NFT Traders, Beware of Social Engineering Hacks
Holders of blue-chip non-fungible tokens (NFTs) have long been targets of various types of attacks given the value of their possessions – and now scammers seem to have found new loopholes to take advantage of.
A popular vector of attack for scammers has so far been malicious links, where scammers hack into a project’s social platforms and publish phishing links – as previously happened to Solana-based NFT collection Monkey Kingdom.
However, more recently, there seems to be a trend where scammers try to exploit loopholes in the UX (user experience) / UI (user interface) design of NFT platforms to steal valuable collectibles from potential users.
Just earlier this year, scammers were able to exploit an issue related to the UI design of major NFT marketplace OpenSea to buy NFTs for old listing prices, which were far below the collection’s floor price.
In a similar manner, a Bored Ape Yacht Club (BAYC) NFT holder recently lost three of their valuable NFTs largely due to the poor UI/UX design of an NFT platform.
The pseudonymous 0xQuit took to Twitter to reveal the details of how user “s27,” who entered into a direct swap trade using Swapkiwi, a peer-to-peer NFT swapping platform, fell victim to a scam.
Apparently, s27 had agreed to swap BAYC #1584 and two Mutant Ape derivatives (#13168 and #13169), cumulatively worth over USD 560,000 at the current floor price, for another user’s BAYC #4424, #5406, and #2007 – except that these BAYC NFTs were simply knock-offs.
6/ Well, the hacker used that to his advantage. Here are the apes that s27 received in return: https://t.co/08bubCsCpL https://t.co/pIgu3mRGVY https://t.co/r3svn1PAqo You'll see that each has the green check added directly to the image. pic.twitter.com/qc6E3bGibg — quit (👀,🦄) (@0xQuit) April 5, 2022
Swapkiwi does display verified NFTs with a checkmark, but the checkmark appears within the image. Taking advantage of this, the scammer photoshopped fake JPEGs to place a checkmark on them, making them look like verified BAYC NFTs.
“The scammer added these checkmarks to the knock-off NFTs exclusively to make them appear legitimate on swapkiwi,” 0xQuit said, adding:
“Furthermore, there’s no immediately apparent way to click through to view the asset or the asset contract, making it unnecessarily burdensome to verify the assets.”
The incident has some lessons for NFT traders. In the first place, if “it sounds too good to be true, it probably is,” 0xQuit said, noting that it is very unlikely for a user to swap three BAYC NFTs for a BAYC and two mutant apes, which are significantly cheaper than the original collection.
Moreover, NFT traders need to verify everything independently. In other words, assume “everybody is out to get you.”
While Swapkiwi does not offer a direct way to view the asset contract, traders can use blockchain explorers like Etherscan to check which contract an asset belongs to and confirm that it is genuine.
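The two points above, that a checkmark drawn into the image is just pixels and that verification belongs at the contract address on Etherscan, as an added example in JavaScript that is not Swapkiwi's code: it ignores any badge in the image, decides solely on a contract-address allowlist, and flags the "too good to be true" imbalance of the s27 swap. All contract addresses, floor prices and the reconstructed offer are constructed placeholders.

```javascript
// Added example, not Swapkiwi's code. Every address, name and floor price
// below is a constructed placeholder.
const VERIFIED_COLLECTIONS = {
  "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": { name: "Bored Ape Yacht Club", floorEth: 100 },
  "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": { name: "Mutant Ape Yacht Club", floorEth: 25 },
};

// Contract addresses are compared case-insensitively; anything that is not a
// well-formed 20-byte hex address is treated as unverifiable.
function normalizeAddress(addr) {
  return typeof addr === "string" && /^0x[0-9a-fA-F]{40}$/.test(addr) ? addr.toLowerCase() : null;
}

// Verdict for one offered asset. `badgeInImage` (what the UI renders) is
// carried on the asset but never consulted: only the contract address decides.
function checkAsset(asset) {
  const addr = normalizeAddress(asset.contract);
  const known = addr && VERIFIED_COLLECTIONS[addr];
  if (known) return { verified: true, collection: known.name, floorEth: known.floorEth, warning: null };
  // Knock-off pattern from the s27 swap: the name claims a verified collection,
  // the image even carries a badge, but the contract is not the verified one.
  const impersonated = Object.values(VERIFIED_COLLECTIONS)
    .find(c => String(asset.displayName).toLowerCase().includes(c.name.toLowerCase()));
  const warning = impersonated
    ? `"${asset.displayName}" #${asset.tokenId} is not on the verified ${impersonated.name} contract`
    : `"${asset.displayName}" #${asset.tokenId} is on an unverified contract`;
  return { verified: false, collection: null, floorEth: 0, warning };
}

// Evaluate a whole swap: flag unverified assets on the receiving side, and the
// "too good to be true" case where verified floor value given exceeds value received.
function evaluateSwap(give, receive) {
  const sum = checks => checks.reduce((t, c) => t + c.floorEth, 0);
  const giveChecks = give.map(checkAsset), recvChecks = receive.map(checkAsset);
  const giveValue = sum(giveChecks), recvValue = sum(recvChecks);
  const warnings = recvChecks.filter(c => c.warning).map(c => c.warning);
  if (recvValue < giveValue) warnings.push(`verified floor value: give ${giveValue} ETH, receive ${recvValue} ETH`);
  return { safe: warnings.length === 0, giveValue, recvValue, warnings };
}

// Constructed reconstruction of the s27 swap described in the article.
const ape = (contract, displayName, tokenId, badgeInImage) => ({ contract, displayName, tokenId, badgeInImage });
const S27_GIVES = [
  ape("0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "Bored Ape Yacht Club", 1584, false),
  ape("0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "Mutant Ape Yacht Club", 13168, false),
  ape("0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "Mutant Ape Yacht Club", 13169, false),
];
const S27_RECEIVES = [4424, 5406, 2007].map(id =>
  ape("0xcccccccccccccccccccccccccccccccccccccccc", "Bored Ape Yacht Club", id, true));
```

Running `evaluateSwap(S27_GIVES, S27_RECEIVES)` reports the swap as unsafe with three knock-off warnings plus the value-imbalance warning, regardless of the badge baked into the images.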
“This goes for other assets too,” 0xQuit said. “I’ve seen similar scams with tokens, where a scammer will submit a picture with the words ‘20 WETH’ on it in place of 20 WETH.”
Meanwhile, Swapkiwi has said they are working on improvements and pledged to “make the necessary changes so this doesn’t happen again on swapkiwi.”
🚨🚨🚨 Please be careful when swapping. Scammers photoshopped a verification badge into an NFT. Always double check on either opensea or etherscan. We are working on the improvements. 👇🧵 https://t.co/awyW70SyFh — swapkiwi (@swapkiwi) April 5, 2022