NFT Scams Are Back - An Investor Has Lost 6 BAYC And 40 Beanz To A Scammer On Blur

NFT Scams Are Back – An Investor Has Lost 6 BAYC And 40 Beanz To A Scammer On Blur

Updated: 03 July 2024

Disclosure

Don’t invest unless prepared to lose all the money you invest. This is a high-risk investment, you shouldn’t expect to be protected if something goes wrong.

Hackers and scammers appear relentless in attacking the non-fungible token investors despite them facing massive losses from the recent bear market, which left their portfolios down over 80% in the past two years. In a recent attack, a non-fungible token collector has just lost digital items worth more than $200,000 to a scammer on Blur.

An NFT Investor Loses $240K In A Hack

In a July 3 blog post, Quit, an on-chain crypto sleuth, Solidity dev and auditor, confirmed that a non-fungible token collector has just lost 6 Bored Ape Yacht Club, 40 Beanz, and 3 Azuki Elementals NFT collections after bulk listing them for one wei each to a scammer on Blur.

A user just lost 6 BAYC, 40 Beanz, and 3 elementals by bulk listing them for 1 wei each to a scammer on Blur.

See my previous thread on the mechanics: https://t.co/ihWKpshaIT pic.twitter.com/3sLzMES59A

— Quit (@0xQuit) July 3, 2024

Bored Ape Yacht Club is a non-fungible token collection from the digital asset firm Yuga Labs, while Beanz and Azuki Elementals are non-fungible token collections from the digital asset firm Chiru Labs. The value of the stolen NFT collection is estimated to reach nearly $240,000.

Among the non-fungible token collections stolen include the Bored Ape Yacht Club #4008, Bored Ape Yacht Club #4144, Bored Ape Yacht Club #9141, Bored Ape Yacht Club #8179, Bored Ape Yacht Club #439 and Bored Ape Yacht Club #90. This user lost his portfolio via a private listing on the Blur NFT marketplace.

How Did This User Lose His NFTs?

Typically, Blur doesn’t offer private listings. Any listing users create is open to be fulfilled by anybody, including scammers. In most cases, if a scammer plans to phish an investor by creating a Blur listing for 0 ETH, he would immediately get front run by arb bots willing to pay most of the value of the NFT to block validators to land the purchase.

Last year, Pink Drainer learned how to hack into enabling private sales on Blur and walked away with thousands of dollars worth of digital items. In most cases, scammers have been caught phishing signatures to list items above the floor, with their own address set as the royalty recipient with 100% royalties.

Shockingly, Pink Drainer took this hacking idea further and set a royalty recipient with 100% royalties. But instead of setting that recipient to himself, he put it into a contract. That contract reverts for any transaction in which Pink is not the origin.

Even though the NFT collection is publicly listed for 0 ETH, Pink is the only one who can fulfil it. If somebody else tries, the royalty payment reverts, meaning the entire transaction reverts. This effectively makes it a private transaction. The subject user likely lost his NFTs from a similar scam trick.