On 21 January we published a guide on how to keep your OpenSea assets safe from certain scams. Well, we hate to say we told you so, and hope you listened!
Less than a month later, a shocking OpenSea NFT phishing scam took place, stealing millions in crypto assets. It has once again underlined the importance of keeping your valuable digital assets as secure as possible, and that means only one thing: Using a hardware wallet like the CoolWallet.
Here’s what happened: Reports came in on 19 February that hackers made off with 254 non-fungible tokens (NFTs) from 17 unsuspecting OpenSea users over a three-hour period. The hackers managed to compromise 32 accounts but thankfully were only able to make off with assets from 17 user accounts.
Blockchain security service PeckShield’s records show the loot of the massive phishing scam included coveted digital collectibles from Decentraland and Bored Ape Yacht Club. It is estimated that the stolen NFTs are valued at over $1.7 million. False rumors initially claimed that $200 million worth of NFTs were stolen.
The attack has since been attributed to a phishing email scam that fooled OpenSea users into “blind signing” a transaction (signing a message whose contents the user cannot see or verify before signing), which gave the hackers, via a Wyvern smart contract exploit, the approval needed to transfer the NFTs for 0 ETH.
OpenSea users are advised to revoke token approvals and to use a hardware wallet to store their NFTs. In a CoinTelegraph interview, Neeraj Murarka, chief technical officer and co-founder of Bluezelle, a GameFi platform, advised NFT holders to use cold storage and said the following:
“Much like Bitcoin, Ethereum, etc., NFTs themselves should be moved to hardware wallet accounts instead of leaving them on a centralized platform, because most software wallets as well as other custodial storage solutions are too vulnerable in their general design and operational outlook.”
If you’re an OpenSea user, we advise you to immediately follow this OpenSea guide and revoke any unnecessary token approvals. There’s also never been a better time to get your hands on a premium hardware wallet like the CoolWallet Pro, which offers integrated in-app support for leading NFT marketplaces like OpenSea and Rarible.
NFT owners can enjoy multiple security measures, such as a CC EAL6+ secure element (SE) and various biometric checks, to better protect and control their assets, as all transfers must be approved via a physical button press on the CoolWallet. The in-app marketplace support also ensures that users won’t visit a fraudulent site by mistake, which is how a large percentage of phishing scams start.
How did the OpenSea attack happen and who’s to blame?
According to The Verge, the hackers appeared to have exploited a vulnerability in the Wyvern Protocol, which is the protocol that underlies most NFT smart contracts, to carry out the attack. One explanation of how it was carried out was offered by OpenSea CEO Devin Finzer on Twitter. Finzer stated that the group had users blind sign a partial contract where the contract was empty except for a call to the attacker’s contract, which resulted in the ownership of the NFTs being transferred without payment.
However, many details of the attack are still unclear, such as how the group was able to add the victims’ signatures to the half-empty smart contracts. Finzer stated that the vulnerability did not originate from the platform’s website, its various listing mechanisms, or any emails from the company. Due to the sheer speed of the attack, it seems like a common source is the most likely scenario.
In a series of Tweets, blockchain security company PeckShield revealed that they suspect the phishing attack was made possible due to a user information leak that included user email IDs.
This is not the first time the NFT platform has clashed with its users over security issues. Other attacks on OpenSea have leveraged old-listing bugs or poisoned gifted NFTs.
At the time of the attack, the NFT platform was in the process of upgrading its contract system. The upgrade, which had a one-week deadline, required users to migrate the NFTs from the Ethereum blockchain to a new smart contract, in order to weed out inactive listings from the platform and offer users new safety features. If not migrated, the old listings were due to expire within a week of the upgrade’s commencement on February 25th at 7 pm UTC. Within hours of the upgrade announcement, there were reports of an attack that targeted soon-to-be delisted NFTs.
However, it is unlikely that the attack was a network fault, despite rumors to the contrary, due to the relatively small number of victims. If the theft was due to an internal fault, it’s likely that a far greater number of accounts would have been compromised.
Will the OpenSea hacker get away with it?
The hacker or group behind the attack has not been identified yet. However, the OpenSea team has been working with the affected users to narrow down a list of websites they may have interacted with, to find out whether a common denominator is responsible for the false signatures.
After managing to sell a portion of the NFTs, the attacker’s wallet held more than 600 ETH, or $1.7 million. However, according to Finzer, the hacker has returned the remainder of the NFTs. This is likely because they realized that they would eventually be found out, and the remaining NFTs would be very hard to offload.
Finzer advised OpenSea users that if they wanted to protect themselves from further attacks, they could unapprove access to their NFT collections. He also warned users to always double-check that they are interacting with the official OpenSea website before signing messages.
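To make the mechanism described above concrete, here is an added, deliberately simplified model (not OpenSea’s or Wyvern’s code, and with constructed names such as “victim”, “exchange” and “attacker”): a marketplace contract that a user has approved as an ERC-721 operator can settle a signed 0 ETH order and move the NFT, and revoking that operator approval, as Finzer advised, is what makes the signed order useless.

```python
# Added illustration, not code from the original post or from OpenSea/Wyvern.
# It models ERC-721 operator approvals (setApprovalForAll / transferFrom) to show
# why a blind-signed 0 ETH order can move an NFT, and why revoking the approval
# stops it. All addresses are constructed placeholders.
from dataclasses import dataclass, field


@dataclass
class Nft721:
    """Toy ERC-721 state: token ownership plus per-owner operator approvals."""
    owner_of: dict = field(default_factory=dict)    # token_id -> owner
    operators: dict = field(default_factory=dict)   # (owner, operator) -> bool

    def set_approval_for_all(self, owner, operator, approved):
        self.operators[(owner, operator)] = approved

    def is_approved_for_all(self, owner, operator):
        return self.operators.get((owner, operator), False)

    def transfer_from(self, caller, src, dst, token_id):
        # Same rule as the standard: only the owner or an approved operator may move it.
        if self.owner_of.get(token_id) != src:
            raise PermissionError("src does not own token")
        if caller != src and not self.is_approved_for_all(src, caller):
            raise PermissionError("caller is neither owner nor approved operator")
        self.owner_of[token_id] = dst


@dataclass
class Order:
    """Constructed stand-in for the sell order a victim signed without seeing it."""
    maker: str
    token_id: int
    price_eth: int


def atomic_match(nft, exchange, order, taker):
    """Exchange settles the order: the price (0 here) changes hands and the NFT is
    moved using the operator approval the maker granted to the exchange earlier."""
    nft.transfer_from(exchange, order.maker, taker, order.token_id)
    return nft.owner_of[order.token_id]


def scenario(revoke_before_match):
    """Returns who owns token 1 after the attacker tries to settle the 0 ETH order."""
    nft = Nft721(owner_of={1: "victim"})
    nft.set_approval_for_all("victim", "exchange", True)    # granted once when listing
    signed = Order(maker="victim", token_id=1, price_eth=0)  # blind-signed order
    if revoke_before_match:
        nft.set_approval_for_all("victim", "exchange", False)  # the advised mitigation
    try:
        return atomic_match(nft, "exchange", signed, "attacker")
    except PermissionError:
        return nft.owner_of[1]
```

Note that revoking the approval does not invalidate the signature itself; it removes the exchange’s ability to act on it.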
Phishing attacks: What you need to know
Phishing scams occur when a malicious actor poses as a legitimate and trustworthy entity such as a bank or other financial authority in order to steal a user’s personal details and gain access to their account.
This is usually done by sending links that lead to a fake website that is designed to look identical to its genuine counterpart. Once directed, the unsuspecting victim is encouraged to enter their personal details, such as their account number, password, or in the case of cryptocurrency wallets, signatures, private keys, and seed phrases. Once they have access to these details, they have access to your account and your assets.
Another way that phishing scams can occur is through social engineering. In this instance, scammers target victims in person or over the phone by posing as representatives from legitimate companies to gain their trust. They then use various social engineering tricks such as asking the right questions to try and decipher secret information.
Quick Tips to Stay Safe on OpenSea
Follow these safety tips to stay safe and avoid this happening to you:
- Never disclose your private information to anyone under any circumstances, even if you think the person may be a representative from a bank or cryptocurrency firm. A genuine financial institution representative would never request that a customer give them this information.
- Always check the URL of the website you are on; if it appears strange at all, exit the site immediately. Ensure that it contains “https”, which means that it’s a secure website.
- Look at the content of the website; if it contains any typos or weird grammar, chances are it’s a pseudo-site. It may seem obvious to you, but to the scam artists it’s a numbers game – they only need to fool a small number of people through the mass emails they send out for it to be worth their while.
- Never open any suspicious links in text messages or emails. This is the most common form of phishing and even if you don’t enter any sensitive information, once clicked, the link could download malware that could infect your device.
- Remember that these scams often create a sense of urgency so that you will click on the link or give up your information. It’s important to remain calm and not panic, because that is exactly what the scammers are relying on.
- Use a unique and dedicated email account for each exchange or marketplace where you own or trade crypto.
Get CoolWallet’s Integrated Cold Storage Support for OpenSea and Other NFT Marketplaces!
If you own cryptocurrencies or NFTs, know that hackers and scammers will do everything to get their hands on them. Stay on top of the best security measures, like our MetaMask security guide, and consider even getting a second cold wallet to diversify any risk. And of course, use a hardware wallet like the CoolWallet Pro!
CoolWallet now offers integrated support for NFT marketplaces like OpenSea and Rarible, and might just be the last line of crypto defense that your NFTs may one day need.
Don’t delay any longer, because the bad guys aren’t. In fact, they’re very likely figuring out their next attack and vulnerability to exploit as we speak.