Keeping Assets on Mobile: Can No-Click Exploits Take NFT and Tokens

• Rumors appeared during the New York NFT meetup that it was possible to exploit OpenSea accounts through open WiFi.
• NFT Apes and Punks still among hot collections, targets of theft.

Rumors are circling of a new potential exploit using public WiFi or even Blue Tooth communication. Valuable NFT could be taken from users, especially if logged onto OpenSea and having an open wallet. 

The New York NFT conference is gathering thousands of collectors and enthusiasts, but several warnings were issued to think about wallet security on mobile. 

If you're out at NFT NYC be careful. Turn your Bluetooth/nfc/etc off. Don't scan shit. Lock your screen with a passcode… Probably clear off anything crypto and restore later… Don't want your phone getting stolen and you lose everything. Be safe.

— Brock McBlockchain (@BrockMcBreadcat) June 20, 2022

There are still no reports of theft or the exact mechanism of the exploit. Some of the attempts to steal may be disguised as private solicitations, similar to those spread from chat channels. 

NFT Top Collections Still Hold High Value

New users often access crypto assets from mobile and may have lowered defenses when it comes to looses. Unlocked wallets, 2D scanned codes or even attempts through public NFT can lead to operations with the tokens. However, it is unclear if the NFT within the wallet can be moved with a no-click exploit. 

The rumors were spread in relation to the annual NFT event in New York, runnin from June 21 to June 23. The event brings together NFT collections and founders, as well as NFT owners and buyers. The NFT phenomenon still goes strong despite signs of some slowdown, with Punks and Apes still holding top positions and having a presence on live events and social media. 

NFT resales are still active and scammers will attack precisely those top collections. In the past, Punks, Apes, Asukis, Art Blocks and other items have been stolen and quickly resold. Usually, in-game collections sold on separate marketplaces remain safer, as thieves target a resale through OpenSea.

Top collections also get exploited through copycat websites. Those sites offer mints, thus demanding the user to sign a transaction. This will give permission to a smart contract to empty the wallet. 

#PeckShieldAlert PeckShield has detected rrbayc[.]art/ is a phishing site. @RR_BAYC @ryder_ripps Do *NOT* fall prey to it!
Seems like the real RR/BAYC got delisted off @OpenSea pic.twitter.com/Qzmc3GuVzr

— PeckShieldAlert (@PeckShieldAlert) June 22, 2022

Copycat collections and mints have been offered for Apes, as well as for the recently popular Goblintown. The best approach is to use official mints or verified OpenSea resale offers.