In a double blow to the blockchain community, two phishing attacks targeting non-fungible tokens (NFTs) were reported today. PeckShieldAlert reports that Meebits #7304 and CryptoPhunks #185 were stolen in a phishing attack (the tweet below gives the token IDs, not counts). The attacker's address, tagged ‘Fake_Phishing187019’ on the explorer, moved the tokens through the Blur marketplace.
#PeckShieldAlert #Phishing #NFT #Meebits #7304 and #CryptoPhunks #185 were stolen by #Fake_Phishing187019 on #Blur pic.twitter.com/SPFzxNykgo
— PeckShieldAlert (@PeckShieldAlert) December 19, 2023
The stolen NFTs are now held by the attacker's address, and their owners have no on-chain recourse. At the same time, PeckShieldAlert reported a separate, ongoing attack that combines ERC-2771 meta-transaction forwarding with Multicall. Contracts that inherit both resolve the acting address from the last 20 bytes of calldata whenever the trusted forwarder is the caller, and a forwarded multicall lets the attacker supply those 20 bytes for each inner call, so the contract acts on behalf of any address the attacker names. This attack has already claimed 85 0XLBOTS and 152 CypherpunkZero NFTs.
#PeckShieldAlert We are observing an ongoing ERC2771+ multicall attack targeting #NFTs in the wild.
It has already stolen 85 #0XLBOTS and 152 #CypherpunkZero. pic.twitter.com/05IrYt2pXH— PeckShieldAlert (@PeckShieldAlert) December 19, 2023
The scale and precision of the attack have raised concerns within the blockchain community, leading to increased security measures on several NFT platforms.
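The mechanism behind the "ERC2771 + multicall" alert, as an added example that is not part of PeckShield's report and not code from OpenZeppelin or any deployed contract: a plain-Python model of the two contract pieces (ERC2771Context's _msgSender() and Multicall's delegatecall-to-self loop) and of the remedy OpenZeppelin shipped in December 2023, which re-appends the outer call's genuine sender suffix to every inner call. The forwarder, the addresses and the function selector are constructed; the real forwarder also verifies a signature, which is elided here.

```python
# Model of the ERC-2771 + Multicall sender-spoofing pattern (added example; not
# code from the page, OpenZeppelin, or any real contract). Two pieces are imitated:
#   ERC2771Context._msgSender(): when msg.sender is the trusted forwarder, the
#     acting address is the last 20 bytes of msg.data (the forwarder appends it).
#   Multicall.multicall(bytes[] data): each entry runs via
#     delegatecall(address(this), data[i]), which keeps msg.sender and makes
#     data[i] the inner call's msg.data. Solidity's ABI decoder ignores trailing
#     bytes, which is why a 20-byte suffix can ride along at all.
# Addresses and the selector are constructed values.

TRUSTED_FORWARDER = b"\x0f" * 20
VICTIM = b"\x22" * 20
ATTACKER = b"\x33" * 20
TRANSFER_SELECTOR = b"\xaa\xbb\xcc\xdd"   # stands in for a selector such as transferFrom


def resolve_msg_sender(msg_sender: bytes, msg_data: bytes) -> bytes:
    """ERC2771Context._msgSender(): trust the calldata suffix only when the
    trusted forwarder is the direct caller; otherwise msg.sender is authoritative."""
    if msg_sender == TRUSTED_FORWARDER and len(msg_data) >= 20:
        return msg_data[-20:]
    return msg_sender


def privileged_action(msg_sender: bytes, msg_data: bytes) -> bytes:
    """Any function that acts for _msgSender() (transfer, approve, ...).
    Returns the address it believed it was acting for."""
    return resolve_msg_sender(msg_sender, msg_data)


def forwarder_call(signer: bytes, request_data: bytes) -> tuple[bytes, bytes]:
    """Model of the trusted forwarder: after checking the signer's meta-tx
    signature (elided), it calls the target with the signer's address appended."""
    return TRUSTED_FORWARDER, request_data + signer


def multicall_vulnerable(msg_sender: bytes, msg_data: bytes, calls: list[bytes]) -> list[bytes]:
    """Pre-fix Multicall: each inner call sees the caller-supplied bytes unchanged,
    so the inner _msgSender() returns whatever 20 bytes the caller placed last."""
    return [privileged_action(msg_sender, data) for data in calls]


def multicall_fixed(msg_sender: bytes, msg_data: bytes, calls: list[bytes]) -> list[bytes]:
    """Patched Multicall: when the trusted forwarder is the caller, re-append the
    outer call's genuine sender suffix to every inner call, so the inner
    _msgSender() resolves to the forwarded signer rather than to attacker-chosen bytes."""
    suffix = msg_data[-20:] if msg_sender == TRUSTED_FORWARDER else b""
    return [privileged_action(msg_sender, data + suffix) for data in calls]


def attacker_payload() -> list[bytes]:
    """One inner call whose arguments are elided and whose last 20 bytes are VICTIM."""
    return [TRANSFER_SELECTOR + b"\x00" * 32 + VICTIM]


def forwarded_attack(multicall) -> list[bytes]:
    """ATTACKER signs a meta-tx wrapping the payload; the forwarder appends ATTACKER."""
    inner_calls = attacker_payload()
    msg_sender, msg_data = forwarder_call(ATTACKER, b"multicall" + b"".join(inner_calls))
    return multicall(msg_sender, msg_data, inner_calls)


def direct_attack(multicall) -> list[bytes]:
    """Same payload sent directly, not through the forwarder: the suffix is ignored."""
    inner_calls = attacker_payload()
    return multicall(ATTACKER, b"multicall" + b"".join(inner_calls), inner_calls)


if __name__ == "__main__":
    print("vulnerable, forwarded:", forwarded_attack(multicall_vulnerable) == [VICTIM])   # True: spoofed
    print("fixed, forwarded:    ", forwarded_attack(multicall_fixed) == [ATTACKER])      # True: real signer
    print("vulnerable, direct:  ", direct_attack(multicall_vulnerable) == [ATTACKER])    # True: forwarder required
```

The third case is the practical check for a defender: the bug is only reachable through the trusted forwarder, so for a given contract the question is whether it inherits both mixins and whether its forwarder accepts arbitrary signed requests, not whether it exposes multicall at all.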
NFT phishing schemes are on the rise
What further complicates the situation is that the attacks follow an incident that occurred just a day earlier. Several Bored Apes and Pudgy Penguins were pulled from holders' wallets through Floor Protocol and ended up in a wallet linked to a phishing scheme. The protocol's founder, who posts as ‘foobar’, attributed the flaw to a contract upgrade eleven days earlier that allowed Floor's multicall to call external contracts: because holders had approved Floor's contract to move their NFTs, any caller could route a transferFrom through it and the NFT contract would accept the approved operator as the caller.
In an attempt to rectify the situation, foobar has identified the wallet holding the stolen Bored Apes and Pudgy Penguins on Etherscan. The lapse underscores that an approval granted to a protocol contract is only as safe as every code path that can make that contract act, and that a routine upgrade can widen those paths.
vuln was a bad upgrade 11 days ago that allowed multicalling to external contracts
simple: nftContract.transferFrom(nftHolder, i, tokenId)
and bc nftHolder approved floors, it would work
left image is secure internal multicall
right image is unsafe remote multicall pic.twitter.com/gEHHZyLzDc— foobar (@0xfoobar) December 17, 2023
As the blockchain community grapples with these back-to-back incidents, stakeholders are urged to remain vigilant and prioritize security measures to protect the integrity of the fast-growing NFT space. PeckShieldAlert continues to monitor the situation closely and advises users to exercise caution in their transactions to limit the risks from malicious actors.