HKCERT warns NFT collectors to beware of rampant phishing attacks after users were scammed out of over HK$13m by hackers


23rd February 2022 – (Hong Kong) NFTs (Non-Fungible Tokens) have recently become popular in virtual communities. It was reported that users of a large NFT online trading platform fell victim to a phishing attack, resulting in the theft of NFT assets, with an estimated loss of more than US$1.7 million (equivalent to more than 13 million Hong Kong dollars). The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) under the Hong Kong Productivity Council had earlier issued a warning and outlook, calling on users to be more vigilant against increasingly rampant phishing attacks, and predicting that cryptocurrencies and metaverse-related technologies will be key targets of attacks by hackers this year.

HKCERT stated that the NFT online trading platform had earlier asked users to upgrade the NFTs they had listed for sale to new smart contracts for security reasons. Hackers saw the opportunity and posed as platform team members issuing reminders to users, sending phishing emails that included links to malicious websites. These websites hid the transaction terms and required users to sign and authorise execution.

Some users accidentally clicked the authorisation link, causing their NFT assets to be transferred away. HKCERT reminds users to take care to protect their crypto assets and prevent illegal access by hackers, including by not arbitrarily clicking or opening hyperlinks or attachments from unknown sources in emails, text messages or social media. Users should carefully verify all information before signing any transaction and check with official agencies. They should also review their own NFT authorisations and revoke any past authorisations granted for questionable or uncertain purposes. They should never disclose the recovery phrase for their cryptocurrency wallet.