In Brief:
- An NFT collector lost $2.7 million worth of NFTs in a social engineering attack.
- The stolen NFTs include BAYC, Mutant, and Doodle NFTs.
- The victim mistakenly signed transactions that gave attackers access to his NFTs.
On Feb 1, NFT collector Larry Lawliet lost all his NFTs, including Bored Ape NFTs, from his account in a cyberattack.
The incident appears to be a social engineering attack in which the perpetrator tricked Lawliet into signing fake transactions. The attackers then gained access to his NFTs and transferred them to their own addresses.
Lawliet revealed in a tweet that nearly 13 NFTs were stolen, including seven Bored Apes, five Mutant Apes, and one Doodle. The estimated value of the stolen NFTs is around $2.7 million based on the floor price.
The attack began with the compromise of the Discord server of the Moschi Mochi NFT collection, where the attackers posted a phishing announcement of an extra mint. The scam invited members of the Moschi Mochi community to mint an extra NFT from a batch of 1,000 NFTs, with a $25,000 raffle attached.
The transactions on Etherscan show that he fell for the scam and interacted with the fake mint. He sent 0.49 ETH to addresses to mint 14 fake extra NFTs. Lawliet’s transactions show multiple “Set Approval” transactions.
These “Set Approval For All” transactions contain the hackers’ crypto wallet addresses, hidden from view, which were set as approved addresses.
Currently, in-app browsers such as MetaMask have an interface in which users approving a transaction cannot see what kind of approval they are giving without clicking on the details tab. The victim mistakenly signed this transaction as if it were a regular blockchain transaction.
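What the details tab would have revealed can be checked from a transaction's raw input data. The following is an added example, not code from the article or from any wallet: it decodes `setApprovalForAll(address,bool)` calls and flags grants to operators outside an allowlist. All addresses are constructed placeholders, and the transaction dictionaries with `to` and `input` fields are an assumed format.

```python
from typing import List, Optional

# First 4 bytes of keccak256("setApprovalForAll(address,bool)"), the ERC-721/ERC-1155
# call that lets an operator move every token the signer holds in one collection.
SET_APPROVAL_FOR_ALL = "a22cb465"

def decode_set_approval(calldata: str) -> Optional[dict]:
    """Return the operator and flag of a setApprovalForAll call, or None for any other call."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    if data[:8] != SET_APPROVAL_FOR_ALL:
        return None
    args = bytes.fromhex(data[8:])  # raises ValueError on non-hex input
    if len(args) != 64:
        raise ValueError("expected two 32-byte ABI words (address, bool)")
    addr_word, flag = args[:32], int.from_bytes(args[32:], "big")
    if any(addr_word[:12]) or flag > 1:
        raise ValueError("malformed address or bool encoding")
    return {"operator": "0x" + addr_word[12:].hex(), "approved": flag == 1}

def risky_approvals(txs: List[dict], trusted_operators: set) -> List[dict]:
    """Flag grants of collection-wide control to operators not on the (lowercase) allowlist."""
    findings = []
    for tx in txs:
        decoded = decode_set_approval(tx["input"])
        if decoded and decoded["approved"] and decoded["operator"] not in trusted_operators:
            findings.append({"collection": tx["to"], "operator": decoded["operator"]})
    return findings

# Constructed sample data: placeholder addresses, not taken from the incident.
UNKNOWN_OPERATOR = "0x" + "ab" * 20
MARKETPLACE = "0x" + "cd" * 20
COLLECTION = "0x" + "11" * 20

def encode_grant(operator: str, approved: bool) -> str:
    """Build constructed calldata for the samples below (hypothetical helper)."""
    return "0x" + SET_APPROVAL_FOR_ALL + operator[2:].rjust(64, "0") + str(int(approved)).rjust(64, "0")

SAMPLE_TXS = [
    {"to": COLLECTION, "input": "0x"},                                  # plain ETH transfer
    {"to": COLLECTION, "input": encode_grant(MARKETPLACE, True)},       # allowlisted operator
    {"to": COLLECTION, "input": encode_grant(UNKNOWN_OPERATOR, True)},  # pattern described above
    {"to": COLLECTION, "input": encode_grant(UNKNOWN_OPERATOR, False)}, # a revocation
]

if __name__ == "__main__":
    for finding in risky_approvals(SAMPLE_TXS, {MARKETPLACE}):
        print("collection-wide approval to unlisted operator:", finding)
```

A grant stays in force until the holder sends the same call with the flag set to false, so a flagged operator should be revoked and not just noted.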
After this attack, many BAYC NFT holders suffered large numbers of social engineering attacks. Security experts have urged NFT holders to use “burner wallets” to protect their NFTs.
The NFT world is currently facing a large number of cyberattacks, such as exploit attacks. Many NFT holders have lost their NFTs due to their own mistakes or loopholes in platforms. Recently, OpenSea users lost their NFTs due to its NFT listing errors.