OpenSea NFT Hack: Insights on phishing attack and update

Temitope Akintade


Cryptocurrency is becoming more mainstream and the whole world is boarding the NFT train. According to Chainalysis, the total value of the NFT market has now surpassed $41 billion, with celebrities and major companies jumping on the trend. However, traders and investors have to be extraordinarily careful due to the sharp rise in email phishing, hacks and other forms of crypto scams.

Over the weekend, NFT holders across the board were in a state of turbulence as reports emerged that hackers were stealing NFTs and flipping them to gain profit on OpenSea – the world’s largest NFT marketplace. In response, OpenSea uploaded a statement on its website and on Twitter.

“We are actively investigating rumours of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website. Do not click links outside of opensea.io.”

On Saturday, February 19, OpenSea had called on users to start migrating their listings as part of a planned upgrade from its existing smart contract to a new one. Listings not migrated by the deadline would expire, requiring users to list their NFTs afresh.

Experts believe the attacker planned to take advantage of this window to carry out the exploit, since users pay less attention to security when rushing to beat a deadline.

According to developers at Isotile, the attacker appears to have begun preparing the exploit 28 days earlier, giving themselves time to collect as many signatures as possible. After gathering enough signatures just in time for the migration, the attacker “executes the smart contract function to steal the NFTs before their listings expire.” This was possible because the victims’ signatures were stored on the attacker’s server: a signed listing is an off-chain message that remains valid until it expires or is executed, so it can be submitted to the contract weeks after it was signed.


The attacker targeted an estimated 32 collectors on the top marketplace and drained NFTs from their Ethereum wallets. On-chain data posted by PeckShield shows that they stole over 250 pieces from high-value collections like Bored Ape Yacht Club, Doodles, Azuki, and NFT Worlds.

Based on the floor prices for the collections, Crypto Briefing estimated the total haul to be worth over 1,000 ETH, or $3 million. The attacker’s wallet currently contains 641 ETH worth around $1.7 million, as well as a selection of the stolen NFTs.

On-chain data shows that they deployed a smart contract on January 22 that calls into OpenSea’s exchange contract. It is thought that they tricked users into signing a payload (an off-chain message rather than an on-chain transaction) which, once submitted to the contract, transferred their NFTs to the hacker’s wallet, likely by sending out an email imitating the ones OpenSea sends. Once they had duped enough NFT collectors into signing the malicious payload, they executed the attack and drained the wallets.

This unpleasant occurrence once again brings to the fore one of the concerns of Web3: self-custody risk. The incident exposes the risks of using Web3, where signing a single malicious message or transaction can have disastrous consequences. For all of the benefits of self-custody wallets and decentralisation, such attacks raise questions about whether crypto and NFTs are truly ready for mass adoption.

For collectors, NFT hacks like this one are a reminder of the importance of exercising caution at all times in Web3, especially when it comes to checking emails and signing transactions.

The OpenSea platform has been hit with a string of negative incidents in the past few months. A recent UI bug led to over $1.1 million worth of NFTs being bought at far below market prices. The platform has also had other security issues; probably the most serious of them all was the theft of $1.3 million worth of NFTs due to a bug.

Bored Ape NFTs have also been stolen, which led to the marketplace freezing transactions, a move that drew a lot of criticism from the crypto community. As NFTs have attracted mainstream interest and their prices have soared, hackers have increasingly turned to the space to target collectors.

The CEO of OpenSea, Devin Finzer, has come out to address the issue. Finzer was clear about the circumstances surrounding the attack.

He says in a tweet, “As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen”.

Finzer rejected claims that this hack amounted to $200 million in lost NFTs. He advised those who want to protect themselves from this attack to ‘un-approve’ OpenSea’s access to their NFTs, that is, to revoke the approval that allows the marketplace contract to move tokens on their behalf.

Finzer also advised users to ensure that they are on opensea.io when signing messages. He further said that OpenSea is working with users whose items were stolen to narrow down the set of common websites they visited that could have been responsible for the malicious signatures.

Activity on OpenSea is largely permissionless, which limits how much the firm can do to control what its users sign. The only measure to avert further losses is for users to stay vigilant and refrain from signing anything or clicking any link outside what OpenSea itself has set up, because “a single click makes a difference”.

