In September 2021, one victim tweeted that their assets had been possibly stolen after interacting with maliciously-airdropped NFTs. The prospect of scammers being able to steal victims’ assets by sending them malicious NFTs caused concern across the NFT community. After analyzing the victim’s blockchain activity, however, analysts suggested that it was more likely that the true culprit was a typical phishing link.
This vulnerability allowed NFTs to trigger a malicious pop-up upon interaction, causing the victim to inadvertently give scammers access to other NFTs stored in their wallet. This scam – facilitated through a vulnerability on OpenSea – was patched before its exploitation became mainstream.
Trojan NFTs indicate the wider potential for NFTs to contain potentially malicious data or commands. In January 2022, Nick Bax from Convex Labs revealed a proof-of-concept NFT that can log a viewer’s IP address by encoding additional metadata into its animation URL21. This is one (arguably harmless) demonstration of how an NFT is not only limited to simple JPEGs – and can potentially facilitate malicious intent.
https://www.artnews.com/art-news/news/stolen-nft-scams-heist-100m-elliptic-1234637363/