OpenSea, the biggest NFT marketplace there is, constantly finds itself under threat from notorious cyber actors. A new kind of scam is looming over visitors to OpenSea: it offers ‘gasless sales’ on the platform and eventually redirects victims to phishing sites. Built on blockchain technology, NFTs are digital collectibles that hold financial value and could also be used in metaverses. Web3 scammers are known to have been invading the NFT sector to churn big profits from a single act of theft.
Harpie, the anti-theft platform, sounded an alert about this ongoing scam to warn OpenSea visitors browsing for NFTs, as well as buyers and sellers.
OpenSea has a feature for conducting gasless sales, in which NFT sellers can spare their buyers the platform fees by paying those fees themselves.
As part of the reportedly ongoing scam, hackers are tricking people into signing an unreadable message. Gasless NFTs are likely to attract first-time buyers signature request.
The same unreadable signatures, which are required for approving gasless transactions, also let users set up private auctions with custom prices.
“Phishing websites will ask victims to sign a harmless-looking ‘login signature’ to access their site. But this login signature is actually a request to private-sale your NFT for 0 ETH to the hacker’s address,” Harpie wrote in a Twitter post.
The platform also claimed that, in recent times, multiple ‘Apes’ NFTs, potentially from the Bored Ape Yacht Club collection, have been stolen out of OpenSea.
Hackers have been able to steal NFTs like magic with a little-known OpenSea feature. It’s the newest hack, and multiple millions in Apes have been lost to it already.
— Harpie (@harpieio) December 22, 2022
The exact number of NFTs stolen or users affected remains undisclosed.
As of now, OpenSea has not addressed Harpie’s concerns.
This is not the first time, however, that OpenSea has come face-to-face with a hack threat.
In February, at least 32 users of OpenSea lost their holdings worth $1.7 million (roughly Rs. 12.5 crore) to a phishing attack. The company, at the time, had claimed that the attack happened from outside the website, where attackers lured users into malicious agreements.
In August, OpenSea decided to involve police officials in theft cases of all magnitudes, rather than only in cases with escalated disputes.
The change was aimed at ensuring that users are safeguarded against the risks of mistakenly buying stolen digital collectibles.