The NFT marketplace OpenSea was hit by a phishing attack, in which hackers stole non-fungible tokens from the Bored Ape Yacht Club (BAYC) collection worth several million dollars. Harpie, a project that tracks on-chain theft, reported this.
Researchers say the breach is linked to the ability to sell NFTs without paying a commission.
To execute such a transaction, users must approve a signature request with an unreadable message. This same feature also enables private auctions with non-standard pricing.
Hackers create phishing sites that ask the visitor to sign an unreadable message under the pretense of logging in. In effect, by signing, the user consents to a private sale of the NFT to the fraudster for 0 ETH.
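A wallet-side check against the "unreadable login message" lure described above can be sketched as follows. This is an added example, not code from OpenSea, Harpie or any wallet. The article does not name the signing method involved, so the example assumes requests arrive as the Ethereum JSON-RPC calls `personal_sign` or `eth_sign`; the function names and sample requests are hypothetical.

```javascript
// Added example, not OpenSea or wallet-vendor code. Request shapes follow the
// Ethereum JSON-RPC methods eth_sign and personal_sign; names are hypothetical.
const HEX_RE = /^0x(?:[0-9a-fA-F]{2})+$/;

// Decode bytes as strict UTF-8; return null unless the result is printable text.
function decodeReadable(bytes) {
  let text;
  try {
    text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
  } catch {
    return null; // invalid UTF-8: binary data such as a hash
  }
  const printable = /^[\x20-\x7E\r\n\t\u00A0-\uFFFF]+$/.test(text);
  const looksLikeDigest = /^(0x)?[0-9a-fA-F]{64}$/.test(text.trim());
  return printable && !looksLikeDigest ? text : null;
}

// Decide what a wallet UI should do with a dApp's signing request.
function triageSigningRequest({ method, params }) {
  if (method === "eth_sign") {
    // params: [address, data]. Policy assumed here: never treat this as a login.
    return { verdict: "block", reason: "raw data signature, not a readable login message" };
  }
  if (method === "personal_sign") {
    const data = params[0]; // params: [data, address]
    if (typeof data !== "string" || !HEX_RE.test(data)) {
      return { verdict: "block", reason: "malformed payload" };
    }
    const text = decodeReadable(Buffer.from(data.slice(2), "hex"));
    return text === null
      ? { verdict: "block", reason: "payload is not human-readable text" }
      : { verdict: "show", text };
  }
  return { verdict: "review", reason: "method not covered by this check" };
}

// Constructed sample requests (addresses and payloads are made up).
const ADDR = "0x" + "11".repeat(20);
const LOGIN_TEXT = "Sign in to example.org\nNonce: 48151623";
const loginRequest = {
  method: "personal_sign",
  params: ["0x" + Buffer.from(LOGIN_TEXT, "utf8").toString("hex"), ADDR],
};
const opaqueRequest = { method: "personal_sign", params: ["0x" + "ff".repeat(32), ADDR] };
const rawRequest = { method: "eth_sign", params: [ADDR, "0x" + "ff".repeat(32)] };

for (const r of [loginRequest, opaqueRequest, rawRequest]) {
  console.log(r.method, triageSigningRequest(r).verdict);
}
```

Only the first sample, a genuine text login prompt, reaches the user; both opaque payloads are refused before a signature can be produced.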
“Hackers were able to steal NFTs using a little-known OpenSea feature. This is the latest hack, and millions of Apes have already been lost because of it,” Harpie said.
In August, Immunefi bug-bounty researchers valued the 143 BAYC tokens that OpenSea had flagged for suspicious activity at $13.58 million.
