Popular NFT marketplace OpenSea fell victim to a phishing attack that stripped users of hundreds of highly valuable NFTs.
OpenSea users fall victim to attack
OpenSea has not had the start to 2022 it had hoped for. After the leading NFT marketplace reimbursed users for a bug that cost them over $2 million AUD, LooksRare emerged as the first serious competitor to its centralised platform. The latest piece of bad news, however, likely outdoes both.
A hacker stole hundreds of sought-after NFTs from collections such as Bored Ape Yacht Club, Azuki, and NFT Worlds, worth millions of dollars in total. 32 collectors were targeted and their Ethereum wallets drained, with over 250 pieces stolen. An estimate based on the collections' floor prices puts the loot at over 1,000 Ether. In addition to the stolen NFTs, the hacker's wallet holds 641 Ether of unknown provenance.
News of the hack surfaced on February 19, when users reported suspicious activity, prompting OpenSea to investigate. The platform quickly refuted claims that a smart contract migration was to blame and pointed instead to a phishing attack that had taken place outside its marketplace. CEO Devin Finzer said that OpenSea was cooperating with security analytics firm PeckShield, which eventually identified a phishing email as the origin of the attack.
Another indicator of web3 risks
The incident is yet another indicator of how far web3 still is from being suitable for all users. The method the attacker(s) employed was so convincing that even web3 veterans could have fallen for it. Two post-mortem investigations by Twitter users showed how the attack was carried out.
According to those analyses, the attacker deployed a smart contract in January that called an OpenSea contract. The aim was to make users believe they were signing a legitimate OpenSea transaction, which is why the initial confusion about an alleged contract migration arose. No such migration ever existed: the attacker used the information about the targeted wallets collected through the malicious contract to raid them for the valuable NFTs. Note that the signing prompt looking legitimate is the whole point of this kind of attack; the red flag was not the prompt itself but that it was reached through an unsolicited email.
Coming after the earlier bug that also saw users lose their BAYC pieces, this is the second security incident in the OpenSea ecosystem (although, arguably, the platform is not to blame for this one). It is also a reminder that signing a transaction, or any wallet signature request, reached through a link in an email is an almost certain way to hand your wallet over to an attacker, no matter how legitimate the referenced contract appears. Furthermore, the hack shows that instead of trying to break the protocols and platforms themselves, attackers can simply target the biggest and most obvious weak point: the user.
Clearly, blaming the victims is an easy way out and not a sustainable solution. Instead, the web3 world will have to work on better and more intuitive user interfaces that give users real control over their wallet security without forcing them to do all the heavy lifting themselves. The competition OpenSea now faces may be a good first step towards that.