OpenSea Hack: Dozens of NFTs Were Stolen via a Phishing Attack

Hackers stole highly valued Non-Fungible Tokens (NFTs) from OpenSea. It appears the hackers exploited an upgrade from OpenSea to a new smart contract by commencing a phishing attack.

OpenSea issued an upgrade a couple of days ago, requesting users to migrate their listings. "In 1 week, at 2pm ET on Friday, February 25, any listings you haven’t migrated will expire. If you miss the migration window, you’ll be able to re-list any expired listings without incurring additional fees (including gas fees)."

Due to the short notice, it allowed hackers to exploit the upgrade notification that was sent via email to all users in the NFT marketplace.

source: twitter

OpenSea Old Listings Fix

The upgrade is meant to solve old issues that are caused by old listings. If a trader lists an NFT for sale in OpenSea, gas fees are required for the listing.

Let's take a scenario where the trader lists an NFT for 1 ETH where gas fees were paid. When the trader wishes to relist the NFT for 2 ETH, OpenSea allows it to be relisted without an additional charge of gas fees.

However, the old listing (1 ETH) is never really cancelled. In order to cancel the old listing gas fees are required per listing. As OpenSea is allowing relisting without paying gas fees, if NFTs that are currently worth over $50,000 were ever listed for sale at $20 a year ago, the $20 listing is still present.

Another concern is when the listing is cancelled it can be exploited in the blockchain Blockchain Blockchain comprises a digital network of blocks with a comprehensive ledger of transactions made in a cryptocurrency such as Bitcoin or other altcoins.One of the signature features of blockchain is that it is maintained across more than one computer. The ledger can be public or private (permissioned). In this sense, blockchain is immune to the manipulation of data, making it not only open but verifiable. Because a blockchain is stored across a network of computers, it is very difficult to tamp Blockchain comprises a digital network of blocks with a comprehensive ledger of transactions made in a cryptocurrency such as Bitcoin or other altcoins.One of the signature features of blockchain is that it is maintained across more than one computer. The ledger can be public or private (permissioned). In this sense, blockchain is immune to the manipulation of data, making it not only open but verifiable. Because a blockchain is stored across a network of computers, it is very difficult to tamp Read this Term by frontrunning. When an old listing is manually cancelled by the NFT owner, it can be exploited in the block via bots.

When the cancellation is in the block and yet to be confirmed, it can be exploited by executing the sale in the same block. For example, if an NFT that is currently worth $50,000 was ever listed for $10 and the owner cancels the listing, before it is confirmed in the block hackers may execute the sale of $10 in the same block before it is confirmed ('frontrunning').

OpenSea's upgrade is meant to tackle these issues by ensuring old listings will expire. However, due to the short notice hackers used a phishing Phishing Phishing is a form of cyber-attack in which fake websites, emails, and text messages are used to elicit personal data. The most common targets in this assault are passwords, private cryptocurrency keys, and credit card details.Phishers disguise themselves as reputable businesses and other types of entities. In certain instances, reputable government organizations or authorities are impersonated in order to collect this data.Because phishing relies on psychological manipulation rather than techno Phishing is a form of cyber-attack in which fake websites, emails, and text messages are used to elicit personal data. The most common targets in this assault are passwords, private cryptocurrency keys, and credit card details.Phishers disguise themselves as reputable businesses and other types of entities. In certain instances, reputable government organizations or authorities are impersonated in order to collect this data.Because phishing relies on psychological manipulation rather than techno Read this Term attack to maliciously obtain the NFTs.

The OpenSea Hack

The email announced the migration to the new smart contract. By clicking on 'Get Started' the user granted authorization to the hackers that drained the account of the NFTs.

source: etherscan

Dozens of NFT holders were victimized by the phishing attack. The mutant ape yacht club NFTs, bored apes (BAYC) and Azuki are just some of the NFTs that are now owned by the hackers.

BoredApeYachClub #1277, which was last sold for 100 ETH (approximately $290,000), is among the NFTs that were stolen in the phishing attack.

OpenSea issued the following statement, "We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website."

Despite the statement and the circulation of the news, NFTs are still being transferred to the malicious address at the time of this writing. The value of the stolen NFTs is estimated to be over $1.6 million.

OpenSea $1 Million Lawsuit

One of the phishing attack victims, Timothy McKimmy filed a lawsuit in Texas against OpenSea for losing his bored ape NFT. It has been reported that the BAYC NFT is Bored Ape #3475, which was among the rare NFTs of the series.

Following the phishing attack the hacker resold McKimmy's NFT for 99 ETH. McKimmy claims that OpenSea were aware of the bug but left it unaddressed, refusing to take down the platform to resolve the security issues.