We’ve been told for years that having no laws and no regulations was a good thing, and that access equals ownership. So if these people have access, and therefore have ownership, how could they steal what they own? Perhaps lessons like this will teach cryptobros why we have laws and regulations around money and other property, if they’re capable of learning that and willing to do so.
Since the email addresses stolen in the incident were also shared with an unauthorized external party, Hardman urged potentially affected users to be alert for phishing attempts impersonating OpenSea. “They all have valid signatures from the people who lost NFTs so anyone claiming they didn’t get phished but lost NFTs is sadly wrong….” Signing transactions without paying attention gives others permission to transfer ownership of your digital assets. Requests from the exchange platform excepted, all other transaction requests should be rejected.
Phishing Attack Tricks 32 OpenSea Users Out of 254 NFTs
The OpenSea hack was made possible by a phishing attack in which users signed orders without validating them. OpenSea’s recent user interface issue caused $1.8M in NFTs to be lost, which OpenSea reimbursed. Users who had transferred their NFTs to new wallets without canceling their old listings saw their NFTs sold for the price of the old listings. OpenSea claimed that the occurrence was “not an exploit or a bug” but rather an issue that arises because of the nature of the blockchain. On Friday, Feb. 25, 2021, all listings still on old smart contracts will expire.
To rephrase, “you only need to have a few seconds of stupidity to fall for a phishing attack”. It has everything to do with stupidity, if even for a few seconds. You only need to be having an off day for the wrong few seconds to fall for a phishing attack. Their money was lost the moment they traded it for a blockchain entry which says they’re now the proud owner of a URL to a jpg of a dumb ape.
The link embedded into the phony email pointed to a phishing website where victims were prompted to sign a transaction, supposedly concerning the migration. “All of the malicious orders contain valid signatures from the affected users, indicating that they did sign an order somewhere, at some point in time,” Hollander said. “However, none of these orders were broadcasted to OpenSea at the time of signing.” Originally, it was believed that 32 users had their NFTs stolen after falling prey to the phishing attack.
Since the user was tricked into signing the order and the attacker also signed it, both the maker and taker sides of the order carry valid signatures. The OpenSea contract then calls the proxy contracts that hold the approvals for each of these tokens. According to a tweet on Saturday by Devin Finzer, co-founder and chief executive of OpenSea, the thefts involved a phishing attack, as affected users signed a malicious payload from an attacker. The wallet connected to the phishing attack held over two million dollars after some of the stolen NFTs were sold, Check Point Research (CPR) noted, although, at the time of writing, just over $8,000 is left in the account. In total, there have been over 350 transactions from this wallet address, including deposits and withdrawals. This isn’t the first time the crypto space has been victimized by theft and hacking, with Crypto.com getting hit just last month.
It’s like buying the Brooklyn Bridge – the moment you made a mistake was when you gave your money to the con man, not when a mugger stole your fake “deed”. In other recent NFT news, Fortinet researchers have warned that cyberattackers are jumping on the NFT hype to spread BitRAT malware. Cybersecurity expert Dan Guido also highlighted the inherent security issues with wallets and their exposure to phishing campaigns. It has now been over 22 hours since the last fraudulent transaction made in the attacker’s wallet. The contract migration timeline was set from February 18 to February 25. That web3 and NFT holders are being targeted on OpenSea is not surprising given the surge in popularity of NFTs in general and also OpenSea itself.
These proxy contracts use delegatecall to call the attacker’s contract, which is the target of the transfer. With delegatecall, the attacker’s contract runs in the storage and permission context of the proxy, so it can perform transfers on behalf of these proxy contracts. After stealing the NFTs, the unknown hacker then sold some but also returned some to their rightful owners, along with some Ethereum raised from the theft. As of the last reports, the hacker held $1.7 million in their Ethereum wallet along with three tokens from the Bored Ape Yacht Club, two Cool Cats, one Doodle and one Azuki. Check Point researchers state that the “sign” button (as in ‘sign contract’) triggered a function called “atomicMatch_.” A single call to this function can transfer every NFT the victim has approved in one transaction. Persons who opened the lookalike email were sent to a fraudulent domain.
OpenSea Users Lose Over $2 Million in NFTs during Phishing Attack
Even with so few victims, however, the monetary impact of this campaign was extraordinary. Hackers, it turned out, had used some clever social engineering to phish unwitting investors. According to a tweet on Monday by OpenSea, the attack appears to have stopped, with the most recent transaction occurring on Sunday.
Antivirus software can’t stop phishing attacks, but it will protect you against known viruses and malware. This is not the first time OpenSea’s platform has been hit by criminals. In January, hackers exploited a flaw in the platform’s code to buy NFTs for significantly less than their market value — profiting by around $1.8 million. It looks like the hacker duplicated an email sent to OpenSea users about the upgrade and directed them to a fake webpage. There, they were asked to sign what looked like a legitimate contract to migrate their NFT over to the new system. Given that users were expecting to receive an email from OpenSea about the migration, they were less likely to notice the spoof.
Within hours after OpenSea’s upgrade announcement, reports across multiple sources emerged about an ongoing attack that targeted the soon-to-be-delisted NFTs. Approximately 250 tokens were stolen from 17 affected users in the attack. OpenSea originally thought 32 people had been hit, but later amended that 15 people had interacted with the phisher but not lost NFTs.
Because blockchain transactions are irreversible, the threat of one wrong click is arguably even greater than in traditional IT attacks. As a result, the platform advised users to remain cautious and avoid following any links that don’t belong to the opensea.io domain. The transaction instead allowed the hackers to pass the NFT ownership to themselves. OpenSea is one of the world’s largest peer-to-peer NFT marketplaces (valued at $13.3 billion), which also enables trading rare digital items and crypto collectibles.
Users were then advised to be wary of all communications from OpenSea in addition to revoking all permissions for migrating to the new smart contract. Most people in the NFT space are only using hot wallets for NFT storage, making it an absolute necessity for individuals to recognize phishing red flags. The increasing value of NFTs provides insight into why this phisher managed to bring in $1.7 million in Ethereum from just 17 victims’ assets. “General usability continues to be a challenge and can contribute to confusion. Understanding what it is you are signing digitally as a user is not always obvious,” says Matt Bailey, VP of Engineering at Club NFT.
OpenSea planned upgrade stalls as phishing attack targets NFT migration
The company, one of the largest NFT marketplaces, said that 17 users had NFTs stolen on Saturday. In the past, OpenSea users have been targeted by threat actors impersonating fake support staff and by a phishing attack that left more than a dozen users without hundreds of NFTs worth roughly $2 million. I apologize if someone would be upset by this, but I never had a shred of pity for people who fall for phishing attacks. Scam artists have taken advantage of a contract migration initiative to swindle NFTs out of users in an opportunistic phishing attack. OpenSea announced a new smart contract upgrade with a one-week deadline Friday. Notably, phishing attacks have been a common attack vector in previous theft of NFTs.
OpenSea’s damage control
The domain prompted users to sign a seemingly legitimate transaction, which would ostensibly migrate their NFTs from the old contract to the new contract. Quickly, a malicious actor copied and re-sent OpenSea’s email blast notifying users. The link embedded into the fraudulent email directed victims to a phishing website, where they were prompted to sign a transaction, supposedly regarding the migration. It still isn’t clear exactly how the attackers were able to carry out the scam.
According to Check Point, the hacker also executed a dry run on Jan. 21 to verify that the attack would work as intended.
One Twitter thread suggests those targeted in the phishing campaign may have signed a partial agreement that allowed the attacker to transfer the NFTs without any Ethereum changing hands. Linking to the thread, Finzer said it presented a scenario that was “consistent with our current internal understanding” of the situation. This delegatecall executes a function in the attacker’s contract that loops through a list of the addresses and tokens for which the user has created approvals. With the context of the proxy contract and these preexisting approvals, the attacker can steal all of these tokens from the phished user’s account.
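The passage above turns on the "list of the addresses and tokens for which the user has created approvals": a signed order can only move tokens whose collection has granted an operator approval to the user's proxy, which is why the advice earlier on this page is to revoke those permissions. The following is an added example, not code from any of the quoted articles or from OpenSea, showing how a wallet owner (or a monitoring tool) can reconstruct which approvals are still active by replaying ERC-721 ApprovalForAll events in block order. The addresses and event log are constructed placeholders; on a live chain the same events would be read from a node's logs, which is left out here so the script runs offline.

```python
"""Replay ERC-721 ApprovalForAll events to list which operator approvals a wallet
still has outstanding. Added example, not code from the article or from OpenSea;
the addresses and log entries below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovalForAll:
    """One ERC-721 ApprovalForAll(owner, operator, approved) event."""
    block: int           # ordering key: a later event overrides an earlier one
    token_contract: str  # the NFT collection that emitted the event
    owner: str
    operator: str
    approved: bool


# Constructed addresses (placeholders, not real chain data).
WALLET = "0x000000000000000000000000000000000000aaaa"      # the user's wallet
USER_PROXY = "0x0000000000000000000000000000000000000ff1"  # the user's marketplace proxy
UNKNOWN_OP = "0x000000000000000000000000000000000000bad0"  # an operator the user never meant to keep
COLL_A = "0x00000000000000000000000000000000000000a1"
COLL_B = "0x00000000000000000000000000000000000000b2"
OTHER_WALLET = "0x000000000000000000000000000000000000cccc"

# Constructed event log, deliberately out of order to show that block order is what counts.
SAMPLE_EVENTS = [
    ApprovalForAll(140, COLL_A, WALLET, USER_PROXY, False),      # user revoked this one later
    ApprovalForAll(100, COLL_A, WALLET, USER_PROXY, True),
    ApprovalForAll(120, COLL_B, WALLET, USER_PROXY, True),
    ApprovalForAll(130, COLL_A, WALLET, UNKNOWN_OP, True),
    ApprovalForAll(150, COLL_A, OTHER_WALLET, UNKNOWN_OP, True),  # someone else's wallet, ignored
]


def active_approvals(events, owner):
    """Return the set of (token_contract, operator) pairs still approved for `owner`.
    Events are replayed in block order and the latest value for each pair wins,
    so a later revoke (approved=False) cancels an earlier grant."""
    state = {}
    for ev in sorted(events, key=lambda e: e.block):
        if ev.owner.lower() != owner.lower():
            continue
        state[(ev.token_contract.lower(), ev.operator.lower())] = ev.approved
    return {pair for pair, approved in state.items() if approved}


def collections_exposed_to(events, owner, operator):
    """Collections whose tokens `operator` may move on the owner's behalf.
    For a marketplace proxy this is exactly the list a maliciously signed
    order could drain in one transaction."""
    return {c for c, op in active_approvals(events, owner) if op == operator.lower()}


def unexpected_operators(events, owner, trusted_operators):
    """Active approvals whose operator is outside the user's trusted set;
    these are the first candidates for revocation."""
    trusted = {op.lower() for op in trusted_operators}
    return {pair for pair in active_approvals(events, owner) if pair[1] not in trusted}


if __name__ == "__main__":
    for contract, operator in sorted(active_approvals(SAMPLE_EVENTS, WALLET)):
        print(f"{contract} approved for operator {operator}")
    print("exposed via proxy:", sorted(collections_exposed_to(SAMPLE_EVENTS, WALLET, USER_PROXY)))
    print("unexpected:", sorted(unexpected_operators(SAMPLE_EVENTS, WALLET, [USER_PROXY])))
```

Note that the proxy approval is the one a user legitimately keeps in order to trade, so the defensive question is not only "which operators do I not recognise" but "how many collections could a single signature move through my proxy"; the second function answers that directly, and the migration window is exactly when it is worth checking.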
Either way, tonight’s incident highlights the challenges cryptocurrency markets and NFT marketplaces face as new entrants like the NYSE and GameStop prepare to enter the fight. As noted by The Verge, the attack likely took advantage of an aspect of the Wyvern Protocol. Many Web3 platforms, including OpenSea, use the open-source standard to underpin their contracts.