The private auction feature is being used by phishing sites to trick users into giving up their NFTs without realizing it.
Nonfungible Tokens (NFTs) have grown in popularity, which has increased the activity of bad actors who constantly try to take advantage of users in the space. The current threat to NFT holders comes from a new hack involving a feature on the NFT marketplace OpenSea.
NFT users were alerted to a new hack involving gasless sales on the OpenSea platform by the anti-theft project Harpie in an announcement. According to Harpie, hackers were able to use the feature to steal millions of dollars worth of digital assets.
Users of the OpenSea platform must approve a signature request whose message is unreadable to a human in order to conduct gasless sales. The same feature also lets users create private auctions that rely on equally illegible signatures.
Hackers have been able to steal NFTs like magic with a little-known OpenSea feature. It’s the newest hack, and multiple millions in Apes have been lost to it already.
— Harpie (@harpieio) December 22, 2022
Phishing websites have been using this feature to ask their victims to sign one of these unreadable messages. According to Harpie, the signature requests are frequently presented as a step necessary to log in and access the website.
The “login” messages are in fact signature requests to carry out a private sale of the victim’s NFTs to the con artist for 0 ETH (ETH was trading at $1,219 at the time). If the message is signed, the NFTs are delivered to the hacker’s wallet address.
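A wallet-side check for the pattern described above, added here as an example rather than code from the article, Harpie, CertiK or OpenSea: it inspects an EIP-712 typed-data request before signing and flags a Seaport order that gives NFTs away while nothing flows back to the signer. The Seaport field names and item-type numbers are the real ones; the addresses, token id and contract address in the sample request are constructed placeholders.

```javascript
// Seaport ItemType values: 0 native ETH, 1 ERC20, 2 ERC721, 3 ERC1155, 4/5 criteria variants.
const NFT_TYPES = new Set([2, 3, 4, 5]);

// Returns a list of human-readable findings; an empty list means "nothing this check recognises".
function auditTypedData(typedData) {
  const findings = [];
  const { domain = {}, primaryType, message = {} } = typedData;
  if (domain.name !== "Seaport" || primaryType !== "OrderComponents") {
    return findings; // not a Seaport order (e.g. a genuine Sign-In-With-Ethereum message)
  }
  findings.push("Seaport order: signing this lists assets for sale, it is not a login");

  // Which NFTs would leave the signer's wallet if this order is fulfilled?
  const nfts = (message.offer || []).filter((i) => NFT_TYPES.has(Number(i.itemType)));
  if (nfts.length) {
    const items = nfts.map((i) => `${i.token}#${i.identifierOrCriteria}`).join(", ");
    findings.push(`offer gives away ${nfts.length} NFT(s): ${items}`);
  }

  // What the offerer gets back: sum consideration items whose recipient is the offerer.
  // BigInt avoids precision loss on wei amounts.
  const offerer = String(message.offerer).toLowerCase();
  const toOfferer = (message.consideration || [])
    .filter((c) => String(c.recipient).toLowerCase() === offerer)
    .reduce((sum, c) => sum + BigInt(c.startAmount), 0n);
  if (nfts.length && toOfferer === 0n) {
    findings.push("offerer receives nothing in return (0 ETH private sale pattern)");
  }
  return findings;
}

// Constructed sample: what a phishing page's "sign in" request actually carries.
const ZERO = "0x0000000000000000000000000000000000000000";
const VICTIM = "0x1111111111111111111111111111111111111111"; // placeholder
const SAMPLE_REQUEST = {
  domain: { name: "Seaport", version: "1.1", chainId: 1, verifyingContract: ZERO /* placeholder */ },
  primaryType: "OrderComponents",
  message: {
    offerer: VICTIM, zone: ZERO, orderType: 0, startTime: "0", endTime: "1700000000",
    zoneHash: "0x" + "0".repeat(64), salt: "1", conduitKey: "0x" + "0".repeat(64), counter: "0",
    offer: [{ itemType: 2, token: "0x2222222222222222222222222222222222222222", // placeholder NFT contract
              identifierOrCriteria: "1234", startAmount: "1", endAmount: "1" }],
    consideration: [{ itemType: 0, token: ZERO, identifierOrCriteria: "0",
                      startAmount: "0", endAmount: "0", recipient: VICTIM }], // "sold" for 0 ETH
  },
};
```

A wallet or browser extension would run this on every `eth_signTypedData_v4` request and show the findings instead of the raw hex the article describes.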
Steps Taken By CertiK
In addition to warning the cryptocurrency community about this scam, blockchain security firm CertiK recently released a report on “ice phishing.” Scammers use this exploit to coerce Web3 users into signing permissions that give attackers access to their tokens. The scam, according to CertiK, poses a serious threat and is specific to the Web3 industry.
On December 17, an analyst brought up a scam involving the alleged theft of 14 Bored Ape NFTs using the gas-free Seaport signature feature. Following extensive social engineering, the hacker led the victim to a phony NFT platform before requesting that the holder sign a contract. This was followed by the theft of the victim’s wallet.