Market | May 6, 2026

There's a Strange NFT in Your Wallet. Here's What Not to Do.


Attackers use automated tools to send unsolicited NFTs to thousands — sometimes hundreds of thousands — of wallet addresses at once. Ethereum is the most common target because it has the largest number of active addresses and the most publicly visible on-chain activity. But the same pattern occurs on Solana, BNB Chain, Polygon, and others.

The NFT arrives without warning. You did nothing to receive it. That is the point. It is designed to look interesting, valuable, or urgent enough that you want to do something with it.

Most malicious NFTs fall into one of two categories, and both are designed around the same basic trap.

The first type contains a link. The NFT's description, metadata, or displayed name includes a URL — sometimes disguised as a claim page, a reward portal, or a verification step. The message might say you've been selected for an exclusive airdrop, that there are unclaimed funds waiting for you, or that you need to verify ownership to receive something. The link goes to a phishing site that looks convincing. When you connect your wallet and sign the transaction it requests, you are authorizing a malicious contract to drain your funds. The transaction is irreversible.

The second type is the NFT itself. Some malicious NFTs are built with embedded smart contract logic that activates when you interact with the asset — when you try to sell it on a marketplace, transfer it to another address, or in some cases even when you view its details inside certain wallet interfaces. That interaction triggers the contract, which may grant the attacker unlimited approval to move your tokens. By the time you realize what happened, the funds are already gone.

In both cases, the NFT is not the payload. It is the lure. The payload is whatever happens the moment you engage with it.
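Both traps end in the same on-chain step: a signed call that grants someone else approval over your tokens. The following added example (not part of the original article) decodes raw transaction calldata offline and flags those approval calls before anything is signed; the sample calldata, the spender address and the risk labels are constructed for illustration.

```python
# Added example: offline decoder for the token-approval calls the article warns about.
# The selectors are the standard ERC-20 / ERC-721 / ERC-1155 ones; the sample
# calldata and the spender address (0x1111...) are constructed for illustration.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
# Heuristic for this example: amounts at or above 2**255 are treated as unlimited.
UNLIMITED_THRESHOLD = 2**255

def inspect_calldata(calldata_hex: str) -> dict:
    """Classify raw transaction calldata without touching the network."""
    try:
        raw = bytes.fromhex(calldata_hex.lower().removeprefix("0x"))
    except ValueError:
        return {"risk": "unknown", "reason": "calldata is not valid hex"}
    signature = APPROVAL_SELECTORS.get(raw[:4].hex())
    if signature is None:
        return {"risk": "unknown", "reason": "not a recognised approval call"}
    args = raw[4:]
    if len(args) < 64:
        return {"risk": "high", "function": signature,
                "reason": "approval call with truncated arguments"}
    # Word 1 is the spender/operator address, left-padded to 32 bytes.
    result = {"function": signature, "spender": "0x" + args[12:32].hex()}
    value = int.from_bytes(args[32:64], "big")  # word 2: amount, token id or bool
    if signature.startswith("setApprovalForAll"):
        if value == 0:
            return {**result, "risk": "low", "reason": "revokes operator access"}
        return {**result, "risk": "high",
                "reason": "operator may move every token in this collection"}
    if value >= UNLIMITED_THRESHOLD:
        return {**result, "risk": "high", "reason": "effectively unlimited allowance"}
    # On an ERC-721 contract the same selector approves a single token id.
    return {**result, "risk": "medium", "reason": f"allowance or token id {value}"}

SPENDER_WORD = "00" * 12 + "11" * 20  # constructed address, left-padded
SAMPLE_UNLIMITED = "0x095ea7b3" + SPENDER_WORD + "ff" * 32
SAMPLE_OPERATOR = "0xa22cb465" + SPENDER_WORD + "00" * 31 + "01"
SAMPLE_REVOKE = "0xa22cb465" + SPENDER_WORD + "00" * 32
SAMPLE_TRANSFER = "0xa9059cbb" + SPENDER_WORD + "00" * 31 + "05"

if __name__ == "__main__":
    for name in ("SAMPLE_UNLIMITED", "SAMPLE_OPERATOR", "SAMPLE_REVOKE", "SAMPLE_TRANSFER"):
        print(name, inspect_calldata(globals()[name]))
```

An "unknown" result only means the call is not one of these three approval functions; it says nothing about whether the contract behind it is safe.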

The psychology behind this attack is straightforward, and it targets reactions that are completely natural.

Curiosity is the most common trigger. You open your wallet, see something you don't recognize, and want to know what it is. Is it valuable? Is it from a project you've heard of? Did someone send it to you by mistake?

Anxiety is the second trigger. Some users, especially newer ones, feel that having an unknown NFT in their wallet is a problem that needs to be solved. They want to get rid of it. So they try to sell it, burn it, or transfer it away — and that attempt is exactly what the attacker was waiting for.

Fear of missing out is the third. If the NFT claims to be from a well-known project, or shows a floor price that looks real, the instinct to act before the opportunity disappears can override the instinct to pause and think.

All three reactions lead to the same place: interaction. And interaction is the mechanism.

In 2023, attackers used a compromised X account belonging to Vitalik Buterin to promote a fake NFT airdrop. The post created urgency, appeared legitimate, and linked users to a malicious site. Within hours, users who connected their wallets lost around $700,000 in assets.

The pattern is always similar. The NFT or message creates perceived legitimacy. Urgency removes hesitation. Wallet connection and transaction signing complete the theft.

The safest response is usually the simplest: do nothing.

An NFT sitting untouched in your wallet cannot harm you. It is simply an entry on the blockchain unless you interact with it. You do not need to sell it, transfer it, or burn it.

If you want to investigate safely, look up the NFT's contract address using a block explorer such as Etherscan — without connecting your wallet or clicking links contained in the NFT itself. In many cases, the contract will show clear signs of being recently deployed or unverified.

If you want to review suspicious assets in your wallet safely, ZenRealm's Suspicious Asset Check allows you to inspect wallet contents without connecting your wallet or signing transactions.

The rule is simple: if you didn't ask for it, don't touch it.
