Over the weekend, hackers stole millions of dollars worth of non-fungible tokens (NFTs) belonging to 17 members of the OpenSea NFT marketplace.
On Saturday, a small number of OpenSea users noticed their NFTs were missing. (NFTs are digital tokens on the blockchain that represent ownership over virtual assets, such as digital drawings or music.)
“Panic erupted” wrote Molly White, who runs the blog Web3 is Going Great, because “many others feared the same could happen to them.”
Speculation abounded that a glitch might have arisen from OpenSea’s smart contract – i.e., the software that the platform runs on – or perhaps from a widely disseminated token airdrop carried out by a knockoff NFT marketplace called X2Y2.
The real cause was much more interesting.
About an hour and a half after the NFTs went missing, OpenSea tweeted that, in fact, the phenomenon appeared “to be a phishing attack originating outside of OpenSea’s website.”
We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of https://t.co/3qvMZjxmDB.
— OpenSea (@opensea) February 20, 2022
Hackers, it turned out, had used some clever social engineering to phish unwitting investors.
Bait-and-Switch Contract
On Friday, OpenSea had launched a new smart contract. Shortly afterwards, a malicious actor copied OpenSea’s email blast announcing the change and re-sent it to users.
Those who opened the copycat email were directed to a copycat webpage. There, they were prompted to sign a seemingly legitimate transaction that, purportedly, would migrate their NFTs from the old to the new contract.
Instead, clicking “Sign” triggered a function called “atomicMatch_.” As Check Point Software described on Sunday, “this kind of request is capable of stealing all victim NFTs in one transaction.”
Engineer Head-Bangers
Unfortunately, phishing attacks and social engineering remain some of the hardest security issues to solve as an engineer, noted Matt Bailey, VP of Engineering at Club NFT, via email. That isn’t new to Web3 – a hazy term for blockchain-based, decentralized systems and technology meant to replace our current internet – but “it does come with some new wrinkles,” Bailey said.
“General usability continues to be a challenge and can contribute to confusion. Understanding what it is you are signing digitally as a user is not always obvious,” he explained.
Because blockchain transactions are irreversible, the threat of one wrong click is arguably even greater than in traditional IT attacks.
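The bait-and-switch above worked because the signature prompt looked routine while the signed data authorised something else entirely. As an added example (not code from the article, OpenSea or Check Point), here is a wallet-side pre-signing review that flags the two warning signs a user in that position would want surfaced: an opaque eth_sign digest, or a typed-data marketplace order with terms no seller would choose. The order field names follow the public Wyvern v2 Order struct (side 1 = Sell), which is an assumption, and the trusted-contract list holds a constructed placeholder rather than a real address.

```javascript
// Added example, not from the article or OpenSea. Wallet-side review of a
// JSON-RPC signing request before the user is shown the "Sign" button.
// Assumptions: Wyvern v2 Order field names (side 1 = Sell); the trusted
// exchange address below is a constructed placeholder.
const TRUSTED_EXCHANGES = new Set(["0x000000000000000000000000000000000000dead"]);
const ZERO_ADDR = "0x0000000000000000000000000000000000000000";

function reviewSignRequest(req) {
  const findings = [];
  if (req.method === "eth_sign") {
    // Raw 32-byte digest: the signer cannot tell what it authorises.
    findings.push("blind signature: eth_sign over an opaque hash");
    return { risk: "high", findings };
  }
  if (req.method !== "eth_signTypedData_v4") return { risk: "low", findings };
  const td = typeof req.params[1] === "string" ? JSON.parse(req.params[1]) : req.params[1];
  const verifier = String(td.domain?.verifyingContract || "").toLowerCase();
  if (!TRUSTED_EXCHANGES.has(verifier)) findings.push(`unknown verifying contract ${verifier}`);
  if (td.primaryType === "Order") {
    const m = td.message;
    // A sell order priced at zero hands the asset over for nothing.
    if (String(m.side) === "1" && BigInt(m.basePrice ?? 0) === 0n) findings.push("sell order priced at zero");
    // A fixed taker means only that address (the attacker) can fill it.
    if (m.taker && m.taker.toLowerCase() !== ZERO_ADDR) findings.push(`fillable only by ${m.taker}`);
    if (BigInt(m.expirationTime ?? 0) === 0n) findings.push("order never expires");
  }
  const risk = findings.length >= 2 ? "high" : findings.length === 1 ? "medium" : "low";
  return { risk, findings };
}

// Constructed sample: the kind of request a copycat "migration" page could send.
function phishingOrderRequest(exchangeAddr) {
  return { method: "eth_signTypedData_v4", params: ["0xVictim", JSON.stringify({
    primaryType: "Order",
    domain: { chainId: 1, verifyingContract: exchangeAddr },
    message: { side: 1, basePrice: "0", taker: "0x000000000000000000000000000000000000beef",
               expirationTime: "0", paymentToken: ZERO_ADDR },
  })] };
}
```

A request that trips two or more findings is rated high, which is the point at which a wallet should refuse the one-click path and show the decoded terms instead.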
At first, CEO Devin Finzer reported that 32 OpenSea users had fallen victim to the ruse. That figure turned out to be an overcount. New findings on Monday clarified that the “original count included anyone who had *interacted* with the attacker, rather than those who were victims of the phishing attack.”
1) We’ve narrowed down the list of impacted individuals to 17, rather than the previously mentioned 32. Our original count included anyone who had *interacted* with the attacker, rather than those who were victims of the phishing attack.
— OpenSea (@opensea) February 21, 2022
In the end, 250 NFTs were stolen from just 17 users.
Even with so few victims, however, the monetary impact of this campaign was extraordinary.
OpenSea is one of the most recognizable names in the NFT – as in, the cryptocurrency/blockchain/metaverse – space. As of January 2022, the company was valued at $13.3 billion. Daily trading activity on OpenSea has tended to fluctuate between $100M and $200M, with $3.68 billion worth of NFT transactions occurring in only the past 30 days, according to DappRadar. According to blockchain research firm Chainalysis, the total market for NFTs reached $41 billion in 2021.
The growing value of NFTs helps explain why this particular attacker was able to flip just 17 victims’ assets for around $1.7 million worth of Ethereum (ETH).
Such a high-profile incident “presents the opportunity to improve both personal and marketplace security,” observed Jake Fraser, Head of Business Development for the NFT marketplace Mogul Productions.
Blockchain companies will be encouraged to invest in third-party smart contract auditing and bug bounty programs and will place a greater emphasis on educating investors about risks, he told Threatpost on Monday via Telegram. “When individuals get more educated, it prevents the likelihood of phishing attacks taking place. Most people in the space are still using hot [online] wallets to store their NFTs, so this is why it is crucial that they know how to identify the red flags when a phishing attack is taking place.”
Data from Etherscan indicates that this particular campaign may be over, given that the account trafficking the stolen NFTs had initiated only one transaction in the 30 hours preceding the time this article was written on Monday afternoon ET.