As non-fungible tokens (NFTs) become more popular, bad actors who are constantly trying to exploit users within the space have become more active. Now, a new hack involving a feature in the OpenSea NFT marketplace threatens NFT holders with phishing websites.

In an announcement, anti-theft project Harpie warned NFT users about a new hack involving gasless sales on the OpenSea platform. According to Harpie, hackers managed to steal millions of digital assets by exploiting the feature.

When users want to make gasless sales within the OpenSea platform, they have to agree to a signature request with an unreadable message. With this feature, users can also allow the creation of private auctions with unreadable signatures.

For this reason, phishing sites use this feature to ask their victims to sign one of these unreadable messages. According to Harpie, signatures are often a required step for logging in and accessing a website.

However, the login messages are actually signature requests to make a private sale of the victim’s NFTs to the scammer for 0 ether.

pointers down

. If signed, the NFTs will be sent to the hacker’s wallet address.

Related: Projects would rather hack than pay rewards, Web3 developer claims

Aside from this scam, blockchain security firm CertiK recently issued a warning to the crypto community about what they described as “ice phishing.” With this exploit, scammers trick Web3 users into signing permissions that allow attackers to spend their tokens. CertiK noted that the scam is a significant threat and is unique to the Web3 world.

Back on December 17, an analyst brought up how a scammer used Seaport’s gas-free signature feature to steal 14 Bored Ape NFTs. After extensive social engineering, the hacker directed the victim to a fake NFT platform before asking its owner to sign a contract. This was followed by the victim’s wallet running out.