In a complex phishing scam on the Blur marketplace, an unfortunate user has been drained of NFTs worth hundreds of thousands of dollars. The loss, reported by 0xQuit on X (formerly known as Twitter), involved six Bored Ape Yacht Club NFTs, 40 Beanz, and three Elementals, each listed for one wei, which is essentially zero. Wei is the smallest unit of Ether on the Ethereum blockchain. Based on the current floor prices of each asset, the total loss is approximately $239,676.
In another post, 0xQuit, a Solidity developer and auditor, said the scam was orchestrated by an unknown entity that took advantage of a vulnerability in the private sales feature of the Blur listing system. Despite Blur’s standard policy of not supporting private listings, the scammer managed to bypass the public accessibility requirement and manipulate the NFTs’ royalty settings.
Typically, if a scammer tricks someone into listing their NFT for free, automated bots quickly purchase it by paying a higher fee, leaving the scammer empty-handed. To counter this, the scammer is now enticing people to list the NFTs at a high price, with all proceeds flowing into the scammer’s address.
The scammer achieves this by implementing a rule that cancels any transaction if it is not their attempt to buy, effectively making the transaction private. According to 0xQuit, this strategy ensures that only the scammer can complete the transaction, preventing others from intercepting low-priced listings.
0xQuit further explains that the scam involves luring victims to sign up on phishing websites, often advertised by impersonator accounts on Twitter as free mints or airdrop checkers.
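The listing patterns described above can be caught by a wallet-side review of the decoded order before it is signed. The sketch below is an added example, not code from 0xQuit or Blur. The order shape, field names, thresholds and addresses are assumptions made for illustration.

```javascript
// Added example. Field names, thresholds and sample values are assumptions
// made for illustration; this is not Blur's order format.
const BPS = 10000n;
const ETH = 10n ** 18n;

// Review a decoded listing before the wallet signs it.
function reviewListing(order, ctx) {
  const findings = [];
  const known = new Set(ctx.knownRoyaltyRecipients.map((a) => a.toLowerCase()));

  // A price far below the collection floor (for example 1 wei) is a giveaway.
  if (order.priceWei * 100n < ctx.floorWei * ctx.minFloorPct) {
    findings.push("PRICE_FAR_BELOW_FLOOR");
  }

  // Every fee recipient must be one the collection is known to use.
  let totalFeeBps = 0n;
  for (const fee of order.fees) {
    totalFeeBps += fee.rateBps;
    if (!known.has(fee.recipient.toLowerCase())) {
      findings.push("UNKNOWN_FEE_RECIPIENT:" + fee.recipient);
    }
  }
  if (totalFeeBps > ctx.maxFeeBps) findings.push("FEES_EXCEED_LIMIT");

  // What the seller keeps after fees, clamped at zero.
  const feeWei = (order.priceWei * totalFeeBps) / BPS;
  const sellerWei = feeWei >= order.priceWei ? 0n : order.priceWei - feeWei;
  return { sign: findings.length === 0, findings, sellerWei };
}

// Constructed sample data (placeholder addresses, not real accounts).
const ROYALTY = "0x" + "aa".repeat(20);
const UNKNOWN = "0x" + "bb".repeat(20);
const ctx = { floorWei: 25n * ETH, knownRoyaltyRecipients: [ROYALTY],
              maxFeeBps: 1000n, minFloorPct: 50n };
const samples = {
  oneWei: { priceWei: 1n, fees: [{ recipient: UNKNOWN, rateBps: 50n }] },
  diverted: { priceWei: 30n * ETH, fees: [{ recipient: UNKNOWN, rateBps: 10000n }] },
  normal: { priceWei: 26n * ETH, fees: [{ recipient: ROYALTY, rateBps: 50n }] },
};

for (const [name, order] of Object.entries(samples)) {
  const r = reviewListing(order, ctx);
  console.log(name, r.sign ? "OK to sign" : "BLOCK", r.findings.join(", "));
}
```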
Since the surge in popularity of NFT assets in late 2020 and early 2021, NFT-related scams have been a headache for the market and users. In rare cases, this has led authorities to pursue individuals who fled with millions of dollars.
Last month, three British nationals were charged with orchestrating a $3 million scam related to the “Evolution Ape” NFT series in 2021.
Blur did not immediately respond to requests for comment.