NFT collector Larry Lawliet was the victim of an alleged social engineering attack that resulted in the loss of seven costly Bored Apes and a number of other non-fungible tokens (NFTs).
The hacker seemed to have duped Lawliet into signing bogus transactions that gave them access to his NFTs, and through said access, the hacker was able to enrich their wallet with the NFTs transferred.
Lawliet posted on Twitter that the hacker had stolen 13 of his NFTs, including seven Bored Apes, five Mutant Apes, and one Doodle. Based on the floor price of the NFTs stolen from Lawliet’s wallet, his complete losses from the attack reach the sum of $2.7 million.
I lost all my apes and mutants just now, any one bought it??? pls touch me! pic.twitter.com/AN5IMt2ntu
— larrylawliet.eth (@iloveponzi) January 31, 2022
The issues of Larry Lawliet began when an attacker who is presumably the same individual gained control of yet another NFT collection named Moschi Mochi’s Discord server and mentioned another mint through a bogus statement. Members of the Moschi Mochi community were invited to take part in an extra mint of 1,000 NFTs for a shot to earn a raffle of over $25,000.
Lawliet communicated with the bogus mint and sent 0.49 Ethereum (ETH) in return for 14 of the scam NFTs, according to his wallet address on Etherscan. Lawliet’s transaction data indicates a lot of “set approval” transactions just after the transfer.
The hacker’s “0xD27” address was set as an approved address in all of these set approval transactions. When verifying these transactions in his own wallet, Lawliet was duped into using the “setApprovalForAll” method.
The fact that when someone confirms a blockchain transaction using an in-app browser like MetaMask, it’s not always evident what permissions they’re providing to the website is crucial. In this instance, the victim mistook the transactions for routine ones, when in reality he was literally handing his NFTs to the hacker.
However, MetaMask has a function that allows users to view the true extent of the transactions prior to their execution. This stage is selecting the “details” tab, which provides information about the transaction, including critical details such as the addresses that have been approved. Traders may not always verify this amid the frenzy for an NFT mint.
The setApprovalForAll contract call permitted the hacker to execute the “transferFrom” contract call, allowing them to move all of the victim’s Bored Apes to their own wallet. A call is a programming construct that enables a user to run the code of another contract, which in this scenario constitutes the means of transferring NFTs from the target to the perpetrator.
After gaining possession of the victim’s NFTs, the attacker began transferring them to a separate wallet. The hacker was able to steal the Bored Apes as well as other NFTs such as Mutant Apes and Doodles using this approach.
Social engineering assaults targeted at stealing valuable NFTs continue to target holders of prominent NFT collections like BAYC. The collection has a floor price of over 118 Ethereum (ETH), equivalent to $320,000 at present.
In the wake of occurrences like this, security specialists recommend using “burner wallets,” or addresses with only a little amount of money to meet gas costs. As a result, if the transaction is a phishing scam, the victim’s losses will be greatly reduced.
Validating transaction data before authorizing could also be a good precaution. Approvals should only be given to “trustworthy contracts” with long transaction history, according to Tal Be’ery.
2/ 0xd27… is not a contract, but a regular address ("EOA") 🚨
first active a minute before 🚨
Normal approves should go to trustworthy contracts and usually with a relatively long historyhttps://t.co/3iIBhoMBGo pic.twitter.com/nnAJEPp8bL— Tal Be'ery (@TalBeerySec) February 1, 2022
Web wallets, like as MetaMask, display transaction data and might be invaluable as a means for phishing attacks detection.