Hackers use NFTs to steal cryptocurrency
2 min readThe rise in popularity of non-fungible tokens (NFT) is also increasing industry-related scams and attacks.
According to the Kommersant portal, cybersecurity firm ESET discovered that malware for illegal cryptocurrency mining or cryptocurrency wallet theft began to spread via NFT tokens and mobile apps.
“In the case of distribution via NFT, the issue is that the player receives a token with registration, for example, of a superpower or a weapon in which a virus is embedded,” explained ESET Threat Intelligence head Alexander Pirozhkov. .
Russia leads in attacks of the type
Also according to Pirozhkov, at the end of 2021, Russia continued to lead in terms of victims of cryptocurrency-related attacks. The country accounted for 11.2% of those affected by these attacks, according to ESET.
Most activity took place between September and December 2021, with the country accounting for 12.3% of all global attacks.
However, it is difficult to assess the financial losses of citizens. That’s because in most cases people just don’t know that someone has gained access to their funds.
Specifically regarding NFT-related attacks, Exantech chief Denis Voskvitsov highlighted that these assets are often organized in such a way that the content is stored outside the blockchain.
So an attacker can mint tokens, which at the time of sale are common images. And, after selling on the attacker’s server, they will be altered, for example, to exploit vulnerabilities in digital wallets.
OpenSea vulnerability
In October 2021, CheckPoint discovered a vulnerability in the popular OpenSea NFTs marketplace. An attacker could use a special SVG image to inject arbitrary JavaScript code into the storage.opensea.com subdomain.
A hacker exploited the vulnerability and sent the victim an NFT with an exploit (a program that implements an attack using vulnerabilities). The program was then able to access your Metamask wallet.
Thus, when viewing the NFT, the victim opened a transaction confirmation window. Meanwhile, the wallet interface displayed the OpenSea domain and not a fake website:
“If the victim confirmed the transaction, all funds were transferred to the hacker’s address,” Voskvitsov said.
