November 1st, 2022
In October 2022, Halborn discovered a phishing attack targeting NFT owners. The threat was initially discovered due to the attacker’s use of the RIMOWA x RTFKT collaboration as a pretext to trick users into connecting their wallets. However, further investigation indicated that over 50 domains are involved in the attack.
With access to users’ accounts, the attacker can create DeFi approvals and drain tokens from these accounts. In total, the attacker has drained over $377K in Ether as well as many NFTs whose value is difficult to estimate.
The attacker has a presence in multiple channels, including Twitter and NFT Stats. The phish claims that users can get access to a token mint for the limited edition collection before the official public mint.
If a user clicks on the indicated link, they’ll be redirected to the phishing page. This page includes a Connect Wallet button. Connecting a wallet triggers a few actions, including:
If the user clicks the Mint Now button, a transaction is generated that creates a DeFi approval for the user’s account for all NFTs that they own. This will allow the phishing address to transfer all of these NFTs as well as any value held within the user’s account.
After the transaction is created, the user will be prompted to sign it. The site then submits the transaction to the Ethereum network via Moralis with a hardcoded API key.
This phishing attack has been quite successful with multiple NFTs transferred to the attacker’s account.
Some examples are visible on NFTScan under the “Received” tab at the following addresses:
After identifying the threat, Halborn notified affected parties. This included:
This attack uses phishing tactics and DeFi approvals to steal NFTs and Ether from users. In general, if an offer — such as access to NFTs before the official mint — seems too good to be true, it probably is. Before connecting a crypto wallet to a site or making a transaction, make sure to validate that the site is legitimate.
DeFi approvals allow another account to transfer approved tokens to them. These approvals can easily be abused if the destination account is malicious or compromised by an attacker. To check if you have outstanding approvals on your accounts, you can use one of the following tools:
Phishing scams and malicious use of DeFi approvals are common in the DeFi space. Always double-check before you approve a transaction.