In October 2022, Halborn discovered a phishing attack targeting NFT owners.  The threat was initially discovered due to the attacker’s use of the RIMOWA x RTFKT collaboration as a pretext to trick users into connecting their wallets.  However, further investigation indicated that over 50 domains are involved in the attack.

With access to users’ accounts, the attacker can create DeFi approvals and drain tokens from these accounts.  In total, the attacker has drained over $377K in Ether as well as many NFTs whose value is difficult to estimate.

Inside the Attack

The attacker has a presence in multiple channels, including Twitter and NFT Stats.  The phish claims that users can get access to a token mint for the limited edition collection before the official public mint.

If a user clicks on the indicated link, they’ll be redirected to the phishing page.  This page includes a Connect Wallet button.  Connecting a wallet triggers a few actions, including:

  1. Attacker Notification: A Discord webhook is used to inform the attacker of the activity, specifying the phishing site used and the connected wallet’s address.
  2. Mint Now Button: A Mint Now button appears, which, if clicked, will check the balance of the connected account and use OpenSea to determine which NFTs it owns.

If the user clicks the Mint Now button, a transaction is generated that creates a DeFi approval for the user’s account for all NFTs that they own.  This will allow the phishing address to transfer all of these NFTs as well as any value held within the user’s account.

After the transaction is created, the user will be prompted to sign it.  The site then submits the transaction to the Ethereum network via Moralis with a hardcoded API key.

This phishing attack has been quite successful with multiple NFTs transferred to the attacker’s account.  

Some examples are visible on NFTScan under the “Received” tab at the following addresses:

After identifying the threat, Halborn notified affected parties.  This included:

  • Informing Discord, rtfkt, and Twitter of the phishing content on their platforms
  • Notifying Hotjar and Moralis that their tools were being used during the attacks
  • Reporting the 50+ phishing domains to the appropriate domain name registrars
  • Contacting Etherscan to have the Ethereum addresses used in the attack labeled as phishing addresses.

Lessons Learned From the Attack

This attack uses phishing tactics and DeFi approvals to steal NFTs and Ether from users.  In general, if an offer — such as access to NFTs before the official mint — seems too good to be true, it probably is.  Before connecting a crypto wallet to a site or making a transaction, make sure to validate that the site is legitimate.

DeFi approvals allow another account to transfer approved tokens to them.  These approvals can easily be abused if the destination account is malicious or compromised by an attacker.  To check if you have outstanding approvals on your accounts, you can use one of the following tools:

Phishing scams and malicious use of DeFi approvals are common in the DeFi space.  Always double-check before you approve a transaction.

Explained: The RTFKT Phishing Campaign (October 2022)
Rob Behnke