A new threat has appeared on OpenSea. Hackers scam NFTs under the guise of private auctions

Analysts from Harpie have described a new trick used by hackers.
They use an unreadable signature request to swindle tokens on OpenSea.
Several million NFTs have already been stolen.

Yesterday, December 22, the experts of the “first on-chain firewall” Harpie issued a warning to users of the OpenSea marketplace. Cases in which hackers lure out NFTs under the guise of private auctions have become more frequent on the site. According to Harpie, the attackers have obtained “millions” of tokens this way. The exact amount of damage is unknown, but it is in the tens of millions of dollars. The essence of the fraud is simple.

The criminals built their scheme around the gas-free sale function in the marketplace's smart contract. To carry out such a sale, the user must approve a signature request. The problem is that the text of the request is unreadable, so nothing about what is being approved is clear from it.

At first glance, such a request looks like a harmless authorization. It is not. By clicking “Sign”, the user confirms the transfer of the NFT to the attacker for 0 ETH. This is possible because the function is available for private auctions, whose organizers can set any price for the token. This is how the criminals “pumped out” millions of NFTs.

Avoiding the trick is quite simple: be very careful about each signature request. Moreover, phishing cases have become more frequent. We talked about another popular scheme recently.
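
What a careful look at a signature request can check, as an added example (not code from the article, Harpie or OpenSea): a pre-sign triage that flags unreadable hash requests and readable orders that hand over an NFT while paying the signer nothing. It assumes Ethereum JSON-RPC signing methods and a Seaport-style order layout, neither of which the article names; the function name, finding labels and sample requests are constructed for illustration.

```javascript
// Added example, not from the article. Assumptions: requests are Ethereum
// JSON-RPC signing calls; readable orders use Seaport-style offer/consideration.
const NFT_TYPES = new Set([2, 3, 4, 5]); // ERC721, ERC1155 and criteria variants
const lc = (a) => String(a).toLowerCase();
const minAmount = (i) => {
  const s = BigInt(i.startAmount), e = BigInt(i.endAmount);
  return s < e ? s : e; // worst case for the seller if the price changes over time
};

function triageSignRequest(req) {
  if (req.method === "eth_sign") {
    // params: [address, 32-byte hash]; the wallet can only display hex.
    return ["opaque-hash"];
  }
  if (req.method === "personal_sign") {
    // params: [message, address]; a bare 32-byte value is just as unreadable.
    return /^0x[0-9a-fA-F]{64}$/.test(String(req.params[0])) ? ["opaque-hash"] : [];
  }
  if (req.method !== "eth_signTypedData_v4") return ["unknown-method"];
  const signer = lc(req.params[0]);
  const raw = req.params[1];
  const order = (typeof raw === "string" ? JSON.parse(raw) : raw).message || {};
  const findings = [];
  const givesNft = (order.offer || []).some((i) => NFT_TYPES.has(Number(i.itemType)));
  let paidToSigner = 0n; // wei or token units owed to the signer
  for (const c of order.consideration || []) {
    const isNft = NFT_TYPES.has(Number(c.itemType));
    // A private sale names its buyer by routing the NFT to a fixed recipient.
    if (isNft && lc(c.recipient) !== signer) findings.push("nft-routed-to:" + lc(c.recipient));
    if (!isNft && lc(c.recipient) === signer) paidToSigner += minAmount(c);
  }
  if (givesNft && paidToSigner === 0n) findings.unshift("zero-price-sale");
  return findings;
}

// Constructed sample requests (addresses and token ids are made up).
const ME = "0x" + "a".repeat(40), OTHER = "0x" + "b".repeat(40), NFT = "0x" + "c".repeat(40);
const nft = { itemType: 2, token: NFT, identifierOrCriteria: "7", startAmount: "1", endAmount: "1" };
const eth = (wei) => ({ itemType: 0, token: "0x" + "0".repeat(40), identifierOrCriteria: "0", startAmount: wei, endAmount: wei, recipient: ME });
const typed = (consideration) => ({ method: "eth_signTypedData_v4", params: [ME, JSON.stringify({ primaryType: "OrderComponents", message: { offerer: ME, offer: [nft], consideration } })] });
const SAMPLES = {
  blindHash: { method: "eth_sign", params: [ME, "0x" + "1f".repeat(32)] },
  zeroPricePrivate: typed([{ ...nft, recipient: OTHER }]),
  normalListing: typed([eth("1000000000000000000")]),
};
for (const [name, req] of Object.entries(SAMPLES)) console.log(name, triageSignRequest(req));
```

An empty result only means none of these two patterns matched; it is not a verdict that the request is safe to sign.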