OpenSea Hack: How a Major NFT Marketplace Fell Victim to Phishing

OpenSea Hack - How a Security Vulnerability Led to $1.7 Million in Stolen NFTs


OpenSea, a large NFT marketplace, made headlines due to a phishing attack. Learn what happened and what is being done to improve security.

Note: This story is still developing. We will provide additional updates as they are available.

What Is an NFT?

An NFT, or non-fungible token, is a unique, non-interchangeable record stored on a blockchain. NFTs can be bought, sold and traded, which has turned them into an unusual new class of online asset that many people treat as an investment.

The token itself is a small record of ownership that points to a digital item, most often an image or a video. Well-known examples include the (in)famous Bored Ape Yacht Club graphics and Grimes' video pieces set to music, which have sold for up to $390,000.

At a higher level, most NFTs live on the Ethereum blockchain. Ethereum has its own cryptocurrency, ether (ETH), just as bitcoin and dogecoin have theirs, but unlike those networks it also runs smart contracts, and it is those contracts (most NFTs follow the ERC-721 token standard) that define and track the unique tokens.

What Is OpenSea?

OpenSea is the largest NFT marketplace (it also bills itself as the first), with a valuation of over $13 billion. Its users (more than a million at this point) can create accounts on the site and buy, sell, or browse NFTs.

The OpenSea Hack

What Happened

On Saturday, Feb 19, 2022, 254 tokens were taken (stolen, or phished? more on that below) from the wallets of 32 users.

The combined value of the stolen NFTs is estimated at a whopping $1.7 million, though some estimates run to $2.9 million, on the theory that the attacker also profited by reselling the NFTs on the very site they were taken from: OpenSea.

Among these NFTs stolen were ones from the popular Bored Ape Yacht Club, Mutant Ape Yacht Club, and Decentraland.

Then, in a bizarre twist, the attacker appeared to return some of them. Several victims reported getting some or all of their NFTs back, and one user claimed that the attacker returned part of their collection along with 50 ETH (the Ethereum cryptocurrency mentioned earlier), about $130,000 in "real money" at the time.

How It Happened

The thief (the heist appears to have been carried out by one individual, or at least from one account) seems to have been something of an opportunist.

Listings on OpenSea are not the NFTs themselves but signed sell orders, settled by an exchange smart contract built on the Wyvern Protocol, which its website describes as a "decentralized digital asset exchange protocol running on Ethereum."

This order-signing flow is what the attacker abused. Nothing in the protocol had to be broken: a Wyvern order is a message that the seller signs off-chain, and whoever holds a valid signature can later submit it to the exchange contract together with a matching counter-order.

According to OpenSea co-founder and CEO Devin Finzer, the affected users received a "malicious payload from an attacker": a partial order that they were induced to sign. The attacker then completed the trade using that signature, supplying the missing counterparty side themselves, and the exchange contract transferred the NFTs to the attacker without payment.
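To make that mechanism concrete, here is a toy model of the flow, added for this article and not OpenSea's or Wyvern Protocol's code. It shows why a signature over a sell order with no price and no fixed counterparty is effectively a blank cheque, why a matching buy order from anyone completes it, and what a wallet-side check before signing could flag. Everything in it is constructed: the addresses, the per-wallet secrets, the `opensea-migration.example` look-alike origin, and the HMAC-plus-lookup-table scheme that stands in for the secp256k1 ECDSA signatures and signer recovery a real exchange contract uses. The real Wyvern order struct has many more fields (target, calldata, replacementPattern, ...) and the field names here are simplified.

```python
"""Toy model of an off-chain signed marketplace order.

Added example, not OpenSea's or Wyvern Protocol's code. HMAC-SHA256 keyed by a
constructed per-wallet secret stands in for an ECDSA signature, and the KEYS
table stands in for recovering the signer's address from that signature.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace

ZERO = "0x" + "00" * 20          # sentinel: no counterparty fixed / native ETH
VICTIM = "0xVictim"              # constructed addresses, not real accounts
ATTACKER = "0xAttacker"
BUYER = "0xBuyer"
APE = "0xApeCollection"          # constructed NFT contract address
KEYS = {VICTIM: b"victim-secret", ATTACKER: b"attacker-secret", BUYER: b"buyer-secret"}


@dataclass(frozen=True)
class Order:
    maker: str          # wallet whose signature authorises the order
    taker: str          # counterparty; ZERO means anyone may fill it
    side: str           # "sell" or "buy"
    token_contract: str
    token_id: int
    base_price: int     # in wei; 0 means the asset changes hands for nothing
    payment_token: str  # ZERO means native ETH


def order_hash(o: Order) -> bytes:
    # Every field is hashed, so a signed order cannot be edited afterwards;
    # "completing" it means submitting a counter-order that matches it.
    return hashlib.sha256(json.dumps(asdict(o), sort_keys=True).encode()).digest()


def sign(o: Order, secret: bytes) -> bytes:
    return hmac.new(secret, order_hash(o), hashlib.sha256).digest()


def verify(o: Order, sig: bytes) -> bool:
    return hmac.compare_digest(sign(o, KEYS.get(o.maker, b"")), sig)


def atomic_match(sell, sell_sig, buy, owners, balances) -> bool:
    """Simplified settlement: valid maker signature + matching buy order => transfer."""
    if sell.side != "sell" or buy.side != "buy" or not verify(sell, sell_sig):
        return False
    asset = (sell.token_contract, sell.token_id)
    if asset != (buy.token_contract, buy.token_id) or sell.payment_token != buy.payment_token:
        return False
    if sell.taker not in (ZERO, buy.maker) or buy.taker != sell.maker:
        return False
    if buy.base_price < sell.base_price or owners.get(asset) != sell.maker:
        return False
    if balances.get(buy.maker, 0) < buy.base_price:
        return False
    balances[buy.maker] -= buy.base_price
    balances[sell.maker] = balances.get(sell.maker, 0) + buy.base_price
    owners[asset] = buy.maker
    return True


def prescreen(o: Order, signing_origin: str, expected_origin: str) -> list:
    """Checks a wallet UI (or a careful user) should run before signing."""
    warnings = []
    if signing_origin != expected_origin:
        warnings.append(f"request came from {signing_origin}, not {expected_origin}")
    if o.side == "sell" and o.base_price == 0:
        warnings.append("sell order at zero price: asset would be given away")
    if o.side == "sell" and o.base_price == 0 and o.taker == ZERO:
        warnings.append("open taker + zero price: anyone can claim the asset")
    return warnings


def phishing_scenario():
    """Victim signs an open, zero-price sell order presented by a look-alike page;
    the attacker later supplies the matching buy order and pays nothing."""
    owners, balances = {(APE, 1234): VICTIM}, {ATTACKER: 0, VICTIM: 0}
    blank_cheque = Order(VICTIM, ZERO, "sell", APE, 1234, 0, ZERO)
    sig = sign(blank_cheque, KEYS[VICTIM])          # the fatal click
    buy = replace(blank_cheque, maker=ATTACKER, taker=VICTIM, side="buy")
    matched = atomic_match(blank_cheque, sig, buy, owners, balances)
    return matched, owners[(APE, 1234)], balances[VICTIM]


def honest_sale():
    """Same machinery with a real price (50 ETH): buyer pays, seller is credited."""
    owners, balances = {(APE, 1234): VICTIM}, {BUYER: 10**20, VICTIM: 0}
    listing = Order(VICTIM, ZERO, "sell", APE, 1234, 5 * 10**19, ZERO)
    sig = sign(listing, KEYS[VICTIM])
    buy = replace(listing, maker=BUYER, taker=VICTIM, side="buy")
    matched = atomic_match(listing, sig, buy, owners, balances)
    return matched, owners[(APE, 1234)], balances[VICTIM]


if __name__ == "__main__":
    print("phishing:", phishing_scenario())
    print("honest:", honest_sale())
    bad = Order(VICTIM, ZERO, "sell", APE, 1234, 0, ZERO)
    print(prescreen(bad, "opensea-migration.example", "opensea.io"))
```

The point of the two scenarios is that `atomic_match` runs identical code in both: the contract cannot tell a giveaway from a sale, because the victim's signature is valid either way. The only place the attack can be stopped is `prescreen`, before the signature exists.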

According to OpenSea, the thefts were the result of a phishing scam rather than an exploit of a weakness in OpenSea's own systems.

Conflicting Accounts

Some victims of the attack are skeptical of OpenSea’s explanation.

Many say they never signed anything that could have authorized such a transfer.

What the victims have in common is that the stolen NFTs were ones they had manually migrated to a new smart contract on OpenSea. OpenSea had rolled out the new contract because it "fixes an issue with inactive listings that was allowing scammers to swipe valuable NFTs from collectors on OpenSea," and asked users to move their listings to it.

The most plausible explanation, then, is that the victims were phished with a page or email designed to mimic OpenSea's migration prompt, so that what looked like a routine migration signature was in fact a signature on the attacker's sell order.

What We Know

One thing is certain: a number of users lost NFTs, and therefore a good deal of money; some got them back and others did not. Whether the cause was a flaw somewhere in the OpenSea platform or a phishing scam that tricked users into signing is, for now, the open question.

And that is essentially all we know at the moment.

What It All Means in the Big Picture

The reason this seemingly niche story is making headlines is that it is a reminder of how exposed our online assets are, even when the underlying technology is sound.

The appeal of NFTs is that the blockchain they live on is tamper-evident: every transfer leaves a permanent, unalterable record, and nobody can edit a token's history. That held true here. The attacker did not alter any data; the chain faithfully recorded transfers that the victims had themselves authorized with valid signatures.

That is the uncomfortable lesson. The ledger can be perfectly secure and the assets can still be lost, because the weak point is the moment a human is asked to sign something they do not fully understand.

And if a technology built around cryptographic guarantees can be defeated by a convincing web page, the rest of the internet, which offers far weaker guarantees, has every reason to worry.

What the OpenSea NFT Exploit Taught Us

NFTs may mean little to most people, but there is a lesson here for all of us.

In a world where everything from paying bills to working to dating happens online, it is worth remembering how exposed our online information and assets are, and that the attacks that succeed most often target the person, not the technology.

Now more than ever, the habit of checking what you are signing or approving, and where the request actually comes from, matters as much as the security of the systems themselves.