Phishing sites are making the private auction feature look like a way to log in, luring victims into giving up their NFTs unknowingly.
As nonfungible tokens (NFTs) have gained popularity, bad actors who try to take advantage of individuals within the ecosystem have become more active.
Currently, NFT holders are at risk due to a new hack involving a feature on the NFT marketplace OpenSea through phishing websites. Anti-theft initiative Harpie alerted NFT users to a fresh attack involving gasless purchases made through the OpenSea platform.
Harpie claims that by exploiting this functionality, hackers were able to steal millions in digital assets. To make gasless sales on the OpenSea platform, users must approve a signature request containing an unintelligible message. The same capability lets users create private auctions with unreadable signatures.
Because of this, phishing websites have been asking their victims to sign one of these incomprehensible messages. Harpie claims that the signature requests are frequently presented as a step necessary to log in and access the website.
The login messages, however, are simply signature requests for the victim to execute a private sale of their NFTs to the con artist for 0 ETH. If the request is signed, the NFTs will be delivered to the hacker’s wallet address.
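A check a wallet or browser extension could run before displaying such a request, shown as an added example (not code from OpenSea, Harpie or CertiK). It assumes the request arrives as EIP-712 typed data using the field names of Seaport's `OrderComponents` struct; `inspectSignRequest`, the addresses and the token id are hypothetical, constructed values.

```javascript
// Added example: flag a typed-data signing request that is really a marketplace
// order giving away NFTs for nothing. Field names assume Seaport's OrderComponents.
const NFT_ITEM_TYPES = new Set([2, 3, 4, 5]); // ERC721, ERC1155 and their criteria variants

function inspectSignRequest(typedData, signer) {
  const findings = [];
  if (!typedData || typedData.primaryType !== "OrderComponents") {
    return { isOrder: false, block: false, nftsOffered: 0, findings };
  }
  findings.push("request is a marketplace order, not a login message");
  const msg = typedData.message || {};
  const me = signer.toLowerCase();
  const nfts = (msg.offer || []).filter((i) => NFT_ITEM_TYPES.has(Number(i.itemType)));
  // What the signer receives: consideration items addressed to the signer.
  // Take the lower of start/end amount so a price that decays to zero is caught.
  let paid = 0n;
  for (const c of msg.consideration || []) {
    if (String(c.recipient).toLowerCase() !== me) continue;
    const a = BigInt(c.startAmount ?? 0);
    const b = BigInt(c.endAmount ?? 0);
    paid += a < b ? a : b;
  }
  const block = nfts.length > 0 && paid === 0n;
  if (block) findings.push(`gives away ${nfts.length} NFT(s); signer receives 0`);
  return { isOrder: true, block, nftsOffered: nfts.length, findings };
}

// Constructed sample values (not real accounts or collections).
const VICTIM = "0x" + "11".repeat(20);
const COLLECTION = "0x" + "33".repeat(20);
const NATIVE = "0x" + "00".repeat(20);
const nftItem = { itemType: 2, token: COLLECTION, identifierOrCriteria: "1234",
  startAmount: "1", endAmount: "1" };
const payment = (wei) => ({ itemType: 0, token: NATIVE, identifierOrCriteria: "0",
  startAmount: wei, endAmount: wei, recipient: VICTIM });

// Constructed request of the kind described above: an NFT offered for 0 ETH.
const fakeLogin = {
  domain: { name: "Seaport" },
  primaryType: "OrderComponents",
  message: { offerer: VICTIM, offer: [nftItem], consideration: [payment("0")] },
};
// Constructed ordinary listing: the signer receives 1 ETH (in wei) for the same NFT.
const normalListing = {
  ...fakeLogin,
  message: { offerer: VICTIM, offer: [nftItem], consideration: [payment("1000000000000000000")] },
};

console.log(inspectSignRequest(fakeLogin, VICTIM));
console.log(inspectSignRequest(normalListing, VICTIM));
```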
In addition to this fraud, the blockchain security firm CertiK recently warned the cryptocurrency community about a practice they call “ice phishing.” By using this exploit, con artists get Web3 users to sign permissions that give the attackers the right to use their tokens.
The scam, according to CertiK, is specific to the Web3 industry and poses a serious threat. On December 17, an analyst pointed out how a con artist allegedly stole 14 Bored Ape NFTs using the gasless Seaport signature feature.
The hacker conducted extensive social engineering before leading the victim to a phony NFT site and having the holder sign a contract. The victim’s wallet was then stolen.