A significant number of users on the crypto analytics platform Nansen have reported receiving phishing emails from scammers offering participation in a non-existent "Nansen Airdrop." On November 23, the crypto community on X (formerly Twitter) highlighted an ongoing phishing scam specifically targeting Nansen users. Scammers are assuming the identity of Nansen and sending fraudulent invitations to exclusive airdrop events.
The legitimacy of this scam was confirmed by Cryptocurrency Investigator’s Notes (Officercia), which initially alerted the community about the ongoing phishing attack. The investigator suspected that leaked user data from third-party databases was used to specifically target Nansen users.
An earlier security breach on September 22 affected approximately 7% of Nansen's user base due to a security lapse in one of its third-party vendors. This breach exposed the email addresses of the affected users, alongside some password hashes, and leaked blockchain addresses for some individuals. Nansen assured that all affected users would be identified and notified, with an insistence on password changes, while affirming that the incident did not impact users' wallet funds. Notably, a screenshot of the phishing email impersonating Nansen shows the sender's address as "mail@networkforgood.com," entirely unrelated to the original platform.
The phishing email promises users a guaranteed allocation of fabricated NANSEN tokens within the next 48 hours and includes a link that redirects users to a potentially manipulated website. In response, Officercia recommended reporting any suspected phishing links to platforms like chainabuse.com, cryptoscamdb.org, and phishtank.org, aiming to help prevent the success of such attacks within the internet community. Following recent data leaks involving platforms such as TrueCoin and FTX bankruptcy claims, more cryptocurrency investors have become potential targets for phishing attempts. However, Friend.tech refuted claims of a compromised database of over 100,000 users, asserting that the alleged data originated from public API scraping, akin to viewing a public Twitter feed, and was not a result of an attack.
