Saturday, December 2, 2023


OpenSea Phishing Attack

tl;dr Summary: OpenSea was recently the victim of a phishing attack which compromised $1.7 million of NFT assets. How did this happen?

At the core of all blockchain technology is the promise of transparent, immutable, and unhackable data storage. This promise has attracted millions of web developers, computer programmers and creators alike to explore the capabilities of the blockchain. However, the concentration of users actively participating on Web3 platforms, where billions of dollars in value are exchanged daily in the form of cryptocurrency and NFT assets, has also attracted many bad actors. In 2021, there were over 20 incidents in which a hacker stole more than $10 million in value from a cryptocurrency exchange or project. While these attacks are rare compared to the 1.25 million transactions occurring daily on Ethereum, they inflict financial distress and mental anguish on those affected and leave the crypto community at large feeling demoralized.

The latest of these attacks occurred on February 19, 2022, when prominent NFT marketplace OpenSea reported on Twitter that there were rumors of an exploit on their platform. Initial indications suggested that the exploit was a phishing attack, which is the practice of sending fraudulent communications that appear to come from a reputable source with the goal of acquiring a user’s sensitive information. The attack ultimately drained 16 wallets of all the NFTs and cryptocurrency they held, amounting to over $1.7 million in value.

How did this happen?

Several weeks before the phishing attack, a bug (or error in the source code) was detected on the OpenSea smart contract which allowed a hacker to purchase popular NFTs at previously listed prices. Because of this exploit, one user accidentally sold a Bored Ape Yacht Club NFT for 4.7 ETH (~$12k). The lowest price, or floor price, for the same NFT collection is currently at 88.8 ETH (~$250k). The hacker was able to sell a total of 332 ETH worth of NFTs (~$875k).

In order to resolve this exploit, OpenSea reimbursed the affected users and immediately started working on changes to their smart contract (the source code which runs the platform) to resolve the bug. The new OpenSea smart contract would cause all old and inactive listings to eventually expire. It was set to take effect on Friday, February 25th. OpenSea had sent users an email informing them that this smart contract migration was occurring and offered instructions on how to migrate their NFT listings to the new smart contract. The hacker responsible for the phishing attack sent users an email that appeared identical to OpenSea’s initial email. However, the hacker’s email contained a link which caused users to inadvertently authorize the sale of the NFTs in their wallet for 0 ETH. The attacker achieved this by prompting users to sign half of an empty order from Wyvern Exchange, a digital asset exchange protocol running on Ethereum. The order contained little beyond the hacker’s address and call data that is unintelligible to the average user. The attacker then signed the other half of the order, in essence writing a blank check to themselves and giving them full control of the victim’s wallet.
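Since the attack hinged on victims signing an order they could not read, a wallet or marketplace front end can at least flag the dangerous field values before the signing prompt appears. The following is an added example, not OpenSea’s or the Wyvern protocol’s own code; it assumes a plain JavaScript object using the public Wyvern v2 Order field names (maker, taker, side, basePrice, replacementPattern, expirationTime) and uses constructed sample addresses.

```javascript
// Added example (not OpenSea's or Wyvern's code): a pre-signing review of a
// Wyvern-style sell order, using the public Wyvern v2 Order field names.
// Prices are wei strings; a taker of ZERO_ADDRESS means anyone may fill the order.
const ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";
const SIDE_SELL = 1; // Wyvern SaleKindInterface.Side: 0 = Buy, 1 = Sell

// Returns human-readable warnings; an empty array means nothing looked unusual.
function reviewSellOrder(order, myAddress, nowSeconds) {
  const warnings = [];
  if (order.maker.toLowerCase() !== myAddress.toLowerCase()) {
    warnings.push("maker is not your address");
  }
  if (order.side !== SIDE_SELL) {
    warnings.push("not a sell order (expected side = 1)");
  }
  if (BigInt(order.basePrice) === 0n) {
    warnings.push("basePrice is 0: the asset would be sold for nothing");
  }
  if (order.taker.toLowerCase() !== ZERO_ADDRESS) {
    warnings.push("taker is fixed to " + order.taker + ": only that address can fill it");
  }
  if (order.replacementPattern && order.replacementPattern !== "0x") {
    warnings.push("replacementPattern is set: the counterparty may rewrite parts of calldata");
  }
  if (order.expirationTime === 0) {
    warnings.push("expirationTime is 0: the listing never expires");
  } else if (order.expirationTime - nowSeconds > 30 * 24 * 3600) {
    warnings.push("listing expires more than 30 days from now");
  }
  return warnings;
}

// Constructed sample data (hypothetical addresses, not real accounts).
const MY_ADDRESS = "0x1111111111111111111111111111111111111111";
const NOW = 1645286400; // 2022-02-19T16:00:00Z, the day of the attack
const normalListing = {
  maker: MY_ADDRESS, taker: ZERO_ADDRESS, side: SIDE_SELL,
  basePrice: "1500000000000000000", // 1.5 ETH in wei
  calldata: "0x", replacementPattern: "0x",
  expirationTime: NOW + 7 * 24 * 3600,
};
const zeroPriceOrder = {
  maker: MY_ADDRESS, taker: "0x2222222222222222222222222222222222222222",
  side: SIDE_SELL, basePrice: "0", calldata: "0x",
  replacementPattern: "0x" + "ff".repeat(4), expirationTime: 0,
};

console.log(reviewSellOrder(normalListing, MY_ADDRESS, NOW));  // []
console.log(reviewSellOrder(zeroPriceOrder, MY_ADDRESS, NOW)); // four warnings
```

A wallet that surfaces these warnings in the signing dialog turns an opaque hex blob into a readable reason to refuse; the same checks apply to a buy order with the roles reversed.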

Although a devastating blow to OpenSea’s reputation and to overall trust in the blockchain, this incident does have some redeeming aspects. Due to the transparency of the blockchain, investigators were able to quickly discover the wallet address of the hacker to which the stolen assets were sent, as well as all subsequent transactions made by that wallet. Even though the owner of the wallet address is anonymous, OpenSea was able to blacklist the wallet and block the attack from spreading further. The victims also have direct evidence on the blockchain of which assets were stolen, making the process for reimbursement far easier for all parties involved. Traditional scams such as phone scams are far more common than Web3 scams and much more difficult to trace. Americans reported losses of nearly $30 billion to telephone scams in 2021. In the majority of cases, the victims and authorities are unable to locate the stolen funds or the perpetrators.

Could this happen again?

Illegal activity online has become an inevitability in our lives. As long as there is monetary value to be stolen and people to be exploited, hackers and scammers will continue to find new ways to do so. Web3 projects like OpenSea are no different, as they still depend on Web2 applications and services such as email servers and web browsers.

It is still unknown how the hacker was able to obtain OpenSea users’ email addresses. The OpenSea smart contract stored on the Ethereum blockchain was not hacked, but it is possible that components of the OpenSea website, its email server or third parties handling various elements of its platform were compromised. At this time all potential causes are speculation; however, it has become evident that social engineering has been at the root of the majority of hacks and scams in the Web3 space.

A social engineering scam is one in which a scammer uses manipulative tactics and deceit to convince unsuspecting users to reveal their sensitive information. Some examples of social engineering scams are fake giveaways, romance scams and phishing attacks. Scammers use techniques such as impersonating reputable sources and creating a false sense of urgency or fear to fool people into giving up the vital information needed to access their crypto wallets or exchange accounts. To avoid falling victim to a hack like OpenSea’s phishing attack, it is important to stay informed, avoid clicking on email links from a person or company you do not recognize, and always carefully read wallet transactions before authorizing them.

Here are some WhiteboardCrypto videos about how to avoid scams:

Crypto Scams to Avoid – 10 Tricks Scammers Use

Avoid Crypto Scams – 7 Signs of a Rug Pull!

Author

  • Raul is an engineer, actor and freelance writer living in Houston, TX. He is a blockchain enthusiast and contributor on several NFT projects since September 2021 with particular interests in Web3 gaming and the metaverse.
