Hackers in the crypto ecosystem keep getting more inventive. They have understood that NFT holders are prime targets for their attacks, and every week new methods emerge to steal your precious cryptocurrencies.
NFTs: the domain of choice for hackers
NFTs were by far the most vibrant trend of the last bull run. What’s more, they have managed to spread beyond the boundaries of the cryptocurrency ecosystem.
This wider adoption has attracted many new users and, consequently, potential victims for hackers.
As a result, many types of scams related to the NFT ecosystem have emerged. In particular, Discord has been a prime venue for posting phishing links.
At the same time, many scams have flourished on Twitter with the aim of stealing cryptocurrencies and NFTs.
NFT airdrops: beware of scams
Of course, hackers are always looking for new ways to steal your cryptocurrencies.
For example, in early October, user @0xQuit revealed a new scam method through a Twitter thread.
“Some of you have received NFT airdrops with juicy WETH offers. Obviously, you’ve probably wondered if it’s safe to accept them. I still see a ton of misinformation floating around about this. Let’s clarify how these are scams and how they work.”
NFT airdrops and juicy offers
Many users have been surprised to receive a free NFT at their Ethereum address. If you are active in the NFT ecosystem, you probably assumed this was an airdrop from a project related to one of your NFTs.
However, this is a well-executed scam.
The attacker will generously send you an NFT from a new, previously unknown collection.
Some time after receiving this NFT, you will see a juicy offer to buy this NFT. Obviously, it is tempting to accept this offer and pocket the winnings.
Accepting the offer: real risk or distraction?
Obviously, the first question to ask is: what are the risks involved in accepting this offer?
The answer is surprising, to say the least: there is no risk.
“It is important to know that accepting a WETH offer can NEVER compromise you out of another NFT, unless that NFT has a terribly incompetent development team.”
To drain your wallet, the attacker must somehow obtain your approval. Accepting an OpenSea offer on one of your NFTs does not grant him the right to access your other NFTs.
So can you accept the offer and sell the NFT to the attacker? Yes, but no. These NFTs have a special design: if your wallet is not on a list of wallets specified in the collection’s contract, you are not able to sell the NFT. The NFT belongs to you, but the collection is built in such a way that you can’t sell it.
In reality, the airdrop of this NFT and the tempting offer are just a diversion to make you fall for the real scam.
Phishing scam: the classic case
The scam is not in the NFT or in the offer. These two elements are only there to get your attention: you will probably try to find out more about the project that sent you this NFT.
In addition, you may have noticed that you couldn’t accept the offer and are looking for a way to unblock the situation.
This is where the attacker hopes you fall for the scam. The trap is located in the description of the NFT collection, which can be read on the NFT’s OpenSea page. At the end of the description, a link offers more details about this surprising collection.
That’s where the scam starts. Once you are on the site, it requires a signature from the user to interact with the site. As you can imagine, this is the final step of the scam: the transaction is nothing more than a “setApprovalForAll” that would grant the attacker the right to take control of all your NFTs.
Caution is the mother of safety
As we have just seen, hackers find ways to lower our vigilance. In this case, the free NFT and the tempting offer serve exactly that purpose.
The tempting offer is created to generate curiosity on your part. Coupled with the lure of a potential gain, the attacker hopes that you will lower your guard and fall into his trap, which is nothing more than a simple phishing link.
As always, remain vigilant. It is essential to always check the type of transaction you are signing. If in doubt, do nothing and do some research beforehand.
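One way to check the type of transaction behind a signing prompt, as an added example that is not part of the original article or of @0xQuit's thread: the raw calldata of a “setApprovalForAll” call always begins with the selector 0xa22cb465, followed by the operator address and the approved flag. The helper name `inspectCalldata` and the sample operator address are assumptions constructed for illustration.

```javascript
// Added example: inspect raw calldata from a signing prompt before approving it.
// a22cb465 = first 4 bytes of keccak256("setApprovalForAll(address,bool)").
const SET_APPROVAL_FOR_ALL = "a22cb465";

// inspectCalldata is a hypothetical helper name, not a wallet or library API.
function inspectCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^([0-9a-f]{2})*$/.test(hex)) {
    return { kind: "invalid", warn: true, reason: "calldata is not valid hex" };
  }
  if (hex.slice(0, 8) !== SET_APPROVAL_FOR_ALL) {
    return { kind: "other", warn: false, reason: "not a setApprovalForAll call" };
  }
  // Arguments are two 32-byte ABI words: operator address, then approved flag.
  const args = hex.slice(8);
  if (args.length < 128) {
    return { kind: "setApprovalForAll", warn: true, reason: "truncated arguments" };
  }
  const operator = "0x" + args.slice(24, 64); // address = low 20 bytes of word 1
  const approved = !/^0+$/.test(args.slice(64, 128)); // any non-zero word = true
  return {
    kind: "setApprovalForAll",
    operator,
    approved,
    warn: approved,
    reason: approved
      ? "lets the operator move every token you hold in the target contract"
      : "revokes an operator approval",
  };
}

// Constructed sample: operator is a placeholder address, not a real attacker.
const SAMPLE_OPERATOR = "000000000000000000000000000000000000dead";
const SAMPLE_CALLDATA =
  "0xa22cb465" + "0".repeat(24) + SAMPLE_OPERATOR + "0".repeat(63) + "1";

console.log(inspectCalldata(SAMPLE_CALLDATA));
```

A result of kind "other" only means the calldata is not this particular call; it says nothing about whether the transaction is safe to sign.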
Phishing attacks are wreaking havoc in the NFT ecosystem. Between May and June 2022, hackers managed to steal as much as $22 million via phishing attacks on Discord alone.