An unfortunate user has been drained of their non-fungible tokens, worth hundreds of thousands of dollars, in a sophisticated phishing scam on the Blur marketplace.
The loss, reported by 0xQuit on X, formerly Twitter, involved six Bored Ape Yacht Club NFTs, 40 Beanz, and three Elementals, all listed at one wei each, effectively zero. Wei is the smallest unit of ether on the Ethereum blockchain.
Based on current floor prices for each asset, the total sum amounts to roughly $239,676.
The scam was orchestrated by an unknown entity, who exploited a loophole in Blur’s listing system to enable private sales, 0xQuit, a Solidity developer and auditor, said in a separate post.
Despite Blur’s standard policy of not supporting private listings, the scammer managed to manipulate the royalty settings of the NFTs, bypassing the public accessibility requirement.
Typically, if a scammer tricks someone into listing an NFT for nearly nothing, automated bots quickly buy it by paying higher fees, leaving the scammer empty-handed.
To counter this, scammers are now tricking people into listing NFTs at high prices, with all proceeds going to the scammer’s address, 0xQuit said.
Scammers do this by setting up a rule that cancels any transaction unless they are the one trying to buy, making the sale effectively private.
The tactic ensures that only the scammer can fulfill the transaction, preventing others from intercepting the low-priced listings, 0xQuit said.
0xQuit further elaborated that the scam involved getting the victim to sign something on a phishing website, typically reached through an impersonator account on Twitter advertising a free mint or airdrop checker.
NFT-related scams have become a constant headache for marketplaces and users following a major surge in popularity for the assets in late 2020 and early 2021.
In rare cases, that has led authorities to hunt down those responsible for making off with millions.
Last month, three UK nationals were charged with orchestrating a $3 million scam in 2021 related to the “Evolved Apes” NFT collection.
Blur did not immediately return a request for comment.