Hedera Hashgraph

🔴 High Risk

The 2025 Hedera Hashgraph NFT airdrop scam underscores critical vulnerabilities in high-throughput distributed ledger technologies, where enterprise-grade speed and governance ironically amplify AML exposure. Criminals exploited Hedera’s unique transaction memo feature—independent of wallet interfaces—to embed phishing URLs in unsolicited HBAR/NFT drops, tricking users into authorizing malicious dApps that drained funds at hashgraph’s blistering TPS rates. Despite U.S.-based council oversight and post-incident TRM Labs integration for wallet screening, the absence of real-time checks pre-2025 enabled rapid layering, evading traditional blockchain forensics and pressuring regulators amid Sweden’s MiCA demands. This case reveals how Hedera’s non-blockchain design, while innovative, bypasses conventional safeguards, demanding stricter VASP compliance and highlighting systemic risks in sanctioned-adjacent networks for geopolitical analysts tracking Russian/European influence vectors.

In June 2025, cybercriminals targeted Hedera Hashgraph (HBAR) users through a sophisticated NFT airdrop phishing scam, as warned by the FBI’s IC3 PSA. Attackers broadcast unsolicited HBAR tokens or NFTs embedded with malicious URLs in Hedera’s transaction memo field—a feature independent of wallet interfaces—luring victims to “claim” rewards via fake dApps. Once connected, users unknowingly approved contracts that drained their non-custodial wallets, exploiting the network’s high-speed hashgraph consensus for rapid fund exfiltration before detection. No specific wallet addresses or aggregate losses were publicly disclosed, though individual drains ranged from thousands to potentially six figures in HBAR value, emphasizing retail and enterprise holder risks.

Countries Involved

United States (primary reporting via FBI), global victims including potential European users given Hedera’s international network. The FBI’s Internet Crime Complaint Center (IC3) based in the U.S. issued the main alert, but scams targeted Hedera users worldwide through non-custodial wallets. No specific country concentrations noted beyond U.S. enforcement focus, though Hedera’s enterprise ties to Sweden and Europe amplify exposure risks under MiCA. Cybercriminals likely operated from jurisdictions with lax enforcement, such as Eastern Europe or Asia, common in crypto phishing schemes. This cross-border nature complicates prosecution, involving international cooperation via Interpol or Europol if victims surface in EU states like Sweden.

June 2025 (FBI PSA issued around June 3-6, 2025). Initial warnings appeared via FBI cyber alerts and media like Forklog on June 6, 2025. Ongoing reports possible into late 2025, aligning with Hedera’s compliance integrations like TRM Labs in December 2025, suggesting persistent threats despite mitigations.

HBAR

Phishing scam and wallet drainage (cyber fraud). Criminals sent fake NFT airdrops disguised as free rewards, embedding malicious URLs in transaction memos. Victims clicked to “claim” tokens, authorizing dApps that stole funds. Not direct laundering but entry point for illicit flows, bypassing AML via social engineering.

Cybercriminals (unknown actors exploiting Hedera memos); victims (Hedera non-custodial wallet users); Hedera Hashgraph (platform affected, not culpable); FBI (reporting/enforcement); TRM Labs (mitigation partner). No named perpetrator groups, unlike Hydra market cases mentioned in parallel reports.

No. No evidence of politically exposed persons; targeted retail/enterprise HBAR holders, not PEPs.

Phishing via fake airdrops to gain wallet access, then rapid HBAR transfers to attacker-controlled addresses. Hedera’s high-speed hashgraph enables quick movement, potentially bypassing real-time checks pre-TRM integration. Funds likely tumbled through mixers, bridges to other chains, or swapped for privacy coins. Exploited memo field independent of wallets for URL phishing, linking to dApps for approvals. Post-drainage, layering via multiple small txns or DeFi pools to obscure trails.

N/A

Scammers broadcast HBAR/NFT with memos containing phishing URLs; victims interact, approve malicious contracts draining HBAR. Hedera’s gossip-about-gossip protocol records all txns immutably, aiding forensics via tools like TRM Wallet Screening/Forensics. Patterns: unsolicited airdrops to active wallets, memo-embedded lures, immediate post-approval outflows to new addresses. Pre-2025 TRM, high TPS risked evasion; now risk-scored in real-time.
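The memo-lure pattern described above (unsolicited inbound HBAR/NFT transfers whose memo carries a link) can be written as a wallet-side screening check. This is an added example, not code from Hedera, TRM Labs or the FBI advisory; the record fields are modelled on Hedera mirror node transaction records as an assumption, and all accounts, transaction IDs and domains are constructed.

```python
import base64
import re

# Explicit URLs, plus bare domain-like tokens such as "hbar-claim.example/x".
URL_RE = re.compile(
    r"(?:https?://|www\.)\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/\S*)?", re.I)

def decode_memo(tx):
    """Memo as text; undecodable bytes are replaced rather than dropped."""
    return base64.b64decode(tx.get("memo_base64") or "").decode("utf-8", "replace")

def inbound_senders(tx, wallet):
    """Accounts that sent HBAR or an NFT to `wallet` in this transaction."""
    senders = {n["sender_account_id"] for n in tx.get("nft_transfers", [])
               if n["receiver_account_id"] == wallet}
    hbar = tx.get("transfers", [])
    if any(t["account"] == wallet and t["amount"] > 0 for t in hbar):
        senders |= {t["account"] for t in hbar if t["amount"] < 0}
    return senders - {wallet}

def flag_memo_lures(transactions, wallet, known_senders):
    """Flag inbound transfers from unknown senders whose memo holds a URL."""
    findings = []
    for tx in transactions:
        unknown = inbound_senders(tx, wallet) - set(known_senders)
        urls = URL_RE.findall(decode_memo(tx))
        if unknown and urls:
            findings.append({"tx": tx["transaction_id"], "senders": sorted(unknown), "urls": urls})
    return findings

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample records: accounts, IDs and domains are made up.
WALLET, KNOWN = "0.0.1234", {"0.0.5555"}
SAMPLE = [
    {"transaction_id": "tx-nft-lure", "transfers": [],
     "memo_base64": _b64("Claim reward: https://hbar-claim.example/airdrop"),
     "nft_transfers": [{"sender_account_id": "0.0.9001", "receiver_account_id": WALLET}]},
    {"transaction_id": "tx-dust-lure", "memo_base64": _b64("visit free-hbar.example"),
     "transfers": [{"account": "0.0.9002", "amount": -1},
                   {"account": WALLET, "amount": 1}]},
    {"transaction_id": "tx-known", "memo_base64": _b64("Invoice 2025.06, see www.vendor.example"),
     "transfers": [{"account": "0.0.5555", "amount": -100},
                   {"account": WALLET, "amount": 100}]},
    {"transaction_id": "tx-no-url", "memo_base64": _b64("thanks, ref 0.0.777"),
     "transfers": [{"account": "0.0.9003", "amount": -5},
                   {"account": WALLET, "amount": 5}]},
]
```

Calling `flag_memo_lures(SAMPLE, WALLET, KNOWN)` flags the NFT drop and the dust transfer only; a wallet or monitoring tool using such a check should show flagged memos as plain text, never as clickable links.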

FBI PSA (June 2025) advising verification, avoiding unsolicited memos, reporting to IC3 with tx hashes/addresses. Hedera partnered with TRM Labs (Dec 2020/2025 updates) for AML/CFT: transaction monitoring, wallet screening, VASP profiling. No arrests reported specific to this; general crypto fraud probes ongoing. EU MiCA (Sweden focus) mandates similar reporting for CASPs.

Hedera Hashgraph
Case Title / Operation Name: Hedera Hashgraph
Country(s) Involved: United Kingdom
Platform / Exchange Used: Hedera Hashgraph Network (non-custodial wallets, no centralized exchange)
Cryptocurrency Involved: HBAR
Volume Laundered (USD est.): N/A
Wallet Addresses / TxIDs: N/A
Method of Laundering: Phishing via malicious memos in HBAR/NFT airdrops; wallet drainage post-dApp approval; rapid HBAR transfers for layering
Source of Funds: Stolen from Hedera users (retail/enterprise HBAR holders); entry for further laundering
Associated Shell Companies: N/A
PEPs or Individuals Involved: No PEP involvement confirmed
Law Enforcement / Regulatory Action: FBI IC3 PSA (June 2025): Verify memos, report tx details; Hedera-TRM Labs integration for screening
Year of Occurrence: 2025
Ongoing Case: Unsolved
🔴 High Risk