A phishing attempt on 32 OpenSea users led to the theft of 254 NFTs worth $1.7 million in Ethereum coins. NFTs (Non-Fungible Tokens) are all the rage these days. Recorded on the blockchain, a digital ledger, they represent a certificate of ownership of a piece of digital media. The blockchain, however, does not rule out the possibility of people being duped out of their NFTs.
Phishing is when an attacker sends out a fake message in the hope of tricking a human victim into divulging important information such as login credentials, passwords, or credit card numbers. In this case, the attacker exploited the flexibility of the Wyvern Protocol, which powers multiple crypto commerce platforms, including OpenSea, which is said to be the world’s largest NFT marketplace.
The strategy appears to have worked by getting users to sign a partial contract on February 19. The attacker then completed the malicious contract, giving them ownership of the NFTs, which included those from Decentraland and Bored Ape Yacht Club. After that, the attacker could resell them. The attacker returned some NFTs to their original owners and even gave one victim 50 Ethereum ($130,000), according to Molly White of the “Web3 is going fantastic” blog. The attacker moved 1,115 ETH ($2.9 million) obtained from the attack, according to White.
On February 19, panic erupted after a few users’ wallets were mysteriously emptied of valuable NFTs, and many others feared the same thing might happen to them. Early explanations blamed an airdrop from a new NFT marketplace named X2Y2 or a new contract that OpenSea had rolled out. People urged NFT owners to revoke permissions for both the OpenSea contract and X2Y2 until additional information became available, but one of the most prominent websites for doing so went down shortly afterwards due to the enormous volume of traffic. OpenSea eventually acknowledged the problem an hour and a half after users began reporting missing NFTs.
They said on Twitter that they were “currently researching rumors of an exploit associated with OpenSea related smart contracts,” and that they suspected it was a phishing attempt from outside of OpenSea, not a problem with their contract. It was later discovered that an attacker had successfully phished 32 OpenSea users into signing a fraudulent contract, allowing the attacker to take the NFTs and subsequently flip them. Surprisingly, the attacker returned some of the NFTs to their rightful owners, and one victim received 50 ETH ($130,000) from the attacker in addition to some of his stolen NFTs. The attacker then moved 1,115 ETH, worth $2.9 million, from the attack to a cryptocurrency tumbler.