A Non-Fungible Token (NFT) is a unique and non-interchangeable cryptographic asset on a blockchain. As NFTs continue to grow in popularity, NFT users have become targets of phishing attacks by cybercriminals known as NFT drainers. Over the last year, $100 million worth of NFTs were stolen by drainers, and their presence remains a serious threat to the NFT trading space. Since NFTs are different from cryptocurrencies, existing work on detecting Ethereum phishing scammers is unsuitable for detecting NFT drainers. Moreover, no work has yet comprehensively investigated the behaviors of drainers in the NFT ecosystem.
In this paper, we present the first study on the trading behavior of NFT drainers. We also present the first dedicated NFT drainer detection system: DRAINCLoG. We extract data on 83M NFT transactions from the Ethereum blockchain and collect 742 drainer accounts from five sources. We find that drainers have significantly different trading behaviors compared to regular users. Generally, drainers sell their NFTs much more quickly and cheaply, and they do so while using alternate accounts. Our findings suggest that relationships in the NFT ecosystem are critical in detecting NFT drainers. With the insights gained from our analysis, we design an automatic drainer detection system that uses graph neural networks to capture the complex relationships in the NFT ecosystem. Our model, DRAINCLoG, effectively captures NFT transaction contexts and social contexts using a user-NFT graph and a user graph, respectively. Evaluated on real-world NFT transaction data, DRAINCLoG significantly outperforms the baseline Ethereum phishing account detection models.