X account tied to rapper Nelly compromised, used for crypto phishing scam

Quick Take

  • An X (formerly Twitter) account associated with American rapper Nelly was compromised.
  • The hacker used the account to lure people to a crypto phishing site. 

An X (formerly Twitter) account associated with American rapper Nelly was compromised, with the hacker using the profile for social engineering attacks and lure people to a crypto phishing site, on-chain investigator ZachXBT noted.

The attacker also altered Nelly’s profile to pose as a security analyst for Scam Sniffer — a web-based security solution. “On-chain security analyst. Helping you catch scammers @realscamsniffer,” the bio read. However, the profile seems to have been deleted or otherwise removed, and now says the account doesn’t exist.

Cornell Iral Haynes Jr., better known by his stage name Nelly, has released eight studio albums throughout his career, winning multiple accolades including three Grammy Awards and nine Billboard Music Awards.

Nelly’s profile before being taken down. Image: ZachXBT

Furthermore, ZachXBT cited two messages sent by the scammer to people, trying to claim that they were investigating wallet approval compromises on recipients’ addresses. This was also in an attempt to steal funds by getting users to sign malicious transactions.

“@NellioETH is compromised and pretending to be a member of ScamSniffer. They are trying to message people in an attempt to social engineer them into using a phishing site,” Scam Sniffer stated on X, confirming ZachXBT’s report. “Please always make sure you are visiting scamsniffer.io.”


Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

"Nelly's account was hacked and falsely rebranded to appear affiliated with the Scam Sniffer team (@realScamSniffer). The malicious actors are now sending direct messages to individuals, specifically targeting those with known .eth addresses, falsely warning them of a compromise," Dave Schwed, COO at blockchain security firm Halborn told The Block. "They then guide these individuals to a fake site that mimics ScamSniffer, but with a different top-level domain (TLD) name. Once users 'scan' their address on this fraudulent site, a fabricated compromise is reported. When unsuspecting users connect their wallets and attempt to 'revoke' permissions, they inadvertently grant scammers access to their tokens."

"This isn't a technologically sophisticated attack, but rather a social engineering tactic. It capitalizes on the trust inspired by Nelly's significant follower count and a deceptive website resembling a genuine one. A simple Google search for the authentic ScamSniffer site would reveal the discrepancy in top-level domains (TLD)." Schwed added.

Representatives for Nelly did not return a request for comment from The Block.

Updated with comments from the COO of Halborn.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

James Hunt is a reporter at The Block, based in the UK. As the writer behind The Daily newsletter, James also keeps you up to speed on the latest crypto news every weekday. Prior to joining The Block in 2022, James spent four years as a freelance writer in the industry, contributing to both publications and crypto project content. James’ coverage spans everything from Bitcoin and Ethereum to Layer 2 scaling solutions, avant-garde DeFi protocols, evolving DAO governance structures, trending NFTs and memecoins, regulatory landscapes, crypto company deals and the immersive metaverse. You can get in touch with James on Twitter or Telegram via @humanjets or email him at [email protected].


To contact the editor of this story:
Vishal Chawla at
[email protected]