New NFT private auction scam threatens OpenSea users

Published at: Dec. 23, 2022

As nonfungible tokens (NFTs) became more popular, bad actors who constantly try to exploit users within the space have become more active. Now, a new hack involving a feature on the NFT marketplace OpenSea threatens NFT holders through phishing sites. 

In an announcement, anti-theft project Harpie warned NFT users of a new hack involving gasless sales on the OpenSea platform. According to Harpie, hackers were able to steal millions in digital assets by exploiting the feature.

When users want to conduct gasless sales within the OpenSea platform, they are required to approve a signature request with an unreadable message. With this feature, users are also able to create private auctions with unreadable signatures.

Hackers have been able to steal NFTs like magic with a little-known OpenSea feature. It's the newest hack, and multiple millions in Apes have been lost to it already. (1/4) pic.twitter.com/fTK20WQrgh

— Harpie (@harpieio) December 22, 2022

Because of this, phishing websites have been using this feature to ask their victims to sign one of these unreadable messages. According to Harpie, the signatures often pose as a step required to log in and access the website. 

However, the login messages are actually signature requests to conduct a private sale of the victim's NFTs to the scammer for 0 Ether (ETH). If signed, it will send the NFTs to the hacker's wallet address.
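
A wallet or browser extension can catch this pattern before the prompt is shown. The following is an added example, not code from Harpie, OpenSea or the original article: it inspects an `eth_signTypedData_v4` payload and blocks Seaport orders that offer NFTs while paying the signer nothing. Field names follow Seaport's public `OrderComponents` struct; the function name, verdict strings and sample orders are constructed for illustration.

```javascript
// Added example: screen an eth_signTypedData_v4 payload before showing the sign prompt.
// Field names follow Seaport's public OrderComponents struct; function name,
// verdict strings and sample values are constructed for illustration.
const NFT_ITEM_TYPES = new Set([2, 3, 4, 5]); // ERC721, ERC1155 and their criteria variants
const toBig = (v) => { try { return BigInt(v); } catch { return 0n; } };

function screenSignRequest(typedData) {
  let td = typedData;
  if (typeof td === "string") {
    try { td = JSON.parse(td); } catch { return { verdict: "review", reason: "not typed data" }; }
  }
  if (td?.domain?.name !== "Seaport" || td?.primaryType !== "OrderComponents") {
    return { verdict: "allow", reason: "not a Seaport order" };
  }
  const msg = td.message ?? {};
  const offerer = String(msg.offerer ?? "").toLowerCase();
  const nfts = (msg.offer ?? []).filter((i) => NFT_ITEM_TYPES.has(Number(i.itemType)));
  if (nfts.length === 0) return { verdict: "allow", reason: "order offers no NFTs" };

  // Amounts may decay from startAmount to endAmount, so take the lower bound
  // of what the signer is guaranteed to receive. Only a zero check is made:
  // amounts in different tokens are not comparable.
  let paidToSigner = 0n;
  for (const c of msg.consideration ?? []) {
    if (String(c.recipient ?? "").toLowerCase() !== offerer) continue;
    const start = toBig(c.startAmount), end = toBig(c.endAmount);
    paidToSigner += start < end ? start : end;
  }
  if (paidToSigner === 0n) {
    return { verdict: "block", reason: `sells ${nfts.length} NFT(s) for nothing`, nfts };
  }
  return { verdict: "review", reason: "Seaport listing; show price to user", nfts };
}

// Constructed samples (placeholder addresses, not real orders).
const SIGNER = "0x" + "a".repeat(40);
const item = (itemType, amount, extra = {}) => ({
  itemType, token: "0x" + "b".repeat(40), identifierOrCriteria: "1",
  startAmount: amount, endAmount: amount, ...extra,
});
const order = (consideration) => ({
  domain: { name: "Seaport", chainId: 1 }, primaryType: "OrderComponents",
  message: { offerer: SIGNER, offer: [item(2, "1")], consideration },
});
const ZERO_PRICE = order([item(0, "0", { recipient: SIGNER })]);
const NORMAL_LISTING = order([item(0, "1000000000000000000", { recipient: SIGNER })]);

console.log(screenSignRequest(ZERO_PRICE).verdict, screenSignRequest(NORMAL_LISTING).verdict);
```

A site that presents such a request as a "login" step is the tell: a sign-in never needs an order that lists the signer's NFTs.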


Apart from this scam, blockchain security company CertiK has also recently issued a warning to the crypto community over what they describe as "ice phishing." Through this exploit, scammers trick Web3 users into signing permissions that allow the attackers to spend their tokens. CertiK noted that the scam is a significant threat and is unique to the Web3 world.

Back on Dec. 17, an analyst brought up how a scammer used the gasless Seaport signature feature to allegedly steal 14 Bored Ape NFTs. After performing thorough social engineering, the hacker directed the victim to a fake NFT platform before asking the holder to sign a contract. This was followed by the victim’s wallet being drained.
