OpenSea Phishing “Hack”: What Really Happened and How To Protect Your NFTs

Posted on Mar 2, 2022 | Blog


Introduction
OpenSea users lose millions in valuable NFT theft
How were OpenSea’s NFTs stolen?
Was OpenSea hacked?
What Really Happened
How to protect yourself against NFT hacks
Final Thoughts

Introduction

With the tragic political events in Ukraine currently dominating the news, it’s already hard to recall the rude awakening that the surging non-fungible token (NFT) industry and its prolific community received on February 19th, a mere 2 weeks ago. However, the NFT space isn’t going anywhere, and therefore we will be doing a thorough review in this article.

OpenSea users lose millions in valuable NFT theft

In mid-February, media reports started to surface that a malicious actor had attacked leading NFT platform OpenSea and made off with a pirate’s bounty of valuable digital collectibles from the NFT darling’s deep-pocketed customers.

The haul was initially valued at $3 million, but OpenSea’s CEO David Finzer maintained that the heist was $1.7 million worth of the lucrative digital assets, as this was reflected in the hacker’s wallet in ETH. However, in the aftermath, other parties calculated that a stunning $200 million in assets were taken. Of the 254 stolen NFTs, some were from the world’s most valuable collections such as Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club, as well as metaverse assets from the likes of Decentraland.

Furious users have accused OpenSea of neglecting and downplaying the event, disputing the official narrative of what really took place. As more details come to light, broader questions have been raised about the security of OpenSea and other NFT platforms, with many wondering what they can do to better safeguard their digital assets.

The NFT hack also raised serious questions about which is wiser: keeping control over your digital assets in your own hands, given the incredible sophistication of hackers, or providing access to a third-party protocol that can be targeted and exploited by said bad actors.

One thing that is certain is that NFT owners and traders need to take some responsibility in the matter as well. It’s clear that the halcyon early days of NFT Summer 2021 are in the past, and that while NFTs technically are not cryptocurrencies, thanks to their underlying smart contract reliance, owners should treat their security as such and apply lessons learned in other sectors like Decentralized Finance (DeFi).

How were OpenSea’s NFTs stolen?

The attack on OpenSea’s users took place over several hours and appeared to be the work of a single hacker, or at least a single account. OpenSea has said the hacker employed a phishing technique, insisting that users accidentally clicked bogus links. These then led them to sign a modified smart contract inadvertently, which granted the hacker permission to move the NFTs to their own wallet address. 

OpenSea at first said 32 people had been impacted but then changed the number to 17. The reason given for the revision was that 15 people’s interactions with the hacker had been harmless. While the hacker has already sold some of the NFTs on OpenSea itself, it’s likely they will struggle to make use of their stolen bounty, due to the transparent nature of the blockchain and the fact that both the stolen NFTs and their wallet address are known, making it easy to track and potentially block future attempts at selling the NFTs.

Was OpenSea hacked? 

OpenSea’s Finzer alleges that the website’s code itself had not been compromised in the phishing scam, which he said must have relied on users opening malicious emails or entering certain websites. His team had interviewed dozens of victims in order to find a common thread in their interactions on the web. Finzer strenuously denied the rumor that the ill-gotten haul had been as large as $200 million, emphasizing the $1.7 million figure instead, and also noted that the cybercriminal had returned some of the stolen NFTs and even donated a sum of ETH to one user.

This is behavior seen in the aftermath of other recent hacks in the space, such as 2021’s Poly Network breach that totalled a crushing $600 million in value at the time. The hacker soon returned all the funds though, most likely as they knew there would be no way to cash out or convert these assets without getting “doxxed” (unmasked in crypto parlance) in the process. Also, the hacker likely left clues behind that already revealed their identity to blockchain sleuths.

A number of victims refuted OpenSea’s findings, saying they had never opened any phishing emails. They zeroed in on one commonality in their actions – manually moving their NFTs to a new smart contract format on OpenSea after the platform requested they do so. 

The contract update had been for the purpose of fixing a problem with inactive listings that had created a vulnerability for hackers. This revelation raised further questions directed at the OpenSea team as well as legal ramifications. So what really happened?

What Really Happened

OpenSea uses off-chain signatures that can go into effect regardless of whether a person is online at the time. These trades are gasless and automatic, making the platform more efficient and convenient. 

At the time of the hack, OpenSea was in the midst of upgrading its smart contracts on the Wyvern Protocol from V1 to V2.3. The company’s CTO Nadav Hollander said that users must have signed an order at some point under Wyvern V1 that was then exploited before the new version went live. By collecting these signatures, the hacker could simply wait and pounce at an optimal time.

According to Hollander, under the EIP-712 format of the new contracts, such attacks will be much more difficult in the future.

How to protect yourself against NFT hacks

While past phishing attacks have often lured people into revealing their crypto wallet’s seed phrase or private key, this newest example demonstrates that people must also be careful to avoid signing potentially dubious smart contracts. Phishing is considered one of the most lucrative cybercrimes; it works on deception and comes in many forms, such as emails, online ads, or even fake customer support by phone. There are several things people can keep in mind to better protect themselves against it.

Be careful with emails and sharing info on social media

When it comes to crypto, NFTs, and Web 3, it’s probably best to avoid opening emails related to these spheres and also to refrain from opening such links on social media. When a company actually needs to reach you, they will make contact within their platform. With the uncanny resemblance many phishing emails may bear to the genuine article, it’s far too easy to click on one by accident unless you have a set policy of just saying no.

A good rule of thumb is to use a different email account for every exchange or marketplace you interact with, and also to have a separate email account for airdrops and giveaways you might sign up for, where you’re forced to divulge personal details that can later be used against you. 

Don’t allow blind signatures

Although there is a convenience to allowing gasless executions of smart contracts when you’re offline, there can also be a danger in allowing blind signatures, which can open up your digital assets to vulnerabilities even when they’re stored offline in a hardware wallet. The new EIP-712 signatures are said to be more robust in terms of security than their predecessor. However, it is still worth considering just avoiding blind signatures as a personal policy.
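
To make the difference between a blind signature and an EIP-712 request concrete, here is an added example (not from the original article or from OpenSea) of a pre-signing check a wallet front end could run. The method names are the standard wallet JSON-RPC signing methods; the trusted contract address, expected chain ID and sample order are constructed assumptions.

```python
import json

# Assumptions for this sketch: the chain and contract the user means to trade on.
EXPECTED_CHAIN_ID = 1
TRUSTED_CONTRACTS = {"0x" + "7b" * 20}  # constructed placeholder address

def review_signing_request(method, params):
    """Classify a wallet JSON-RPC signing request as (verdict, reason)."""
    if method == "eth_sign":
        # params = [account, data]: a bare hash, nothing for the user to read.
        return "reject", "blind signature over an opaque hash"
    if method != "eth_signTypedData_v4":
        return "reject", f"unhandled signing method {method}"
    # params = [account, typed data as a JSON string or an object]
    typed = json.loads(params[1]) if isinstance(params[1], str) else params[1]
    domain = typed.get("domain", {})
    try:
        chain_id = int(str(domain.get("chainId")), 0)  # accepts 1, "1" or "0x1"
    except ValueError:
        return "reject", "typed data has no usable chainId"
    if chain_id != EXPECTED_CHAIN_ID:
        return "reject", f"signature is bound to unexpected chain {chain_id}"
    contract = str(domain.get("verifyingContract", "")).lower()
    if contract not in TRUSTED_CONTRACTS:
        return "reject", f"unknown verifyingContract {contract or '<missing>'}"
    # Named fields let the wallet show exactly what is being authorised.
    fields = ", ".join(f"{k}={v}" for k, v in typed.get("message", {}).items())
    return "review", f"{typed.get('primaryType')}: {fields}"

# --- Constructed sample requests ---
ACCOUNT = "0x" + "aa" * 20
SAMPLE_TYPED = {
    "domain": {"name": "ExampleExchange", "version": "1", "chainId": 1,
               "verifyingContract": "0x" + "7b" * 20},
    "primaryType": "Order",
    "message": {"tokenId": "42", "price": "1000000000000000000",
                "taker": "0x" + "00" * 20},
}
SAMPLE_TYPED_JSON = json.dumps(SAMPLE_TYPED)

if __name__ == "__main__":
    print(review_signing_request("eth_sign", [ACCOUNT, "0x" + "ab" * 32]))
    print(review_signing_request("eth_signTypedData_v4", [ACCOUNT, SAMPLE_TYPED_JSON]))
```

A "review" verdict only means the request is legible and bound to the expected contract and chain; the user still has to read the displayed fields before signing.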

Pay attention to token permissions

Many users of NFT platforms such as OpenSea are not careful enough with the permissions they allow. If you use OpenSea and have been allowing off-chain signatures under Wyvern V1, you can rescind permissions for the spending of funds, which might act as a disincentive to hackers. If you visit Etherscan, you can link your wallet and then check where you’ve granted token approval permissions.
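
The same approval check can be done offline from event logs. The following added example (not from the original article) replays ERC-721/ERC-1155 `ApprovalForAll` events, in the shape returned by an `eth_getLogs` query, and lists the operator approvals a wallet still has outstanding. All addresses and log entries are constructed sample data.

```python
# keccak256("ApprovalForAll(address,address,bool)"): same event in ERC-721 and ERC-1155.
APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    raw = bytes.fromhex(topic[2:])
    if len(raw) != 32 or any(raw[:12]):
        raise ValueError(f"not a padded address topic: {topic}")
    return "0x" + raw[12:].hex()

def active_operator_approvals(logs, owner):
    """Return sorted (collection, operator) pairs that `owner` has not revoked."""
    owner = owner.lower()
    state = {}
    # A later event overrides an earlier one, so replay in chain order.
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_FOR_ALL:
            continue  # some other event, e.g. an ERC-20 Approval
        if topic_to_address(topics[1]) != owner:
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        state[key] = int(log["data"], 16) != 0  # non-indexed bool `approved`
    return sorted(k for k, approved in state.items() if approved)

# --- Constructed sample data ---
def make_log(collection, owner, operator, approved, block, index):
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"address": collection, "blockNumber": hex(block), "logIndex": hex(index),
            "topics": [APPROVAL_FOR_ALL, pad(owner), pad(operator)],
            "data": "0x" + f"{int(approved):064x}"}

WALLET, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
COLLECTION_A, COLLECTION_B = "0x" + "c1" * 20, "0x" + "c2" * 20
MARKET, UNKNOWN = "0x" + "11" * 20, "0x" + "ee" * 20
SAMPLE_LOGS = [
    make_log(COLLECTION_A, WALLET, MARKET, True, 100, 0),
    make_log(COLLECTION_A, WALLET, UNKNOWN, True, 120, 3),
    make_log(COLLECTION_A, WALLET, MARKET, False, 150, 1),  # revoked later
    make_log(COLLECTION_B, WALLET, MARKET, True, 160, 0),
    make_log(COLLECTION_B, OTHER, UNKNOWN, True, 170, 0),   # different owner
]

if __name__ == "__main__":
    for collection, operator in active_operator_approvals(SAMPLE_LOGS, WALLET):
        print(f"collection {collection} still approves operator {operator}")
```

Any pair left in the result can be revoked on-chain by calling `setApprovalForAll(operator, false)` on that collection's contract.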

Use platforms that invest in first-class crypto security and insurance

One of the best ways to keep your NFTs secure is to be selective on which platforms you hold them. Institutions can use CYBAVO’s flagship solution, CYBAVO VAULT, which supports both ERC-721 and ERC-1155 formats. With CYBAVO VAULT, organizations can mint, store, burn, and send NFTs as well as use smart contracts. Support also exists for WalletConnect, allowing an easy interface with OpenSea and other NFT marketplaces. 

An array of security features protects your digital assets when you use CYBAVO products, including multi-party computation (MPC) as well as PIN code and biometric verification. Moreover, CYBAVO offers AA-rated insurance from trusted partners like Lockton Companies.

Final Thoughts

The OpenSea breach was a tough but necessary lesson for the NFT industry: while it didn’t appear to make sense for hackers to target digital collectibles due to their non-fungibility, bad actors will still try if you make it easy enough. The effect can be devastating, destroying the floor price and value of the entire affected NFT collection and shipwrecking the reputation of the platform involved.

It doesn’t really matter why these hacks happen. What does matter is that bad actors will try and succeed in most cases, preying on a whole new generation of digital asset owners that will learn the same lessons as their Mt. Gox predecessors: once you or your custodian lose access to your wallet, your assets are likely lost for good, and their retrieval is not in your hands anymore.

With that being said, there have also been significant advances in blockchain tracking through incredibly smart and automated chain analytics from the likes of Elliptic and Chainalysis that use the latest artificial intelligence to follow the movements of digital assets. This was certainly underscored with the recent arrest of the unusual suspects related to the $3.5 billion Bitfinex hack in 2016. Who knows, in the future, “Follow the Money” might even include crypto and NFTs!

Until then, the fallout can be enormous if you’re an institution or if you’re an owner, as the hacker or new owner has to be tracked down and willingly return your asset.

It’s simply easier to not get to that point. Make sure to follow best practice security measures and keep your NFTs at best-in-class institutions with proven cybersecurity track records like CYBAVO. Learn more about CYBAVO products and talk to an expert here.