearly a technique which is working for phishers no matter the location. If you’re at an event or simply out and about and spot a cryptocurrency billboard, play it safe. Does the billboard mention a digital finance organisation? Check with the organisation if the URL is genuine. If you’re asked for seed/recovery phrases, don’t hand them over. Does the billboard make claims of doubling whatever you deposit? This is almost certainly a scam, especially if tied to a promotion from Elon Musk or TESLA.

Stay safe out there!


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.