Attackers have found a new loophole to steal NFTs from OpenSea users through phishing websites. Harpie, an on-chain firewall and analyst, reports that multiple Bored Apes worth millions of dollars have been stolen through it.
The world’s biggest marketplace recently introduced a private auction feature with an unreadable signature message, allowing users to sell their NFTs without paying for gas. However, phishing attacks that abuse this feature are causing users much greater losses.
Because this auction shows unreadable messages, users sign the message on the website, thinking it is a login method, without double-checking whether it is legitimate. According to Harpie, the signature requested on phishing links is actually a private sale that transfers the NFTs to the attacker’s wallet for 0 ETH.
OpenSea hasn’t addressed the issue yet, so users must take their own safety measures to avoid becoming victims of this attack.
There has been rising concern over NFT scams and attacks. Recently, a scammer used one month of social engineering to manipulate Bored Ape owners and managed to steal 14 NFTs.
As the popularity of NFTs rises, scams are also becoming more complex; therefore, there’s a dire need for regulation and safety.