In a double whammy for the blockchain community, two phishing attacks targeting non-fungible tokens (NFTs) have been reported today. PeckShieldAlert reports the theft of 7,304 Meebits and 185 CryptoPhunks in a brazen phishing attack. The assailant, operating under the moniker ‘Fake_Phishing187019’, successfully executed the heist on the Blur platform.
#PeckShieldAlert #Phishing #NFT #Meebits #7304 and #CryptoPhunks #185 have been stolen by #Fake_Phishing187019 on #Blur pic.twitter.com/SPFzxNykgo
— PeckShieldAlert (@PeckShieldAlert) December 19, 2023
The stolen NFTs, valued for their uniqueness and rarity, are now under the control of the malicious actor, leaving their original owners in despair. Simultaneously, PeckShieldAlert reported an ongoing attack utilizing ERC2771 and multiple techniques. This sophisticated assault has already claimed 85 0XLBOTS and 152 CypherpunkZero NFTs.
#PeckShieldAlert We’re observing an ongoing ERC2771 + multicall attack targeting #NFTs in the wild.
It has already stolen 85 #0XLBOTS and 152 #CypherpunkZero. pic.twitter.com/05IrYt2pXH— PeckShieldAlert (@PeckShieldAlert) December 19, 2023
The scale and precision of the attack have raised concerns within the blockchain community, prompting heightened security measures across various NFT platforms.
NFT Phishing Schemes on The Rise
Adding to the situation’s complexity, the attacks come on the heels of an incident just a day ago. Several Bored Apes and Pudgy Penguins fell victim to an abuse of the Floor Protocol, leading to their unlawful acquisition by a wallet linked to a phishing scheme. The compromise in the NFT protocol, attributed to an improper contract update initiated by the NFT marketplace founder known as “foobar,” paved the way for this exploit.
In an effort to rectify the situation, “foobar” has identified the wallet housing the stolen Bored Apes and Pudgy Penguins on etherscan. The implications of this security lapse underscore the vulnerabilities within the NFT ecosystem, emphasizing the need for a robust and proactive approach to cybersecurity.
vuln was bad upgrade 11 days ago that allowed multicalling to external contracts
simple: nftContract.transferFrom(nftHolder, me, tokenId)
and bc nftHolder approved flooring, it would succeed
left image is safe internal multicall
right image is unsafe external multicall pic.twitter.com/gEHHZyLzDc— foobar (@0xfoobar) December 17, 2023
As the blockchain community grapples with these successive incidents, stakeholders are urged to remain vigilant and prioritize security measures to safeguard the integrity of the rapidly growing NFT space. PeckShieldAlert continues to monitor the situation closely and advises users to exercise caution in their transactions to mitigate the risks posed by malicious actors.
