How to avoid NFT Phishing Hacks — Bored Ape Yacht

Introduction

On April 25, 2022, Bored Ape Yacht Club's official Instagram account was hacked. The attacker used it to post a link to a fake airdrop site; users who connected their wallet and signed the transaction the site requested lost 91 NFTs in total.

The 91 stolen NFTs were worth at least $2.8 million. The phishing campaign specifically targeted Bored Ape Yacht Club owners, and it was carried out through the club's official Instagram account rather than through a look-alike one.

In this article we cover two attack vectors typical of NFT phishing websites, and how you can recognise them in the MetaMask confirmation dialog (and hopefully avoid them).

Method 1 — Using Approve Directly

Approve

Both the token interface (ERC-20) and the NFT interface (ERC-721) expose an approve function. Calling approve(spender, tokenId) gives another address an allowance to use that NFT. Once the approval is mined, the approved address can call transferFrom and move the token out of your wallet on your behalf, at any later time, with no further signature from you. ERC-721 also has setApprovalForAll(operator, true), which grants the same power over every token you own in that collection, including ones you receive later.
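To make the consequence of an approval concrete, here is an added example (not code from the article or from any real NFT contract): an in-memory model of the ERC-721 authorization rules, following the checks of the OpenZeppelin reference implementation. Addresses are plain strings and the `caller` argument stands in for msg.sender; both are assumptions of the toy model.

```javascript
// Added example, not code from the article or from any real NFT contract: an
// in-memory model of the ERC-721 authorization rules (approve, setApprovalForAll,
// transferFrom). "caller" plays the role of msg.sender; addresses are plain strings.
class ToyERC721 {
  constructor() {
    this.owners = new Map();         // tokenId -> owner
    this.tokenApprovals = new Map(); // tokenId -> single approved address (approve)
    this.operators = new Map();      // owner -> Set of operators (setApprovalForAll)
  }
  mint(to, tokenId) { this.owners.set(tokenId, to); }
  ownerOf(tokenId) {
    if (!this.owners.has(tokenId)) throw new Error("ERC721: invalid token ID");
    return this.owners.get(tokenId);
  }
  isApprovedForAll(owner, operator) {
    return this.operators.has(owner) && this.operators.get(owner).has(operator);
  }
  // approve(to, tokenId): only the owner (or an operator of the owner) may call it
  approve(caller, to, tokenId) {
    const owner = this.ownerOf(tokenId);
    if (caller !== owner && !this.isApprovedForAll(owner, caller)) {
      throw new Error("ERC721: approve caller is not token owner or approved for all");
    }
    this.tokenApprovals.set(tokenId, to);
  }
  // setApprovalForAll(operator, approved): covers every token the caller owns, now and later
  setApprovalForAll(caller, operator, approved) {
    if (!this.operators.has(caller)) this.operators.set(caller, new Set());
    const set = this.operators.get(caller);
    if (approved) set.add(operator); else set.delete(operator);
  }
  // The check every transfer path runs (_isApprovedOrOwner in OpenZeppelin)
  isApprovedOrOwner(spender, tokenId) {
    const owner = this.ownerOf(tokenId);
    return spender === owner
      || this.tokenApprovals.get(tokenId) === spender
      || this.isApprovedForAll(owner, spender);
  }
  transferFrom(caller, from, to, tokenId) {
    if (!this.isApprovedOrOwner(caller, tokenId)) throw new Error("ERC721: caller is not token owner or approved");
    if (this.ownerOf(tokenId) !== from) throw new Error("ERC721: transfer from incorrect owner");
    this.tokenApprovals.delete(tokenId); // a transfer clears the per-token approval
    this.owners.set(tokenId, to);
  }
}

// true if fn throws (the contract reverted)
function reverts(fn) { try { fn(); return false; } catch { return true; } }

// Method 1 as the article describes it: the victim signs one approve transaction,
// and the attacker (not the victim) later sends the transfer.
function approveScenario() {
  const nft = new ToyERC721();
  const victim = "0xVICTIM", attacker = "0xATTACKER"; // constructed placeholder addresses
  nft.mint(victim, 1234);
  const blockedBefore = reverts(() => nft.transferFrom(attacker, victim, attacker, 1234));
  nft.approve(victim, attacker, 1234);                // the transaction the phishing site asked for
  nft.transferFrom(attacker, victim, attacker, 1234); // the attacker's own transaction, any time later
  return { blockedBefore, ownerAfter: nft.ownerOf(1234) };
}

// The broader form: one setApprovalForAll signature exposes every token in the
// collection, and revoking it (approved = false) is what stops further transfers.
function approvalForAllScenario() {
  const nft = new ToyERC721();
  const victim = "0xVICTIM", attacker = "0xATTACKER";
  [1, 2, 3].forEach((id) => nft.mint(victim, id));
  nft.setApprovalForAll(victim, attacker, true);
  nft.transferFrom(attacker, victim, attacker, 1);
  nft.transferFrom(attacker, victim, attacker, 2);
  nft.setApprovalForAll(victim, attacker, false);     // revocation by the victim
  const blockedAfterRevoke = reverts(() => nft.transferFrom(attacker, victim, attacker, 3));
  return { lost: [1, 2].map((id) => nft.ownerOf(id)), blockedAfterRevoke, stillOwned: nft.ownerOf(3) };
}
```

The point the model makes is that the transfer is a separate transaction sent by the attacker: nothing in the approve call itself moves the token, which is why it looks harmless in the wallet, and why revoking a stale approval matters even after you close the phishing site.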

The Attack

In this method the phishing site asks you to sign a transaction that approves the attacker's wallet to access your NFT. The transaction is sent to the genuine NFT contract, so nothing is wrong at the contract level; the only thing that is wrong is the spender address, and the theft happens later, in a transaction the attacker sends himself.

Detection on Metamask

MetaMask decodes the function being called and shows its name in the confirmation dialog (for example "Approve" or "Set Approval For All"), together with the address being approved. A site that claims to give you an airdrop has no reason to ask for an approval over NFTs you already own. If the approved address is not a marketplace you deliberately chose to use, reject the transaction.

A real example

The method used by most phishing websites is quite basic. The attacker wallet and one of the phishing transactions can be inspected on Etherscan:

The attacker wallet: https://etherscan.io/address/0x8c7934611b6ad70fbea13a1593de167a4689b9a9

Phishing tx: https://etherscan.io/tx/0x2eb0526a58bfcc91b3e554d8f82bef12c9e70efc5414177d5fdbca095a8b3ef2

Method 2 — Using SafeTransferFrom Directly

safeTransferFrom / safeTransfer

safeTransferFrom(from, to, tokenId) moves the NFT to the `to` address in the same transaction. When `to` is the attacker's wallet there is no approval step at all: the transaction you sign is itself the transfer. Whether the contract exposes it as safeTransferFrom or through a safeTransfer wrapper, the effect is the same.

The Attack

In this method the phishing site asks you to sign a safeTransferFrom (or safeTransfer) call whose recipient is the attacker. There is nothing to revoke afterwards: once the transaction is mined, the NFT is already gone.

Detection on Metamask

The confirmation dialog shows "Safe Transfer From" (or "Transfer From") as the method, and the transaction targets the NFT contract itself rather than an airdrop or claim contract. A legitimate mint or airdrop never requires you to transfer an NFT you already hold, so a transfer call coming from a site that promised to give you something is a red flag on its own. Check the recipient parameter: it should be an address you control.
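The two "Detection on Metamask" sections above both come down to the same question: which function does the pending transaction call, and which address ends up in control of the NFT? The following added example (not code from the article, and not MetaMask's own code) does what the wallet does under the hood: it decodes the calldata by its 4-byte function selector and flags the ERC-721 calls the two methods rely on. The selectors are the standard ERC-721 values; the victim, attacker and marketplace addresses, the sample calldata and the risk labels are constructed for the demo.

```javascript
// Added example, not code from the article or from MetaMask: decode a pending
// transaction's calldata by function selector and flag the ERC-721 calls that
// NFT phishing sites rely on. Selectors are the first 4 bytes of keccak256(signature).
const SELECTORS = {
  "095ea7b3": { sig: "approve(address,uint256)",                        types: ["address", "uint256"] },
  "a22cb465": { sig: "setApprovalForAll(address,bool)",                 types: ["address", "bool"] },
  "23b872dd": { sig: "transferFrom(address,address,uint256)",           types: ["address", "address", "uint256"] },
  "42842e0e": { sig: "safeTransferFrom(address,address,uint256)",       types: ["address", "address", "uint256"] },
  "b88d4fde": { sig: "safeTransferFrom(address,address,uint256,bytes)", types: ["address", "address", "uint256", "bytes"] },
};

// Minimal ABI decoding of the static head: one 32-byte word (64 hex chars) per parameter.
function decodeWord(type, word) {
  if (type === "address") return "0x" + word.slice(24);   // last 20 bytes
  if (type === "uint256") return BigInt("0x" + word);
  if (type === "bool") return BigInt("0x" + word) !== 0n;
  return "0x" + word; // dynamic types: the head word is an offset, not needed here
}
function decodeCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const entry = SELECTORS[hex.slice(0, 8)];
  if (!entry || hex.length < 8 + 64 * entry.types.length) return { sig: null, args: [] };
  const args = entry.types.map((t, i) => decodeWord(t, hex.slice(8 + 64 * i, 72 + 64 * i)));
  return { sig: entry.sig, args };
}

// The question the user needs answered before signing: who gains control of my NFT?
// trustedOperators: contracts you deliberately use (e.g. a marketplace); everything else is high risk.
function inspect(data, me, trustedOperators = new Set()) {
  const { sig, args } = decodeCalldata(data);
  if (!sig) return { sig, risk: "unknown", counterparty: null, reason: "unrecognised or malformed calldata; read the contract before signing" };
  const name = sig.slice(0, sig.indexOf("("));
  if (name === "approve") {
    const [spender, tokenId] = args;
    return { sig, risk: trustedOperators.has(spender) ? "medium" : "high", counterparty: spender,
             reason: `lets ${spender} move token ${tokenId} out of your wallet at any later time` };
  }
  if (name === "setApprovalForAll") {
    const [operator, approved] = args;
    if (!approved) return { sig, risk: "low", counterparty: operator, reason: `revokes operator ${operator}` };
    return { sig, risk: trustedOperators.has(operator) ? "medium" : "high", counterparty: operator,
             reason: `lets ${operator} move EVERY token you own in this collection` };
  }
  const [from, to, tokenId] = args; // transferFrom / safeTransferFrom
  if (to === me.toLowerCase()) return { sig, risk: "low", counterparty: to, reason: `moves token ${tokenId} to you` };
  return { sig, risk: "high", counterparty: to,
           reason: `moves token ${tokenId} from ${from} to ${to} in this very transaction; nothing to revoke afterwards` };
}

// Helpers to construct sample calldata for the demo (constructed, not real transactions).
const pad32 = (h) => h.replace(/^0x/, "").toLowerCase().padStart(64, "0");
const encodeArg = (a) => typeof a === "bigint" ? pad32(a.toString(16)) : typeof a === "boolean" ? pad32(a ? "1" : "0") : pad32(a);
const encodeCall = (selector, args) => "0x" + selector + args.map(encodeArg).join("");

const ME       = "0x1111111111111111111111111111111111111111"; // constructed victim address
const ATTACKER = "0x2222222222222222222222222222222222222222"; // constructed attacker address
const MARKET   = "0x3333333333333333333333333333333333333333"; // constructed marketplace operator
const TRUSTED  = new Set([MARKET]);

const SAMPLES = {
  approveAttacker:        encodeCall("095ea7b3", [ATTACKER, 1234n]),       // Method 1
  approveAllAttacker:     encodeCall("a22cb465", [ATTACKER, true]),        // Method 1, whole collection
  revokeAttacker:         encodeCall("a22cb465", [ATTACKER, false]),       // cleanup after the fact
  safeTransferToAttacker: encodeCall("42842e0e", [ME, ATTACKER, 1234n]),   // Method 2
  listOnMarket:           encodeCall("a22cb465", [MARKET, true]),          // a normal marketplace listing
};
function inspectSamples() {
  const out = {};
  for (const [label, data] of Object.entries(SAMPLES)) out[label] = inspect(data, ME, TRUSTED);
  return out;
}
```

Run `inspectSamples()` and the two phishing shapes come back as high risk with the attacker address as the counterparty, the revocation as low risk, and the marketplace listing as medium: an approval is never free of risk, it is only acceptable when you chose the operator yourself.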

Summary

Always make sure you understand the consequences and side effects of an operation before confirming it in MetaMask: which function is being called, and which address ends up with control of, or possession of, your NFT. Also check the contract and the addresses involved on Etherscan. In both methods above the transaction targets the genuine NFT contract, so what you have to inspect is the spender or recipient parameter; a freshly created address with no history is a strong warning sign. Where a phishing site has you interact with a contract of its own instead, that contract will in most cases not be verified on Etherscan, so you cannot read what it does, and that alone is a reason not to sign.

About Solid Group

Solid Group is a blockchain consulting and auditing service provider founded by cybersecurity experts with a great passion for the cryptocurrency world. We are known for our exceptional out of the box thinking, experience, and our credibility among the community. Throughout our work, our team was able to discover many high severity issues & vulnerabilities. We work with leading companies in the field, helping them increase their resilience through tailored services and solutions.

‌Solid Group provides ALL IN ONE ICO SOLUTION -

  • audited token generator (generate your own token with NO CODING KNOWLEDGE)
  • sniper bot protection tool
  • Smart contract auditing service

🌍 solidgrp.io | 🐦 Twitter | 📣 Telegram Group | ✉️ info@solidgrp.io
