Breakdown of the Case
Oulahya is alleged to have purloined four NFTs from the victim’s OpenSea portfolio. These were sourced from the Bored Ape Yacht Club, Meebit, Bored Ape Kennel Club, and Crypto Dad collections, respectively. In addition, the accused also stole cryptocurrencies from the compromised digital wallet of the Manhattan victim. The charges note that the victim initially shelled out approximately $448,923 to procure these digital assets.
Attorney Damian Williams remarked in the statement, “As stated, Soufiane Oulahyane leveraged a prevalent cybercrime strategy to pilfer the victim’s cryptocurrencies and NFTs. ‘Spoofing’ is a long-standing tactic in the criminal arsenal, and Oulahyane repurposed this tool for exploitation in the nascent field of crypto.”
The indictment, drawn up by the US Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI), maintains that Oulahyane employed paid advertisement on a high-traffic search engine to lure the victim to the fraudulent OpenSea website.
Upon entering their seed phrase into the spoofed site, the victim inadvertently sent it to an email controlled by Oulahyane, who swiftly accessed the victim’s wallet and transferred the NFTs and cryptocurrencies into his possession. Prosecutors have yet to disclose the identity of the victim or the search engine used for the misleading advertisement.
Increasing Trend of Cyber Attacks
Spoofing, a manipulation method employed by cybercriminals, is part of a broader range of social engineering strategies. These often involve baiting potential victims into clicking on malicious links, exposing passwords, downloading dubious attachments, and more.
In April 2022, a Bored Ape Yacht Club (BAYC) owner was swindled out of BAYC #1584, Meebit #13168, and Meebit #13169 — a combined value of $570,000 — in a trade on the Swap Kiwi platform. The fraudster capitalized on feeble verification and anti-spoofing controls in the system to fabricate counterfeit BAYC NFTs, which were, in essence, merely doctored JPEGs.
In a separate incident in October 2022, the BNB Chain was compromised in a security breach, resulting in the loss of millions of dollars in cryptocurrencies. Despite ongoing freeze, recovery, and normalization processes, the network suffered an additional loss of 60 ETH due to a subsequent spoofing attack.