NFTs worth Rs 12.6 crore stolen in massive OpenSea hack. How?

In the tech-obsessed and almost dystopian world we are currently living in, thieves have made away with jpegs of apes, cats and more. Victims of the heist are drenched in cold pixellated sweat as these jpegs amount to at least $1.7 million or Rs 12.6 crore.

Here's the full story of the OpenSea NFT heist:   

Blockchain is considered to be a secure and tamper-proof way of saving data. This explanation of the benefits of blockchain technology has definitely not aged well. After cryptocurrency hacks, it seems like thieves in the crypto world have targeted NFT holders.  

In the latest, at least $1.7 million (Rs 12.6 crore) worth of NFTs were stolen from 32 OpenSea users.

Our team has been working around the clock to investigate the specific details of this phishing attack. While we haven’t yet determined the exact source, we wanted to share a couple of EOD updates: ?

— OpenSea (@opensea) February 21, 2022

For the unversed, NFTs (non-fungible tokens) are those jpegs like Bored Ape Yacht Club, Cool Cat, and more that enthusiasts buy and sell as crypto tokens. Some NFTs are worth thousands of dollars. Remember the artist Beeple selling a collage of images for $69 million?  

So, the one place that facilitates and simplifies buying and selling of NFTs is - OpenSea. It is the world’s largest NFT marketplace and unlike some other exclusive NFT marketplaces, OpenSea has a low entry barrier.   

SO, WHAT HAPPENED?

✅ Proposed solution:A new signing message standard in which wallets inject the domain at the end of the signatureAnd older signatures that are not using the new standard appear in red ❌@MetaMask @myetherwallet @TrustWallet @CoinbaseWallet ? 7/8

— isotile ?? (@isotile) February 20, 2022

1. Smart contract upgrade: On February 19, 2022, Saturday, OpenSea NFT holders were told of a ‘smart contract upgrade’. Now, a smart contract for NFTs is a programming that manages all the transactions and ownership of the said NFTs. This information is transparent for all holders and sellers. OpenSea rolled out the upgrade to weed out all the inactive NFT listings.

2. Phishing attack, not hack: It is during this time that the attack took place. However, contrary to the initial report that OpenSea had been ‘hacked’, CEO of the platform Devin Finzer said that it was a phishing attack targeting users.  

3. What is the worth of the NFTs? Finzer also refuted claims that NFTs worth $200 million were stolen, saying that the hacker’s wallet only shows $1.7 million he or she made from selling the stolen NFTs.

4. How many NFTs have been stolen? A list compiled by blockchain security service PeckShield shows 254 NFTs stolen during the attack.

Currently, OpenSea is investigating the attack and has urged those who had their NFTs stolen to report to OpenSea support on Twitter to help the investigation.

HOW DID THE ATTACK TAKE PLACE?

?‍☠️ OPENSEA NFT HACK EXPLAINED THREAD ?‍☠️28 days ago the hacker uploads a new smart contract, he already knows well that his goal is to get as many signatures as possible? 1/4 pic.twitter.com/WMD9JrrvII

— isotile ?? (@isotile) February 20, 2022

A phishing attack is not a new concept. It involves fake communications being sent to targets that appear to be from a legitimate source – like a bank – or in this case, from OpenSea. The communication is usually in the form of emails or even phone calls – like someone asking for your OTP.

In the case of OpenSea, users were targeted with mass email systems that claimed to be from the NFT marketplace, like the picture in the tweet below.

OPENSEA HACK: This is the phishing email the hacker is using to drain wallets from my own email ??? if you interacted with this email at all, MOVE ALL ETH AND NFT’S TO A NEW WALLET pic.twitter.com/oxXQaIpYiX

— dontfade.eth (@18Gglover) February 20, 2022

After clicking on the fraudulent link, the users were directed to another dialog box that asks them to sign using their wallets. Users thought they were signing for OpenSea contract migration, but in reality, they were signing onto a fraudulent contract and were agreeing to sell their NFTs for zero dollars to the person (thief) on the other end.

Finzer described it as signing a blank cheque.

Importantly, rumors that this was a $200 million hack are false. The attacker has $1.7 million of ETH in his wallet from selling some of the stolen NFTs.

— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022

However, what stands out here is that all the victims are OpenSea users. So there is a likelihood that the thieves were able to somehow obtain the Email IDs of OpenSea users. The question remains: Was there a data leak from OpenSea?

Some Twitter users offered support to those being targeted by the attackers. One piece of advice that was given was to revoke the approval given to smart contracts to access NFTs.

Blockchain technology, cryptocurrencies, NFTs, and every related aspect is still very new. The world is learning from the loopholes that have enabled million-dollar heists in the past. But the blockchain space needs serious security revisions, despite the claims that it is in ‘principle’ a safe way to store information.