The phishing attack on OpenSea, reportedly stole more than 250 NFTs and the attackers took $1.7 million in Ether for selling the stolen NFTs.
OpenSea, one of the largest digital collectible marketplaces, has fallen prey to hackers on Saturday, reporting over 250 non-fungible tokens (NFTs) stolen, including tokens from the famous Bored Ape Yacht Club and Decentraland.
As confirmed by the co-founder and CEO of OpenSea Devin Finzer in a Tweet, the ‘phishing attack’ made $1.7 million in Ether from selling some stolen NFTs.
Importantly, rumors that this was a $200 million hack are false. The attacker has $1.7 million of ETH in his wallet from selling some of the stolen NFTs.
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
A few days ago, OpenSea announced an upgrade to a smart contract, where users have to “migrate” their listed NFTs from Ethereum blockchain to a new smart contract. The marketplace set a one-week deadline to delist inactive NFTs on the OpenSea platform.
Interestingly all stolen NFTs were allegedly from users who manually migrated on OpenSea.
However, the marketplace’s CTO Nadav Hollander denied saying that the malicious orders were executed before the migration and are “unlikely” related to OpenSea’s migration flow.
– None of the malicious orders were executed against the new (Wyvern 2.3) contract, indicating that they were signed before the migration and are unlikely to be related to OpenSea’s migration flow.
— Nadav Hollander (@NadavAHollander) February 20, 2022
How easy is it for hackers to steal NFTs? NFT hacks and scams aren’t new, and many collectors have lost their entire NFTs owned.
For example, in March 2021, several user accounts on Nifty Gateway were hacked. However, users got their money, but the NFTs were just lost. The hackers reportedly sold them on another popular marketplace.
Nifty claimed at the time that the affected users didn’t have two-factor authentication turned on and that “access was obtained via valid account credentials.”
Also, there were complaints on deadlinks or digital wallets of merchants that disappeared, leaving collectors to lose hundreds of thousands of dollars worth of NFTs.
These particular incidents, however, show that hackers exploit loose security measures.
Hackers find one of the easiest ways to grab the opportunity by accessing the secret phrase – like a password – that allows users to recover owned digital assets on a blockchain even if they lose access to their wallets. Scammers easily find the phrase if the victim has stored it on their computer.
Data from blockchain analytics firm Chainalysis showed that last year alone, at least $44.2 billion worth of cryptocurrency was sent to the two types of Ethereum smart contracts “associated with NFT marketplaces and collections.”
The report revealed that over $3 million of crypto in NFTs were sent over illicit addresses in 2021.
Users should always be vigilant when receiving requests to sign their wallets online. They must review what is requested and consider if the request is suspicious.
In the case of the OpenSea attack, affected users have signed an order somewhere at some point in time, without realizing the trick used by bad actors.
– All of the malicious orders contain valid signatures from the affected users, indicating that they did sign an order somewhere, at some point in time. However, none of these orders were broadcasted to OpenSea at the time of signing.
— Nadav Hollander (@NadavAHollander) February 20, 2022
To protect NFTs and avoid getting hacked or scammed –
Experts say it is not safe to hold cryptos such as Bitcoin, Litecoin, and NFT assets in one wallet. They suggest keeping valuable assets such as NFTs in a hardware wallet, basically a two-factor authentication.
By doing so, the private keys get disconnected from the internet and offline, so tricksters can’t access them.
Few hardware wallets include Ledger Nano X, Trezor Model One, and Grid Plus Lattice 1.
People often share screens of NFTs they hold or their wallet details while discussing issues online or working collaboratively.
This is another loophole where scammers barge in, impersonating themselves as NFT creators or others to gain trust. They can manipulate users to share their secret recovery phrase – backup to all crypto-assets managed, thus gaining full access to their wallets.
One such incident was reported by an NFT collector, where the user lost around 250 ETH due to a “socially manipulated” scam, requesting the user to share screens with the perpetrators.
I was scammed / socially manipulated / hacked on @Discord and @OpenSea and lost three @BoredApeYC, four @0n1Force, and three @worldofwomennft totally roughly 250 eth in value by getting tricked into exposing the Metamask QR Code in the Chrome Browser Extension. I’ve never felt pic.twitter.com/aiaENpwLVP
— Sohrob.eth Farudi 🍌 ⭕️ (@sohrobf) August 25, 2021
The hackers impersonated themselves to be the founders of the famous Bored Ape Yacht Club.
Fake minting sites are abundant on Twitter and Discord and look identical to the real ones. When the user tries to mint an NFT from those bogus sites, it compromises wallet security and wipes off assets. Legit-looking accounts or people share such links via chats.
Last year, few NFT owners complained about expensive NFTs vanishing from links, and no traces of purchasing history were found. These are called “deadlinks.”
“Having a system managed with professional validators makes it feasible to protect consumers fully,” Tom Anderson, CEO of NFTs and blockchain security firm Devvio, told FX Empire.
“On DevvX – the blockchain platform, we manage the assets directly in addition to the blockchain, so there is no risk that an asset will not be available after it is purchased,” he said.
Fake notifications impersonating popular marketplaces like OpenSea, emails having @gmail.com or Hotmail address, claiming to be from NFT marketplace, creating identical copies of popular collectibles are common potholes dug by hackers for victims to fall.
Be careful out there apes, looks like a legit offer but the link tries to connect your wallet. Always go through OpenSea and block teamopensea@gmail.com pic.twitter.com/M5TFxT7i0z
— Javier Lovato 🍌 (@JavierLovato127) September 15, 2021
One must be cautious of the links and look for any suspicious activities. Above all, users should never share or store the secret phrase or recovery key on their computer.
NFT sales skyrocketed in 2021 and present colossal upside potential in the coming future for digital creators. However, this new space is open for scammers alike. That said, taking appropriate precautions to protect digital artworks and assets will assure users are not in the hands of bad actors.
Sujha Sundararajan is a writer-journalist with 7+ years of experience in Blockchain, Cryptocurrency and in general, FinTech news reporting. Her articles have featured in multiple journals such as CoinDesk, Protos, Bitcoin Magazine, CCN, Asia Blockchain Review, BeInCrypto and EconoTimes to name a few. She holds a Master’s in Journalism from the Indian Institute of Journalism and New Media and is also an accomplished Indian classical singer.