Harpie is alerting NFT users to a fresh trick used by hackers that involves gasless purchases on OpenSea. The platform claims that hackers have stolen Apes worth millions in the past few months.
Typically, users have to approve a signature request containing an unintelligible message to make gasless sales or create private auctions on the popular NFT marketplace OpenSea. Signatures are also frequently presented as a necessary step to log in and use the website.
Taking advantage of this technical loophole, phishing websites have begun asking victims to sign one of these incomprehensible messages without knowing what it authorizes.
The "login" messages that hackers send to victims are in fact signature requests asking the user to approve a private sale and the immediate transfer of assets to the hacker's account for free.
This phishing campaign, Harpie notes, has led to Apes worth millions being transferred from the popular NFT marketplace.
Web3 users should watch out for ice phishing
After a recent phishing attack on MetaMask, the blockchain security firm CertiK warned the cryptocurrency community about a practice it calls “ice phishing.”
Using this vulnerability, con artists get Web3 users to sign permissions that give the attackers the right to use their tokens. The fraud, according to CertiK, is exclusive to the Web3 industry and poses a severe danger.
On December 17, an analyst pointed out how a con artist reportedly stole 14 Bored Ape NFTs using the gasless Seaport signature function.
The hacker conducted extensive social engineering before leading the victim to a phony NFT platform and asking the victim to use their account to enter into a contract. The victim’s wallet was stolen after that.
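A wallet-side check for the pattern described above, as an added example that is not from Harpie, CertiK or OpenSea: it inspects a typed-data signing request and flags one that is really a Seaport sell order returning almost nothing to the signer. The field names assume Seaport's EIP-712 `OrderComponents` layout; the function name, the threshold and all addresses are constructed for illustration.

```javascript
// Added example: triage a typed-data signing request before the user approves it.
// Assumes Seaport's EIP-712 OrderComponents field names; addresses are constructed.
const NFT_TYPES = new Set([2, 3, 4, 5]); // ERC721, ERC1155 and their criteria variants
const lower = (a) => String(a).toLowerCase();
const minBig = (a, b) => (BigInt(a) < BigInt(b) ? BigInt(a) : BigInt(b));

function assessSignRequest(typedData, minProceeds = 10n ** 15n) {
  const msg = typedData.message || {};
  const isOrder = typedData.primaryType === "OrderComponents" &&
    (typedData.domain || {}).name === "Seaport";
  if (!isOrder) return { isSeaportOrder: false, risk: "unknown", reasons: [] };

  const reasons = ["request is a Seaport sell order, not a login message"];
  const offerer = lower(msg.offerer);
  const sellsNft = (msg.offer || []).some((i) => NFT_TYPES.has(Number(i.itemType)));
  let proceeds = 0n; // currency the signer would receive (heuristic: raw units summed)
  let privateSale = false;
  for (const c of msg.consideration || []) {
    const toSigner = lower(c.recipient) === offerer;
    const isNft = NFT_TYPES.has(Number(c.itemType));
    if (toSigner && !isNft) proceeds += minBig(c.startAmount, c.endAmount);
    if (!toSigner && isNft) privateSale = true; // NFT routed to a named buyer
  }
  if (privateSale) reasons.push("private sale: NFT is routed to a specific recipient");
  const free = sellsNft && proceeds < minProceeds;
  if (free) reasons.push(`signer receives ${proceeds} wei for the NFTs offered`);
  return { isSeaportOrder: true, risk: free ? "high" : "review", reasons, proceeds };
}

// Constructed sample: an NFT offered with 1 wei coming back to the signer.
const SIGNER = "0x1111111111111111111111111111111111111111";
const OTHER = "0x2222222222222222222222222222222222222222";
const COLLECTION = "0x3333333333333333333333333333333333333333";
const nft = { itemType: 2, token: COLLECTION, identifierOrCriteria: "1234",
  startAmount: "1", endAmount: "1" };
const sampleOrder = {
  primaryType: "OrderComponents",
  domain: { name: "Seaport", chainId: 1 },
  message: {
    offerer: SIGNER,
    offer: [nft],
    consideration: [
      { itemType: 0, token: "0x0000000000000000000000000000000000000000",
        identifierOrCriteria: "0", startAmount: "1", endAmount: "1", recipient: SIGNER },
      { ...nft, recipient: OTHER },
    ],
  },
};
console.log(assessSignRequest(sampleOrder));
```

The proceeds check sums raw token units across consideration items, so it is a coarse heuristic meant to surface near-zero payouts, not to price a listing.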