A smart-contract migration email enabled an attacker to obtain 250 high-value NFTs from a mere 17 individuals.
Last weekend, hackers extracted millions of dollars’ worth of non-fungible tokens (NFTs) from 17 participants in the OpenSea NFT marketplace.
On Saturday, a handful of OpenSea users reported their NFTs as missing. Shortly thereafter, panic erupted, as many NFT owners feared that their NFTs could be next to disappear.
Why it happened
Speculators suggested that a glitch might have occurred within OpenSea’s smart contract (i.e., the software operating the platform), or perhaps that the cause was an extensively disseminated token airdrop executed by a knockoff NFT marketplace known as X2Y2. But that’s not what happened.
The actual reason for the attack is far more interesting.
Roughly 90 minutes after the NFTs disappeared, OpenSea tweeted that ‘a phishing attack originating outside of OpenSea’s website’ constituted the source of the issue.
In order to successfully phish NFT investors, an attacker designed and deployed sophisticated social engineering techniques.
On Friday, OpenSea had launched a new smart contract. Malicious actors quickly copied the smart contract and re-sent OpenSea’s email blast notifying users.
Persons who opened the lookalike email were sent to a fraudulent domain. The domain prompted users to sign a seemingly legitimate transaction, which would ostensibly migrate their NFTs from the old contract to the new contract.
Check Point researchers state that the “sign” button (as in ‘sign contract’) triggered a function called “atomicMatch_.” This function can be used to steal all of a victim’s NFTs in a single transaction.
For software engineers, phishing attacks and social engineering represent some of the most challenging security issues to solve. On Web3, controlling phishing and social engineering may become particularly difficult.
“General usability continues to be a challenge and can contribute to confusion. Understanding what it is you are signing digitally as a user is not always obvious,” says Matt Bailey, VP of Engineering at Club NFT.
Because blockchain transactions are irreversible, the downstream effects of a single accidental click can be considerable. Consequences may be even greater than for mistakes made within traditional IT environments.
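The flow described above (lookalike domain, a “migration” prompt that actually calls atomicMatch_) and the usability problem Bailey raises both come down to a wallet showing the user what a signing request really does before it is signed. The following pre-signing review is an added illustration, not code from the article, OpenSea or Check Point; the trusted-host list, the migration target address and both signing requests are constructed, and the atomicMatch_ selector is taken from the Wyvern Exchange ABI rather than from the article.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Selectors treated as "can move many assets in one call". The atomicMatch_
# value is taken from the Wyvern Exchange ABI OpenSea used at the time, not
# from the article; verify it against the contract ABI before relying on it.
BULK_TRANSFER_SELECTORS = {"0xab834bab": "atomicMatch_"}

# Constructed policy: hosts the user expects signing prompts from, and the
# contract an announced migration should target (placeholder, not the real one).
TRUSTED_HOSTS = {"opensea.io"}
EXPECTED_MIGRATION_TARGET = "0x000000000000000000000000000000000000dead"

@dataclass
class SigningRequest:
    origin: str           # page URL that asked the wallet to sign
    to: str               # contract the transaction would call
    data: str             # hex calldata; first 4 bytes select the function
    claimed_purpose: str  # what the page told the user it is signing

def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def is_trusted_host(host: str) -> bool:
    # Exact match or a subdomain; "opensea-migration.example" does not qualify.
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def review(req: SigningRequest) -> list[str]:
    """Return human-readable red flags; an empty list means none were found."""
    flags = []
    host = host_of(req.origin)
    if not is_trusted_host(host):
        flags.append(f"prompt comes from untrusted host {host!r}")
    func = BULK_TRANSFER_SELECTORS.get(req.data[:10].lower())
    if func:
        flags.append(f"calldata calls {func}, which can move every approved NFT at once")
    if "migrat" in req.claimed_purpose.lower() and req.to.lower() != EXPECTED_MIGRATION_TARGET:
        flags.append(f"page claims a migration but targets {req.to}, not the announced contract")
    return flags

# Constructed requests: a lookalike-domain lure and a genuine migration prompt.
LURE = SigningRequest("https://opensea-migration.example/migrate",
                      "0x1111111111111111111111111111111111111111",  # placeholder address
                      "0xab834bab" + "00" * 32, "Migrate your NFTs to the new contract")
GENUINE = SigningRequest("https://opensea.io/migrate", EXPECTED_MIGRATION_TARGET,
                         "0x12345678" + "00" * 32, "Migrate your NFTs to the new contract")

if __name__ == "__main__":
    for name, req in (("lure", LURE), ("genuine", GENUINE)):
        print(name, review(req) or ["no red flags"])
```

The lure trips all three checks (untrusted host, bulk-transfer selector, wrong migration target) while the genuine prompt passes, which is the kind of plain-language warning a user needs before clicking “sign”.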
OpenSea’s damage control
Initially, OpenSea’s CEO, Devin Finzer, reported that 32 OpenSea members had fallen victim to the phishers. But as the hours wore on, research indicated that the number of victims was actually a bit smaller – just 17. However, from these 17 individuals, 250 NFTs disappeared.
In 2021, the total market for NFTs reached $41 billion. Within the NFT space, OpenSea is one of the most recognizable names. As of January 2022, the company received a valuation of $13.3 billion.
Transactions on OpenSea tend to fluctuate between $100M-$200M per day, with $3.68 billion worth of NFT transactions taking place across the past 30 days. The monetary impact of this phishing campaign is significant.
How the attacker made $1.7M
The increasing value of NFTs provides insight into why this phisher managed to bring in $1.7 million in Ethereum (ETH) from just 17 victims’ assets. The attacker simply sold the assets to willing buyers.
The high-profile nature of this incident means that NFT marketplace platforms are now focused on ramping up security and on increasing user education around phishing.
Most people in the NFT space are only using hot wallets (online wallets) for NFT storage, making it an absolute necessity for individuals to recognize phishing red flags.