SNEAK PEEK
- Phishing sites disguise the private auction function as a mechanism to log in, tricking users into unintentionally giving out their NFTs.
- Anti-theft initiative Harpie alerted NFT users to a new attack involving gasless sales on the OpenSea platform.
- By leveraging the technology, hackers were able to steal millions of dollars in digital assets.
NFTs may be an innovation for both buyers and sellers, as well as for NFT markets. But doesn’t anything valuable attract a slew of con artists and fraudsters? The scenario is the same with NFTs. Scams involving NFTs are an issue for people all around the world. Although it is cost-effective, the NFT industry is not without risk of fraud.
In a statement, the anti-theft project Harpie informed NFT users of a new attack involving gasless sales on the OpenSea platform. According to Harpie, hackers were able to steal millions of dollars in digital assets by abusing the functionality.
Hackers have been able to steal NFTs like magic with a little-known OpenSea feature. It's the newest hack, and multiple millions in Apes have been lost to it already.
— Harpie (@harpieio) December 22, 2022
Users who want to perform gasless sales on the OpenSea platform must authorise a signature request with an unreadable message. Users can also use this capability to make private auctions with illegible signatures.
As a result, phishing websites have begun leveraging this functionality to request that their victims sign one of these illegible messages. According to Harpie, the signatures are frequently presented as a requirement for logging in and using the website.
However, the login messages are really signature requests for the fraudster to make a private sale of the victim’s NFTs for 0 Ether. If signed, the NFTs will be sent to the hacker’s wallet address. Several NFT marketplaces have come under fire after customers’ crypto and NFT collections were stolen. A lawsuit was launched against the largest NFT marketplace, OpenSea.
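As an added illustration (not code from Harpie, OpenSea, or the original article), the following JavaScript shows how a wallet or browser extension could triage a "log in" signature prompt of the kind described above, refusing anything the user cannot read. It assumes the prompt arrives as an Ethereum JSON-RPC request (`eth_sign`, `personal_sign`, or an `eth_signTypedData` variant); the names `triage` and `readableText` and all sample values are hypothetical.

```javascript
// Added example: wallet-side triage of signing requests (constructed code).
// Assumption: requests arrive as Ethereum JSON-RPC objects { method, params }.

// Return the message as text if a human could read it, otherwise null.
function readableText(data) {
  if (typeof data !== "string" || data.length === 0) return null;
  if (!/^0x/i.test(data)) return data;                 // plain text, not hex
  if (!/^0x([0-9a-f]{2})+$/i.test(data)) return null;  // malformed or empty hex
  const text = Buffer.from(data.slice(2), "hex").toString("utf8");
  // U+FFFD marks invalid UTF-8; control characters mean binary data, not prose.
  return /[\uFFFD\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/.test(text) ? null : text;
}

// Decide what the wallet should do with a "log in" signature prompt.
function triage(request) {
  const { method, params = [] } = request;
  if (method === "eth_sign") {
    // params: [address, data]. The data is an arbitrary blob, typically a
    // 32-byte hash, so the user cannot see what the signature authorises.
    return { action: "block", reason: "opaque data; could authorise a sale" };
  }
  if (method === "personal_sign") {
    // params: [data, address]. Acceptable only when the text can be displayed.
    const text = readableText(params[0]);
    return text === null
      ? { action: "block", reason: "message is not human-readable" }
      : { action: "show", text };
  }
  if (/^eth_signTypedData/.test(String(method))) {
    // Structured data can encode an order; show every field before signing.
    return { action: "review", reason: "typed data; display all fields" };
  }
  return { action: "block", reason: "unrecognised signing method" };
}

// Constructed sample requests (address and messages are made up).
const ADDRESS = "0x" + "11".repeat(20);
const toHex = (s) => "0x" + Buffer.from(s, "utf8").toString("hex");
const SAMPLES = {
  login: { method: "personal_sign", params: [toHex("Sign in to example.test\nNonce: 8f3a"), ADDRESS] },
  fakeLogin: { method: "eth_sign", params: [ADDRESS, "0x" + "ab".repeat(32)] },
  binary: { method: "personal_sign", params: ["0x" + "9c".repeat(32), ADDRESS] },
};

for (const [name, req] of Object.entries(SAMPLES)) {
  console.log(name, triage(req));
}
```

A genuine login prompt passes because its bytes decode to displayable text; the two opaque requests are refused regardless of how the site labels them.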