With all the hype around non-fungible tokens (NFTs), it’s easy to forget that this blockchain niche remains largely unregulated. In some circles, NFTs have inherited the Wild West reputation that cryptocurrencies like bitcoin fended off in the early days. NFT critics argue these digital collectibles can be easily copied online as JPEGs. However, the charm of NFTs is true ownership rights secured on the blockchain, and users are doling out thousands and even millions of dollars for this status symbol.
Investors were sorely reminded of the developing nature of NFTs last weekend when bad actors absconded with over $1 million worth of these trendy digital collectibles. OpenSea, the most popular platform for buying, selling, and minting NFTs, found itself in the middle of the heist. Meanwhile, OpenSea executives are addressing the incident and attempting to distance themselves from it simultaneously.
While the situation remains fluid, what’s clear is that nearly three-dozen market participants had their NFTs lifted from under their noses.
Based on social media accounts, the bad actors targeted OpenSea users by email, pretending to be from the platform and urging a planned migration of smart contracts. These products are synonymous with blockchains like Ethereum. Worse, OpenSea had a smart contract upgrade in the works, which gave the email recipients reason to believe it was legit. In reality, the criminals were behind what appears to be a phishing attack, at least in part, and what is being probed as a smart contract exploit.
OpenSea CEO and co-founder Devin Finzer addressed the saga in a tweetstorm, saying he didn’t believe the attack was linked to the company’s website. Nevertheless, 32 OpenSea users have seemingly “signed a malicious payload from an attacker, and some of their NFTs were stolen,” Finzer explained.
Rumors suggested that the damage from the stolen NFTs could be as much as $200 million, but Finzer attempted to lessen the blow, saying instead the hacker “has $1.7 million of ETH in his wallet from selling some of the stolen NFTs.” The OpenSea chief also assured that the attack no longer appears active. The hacker even decided to return some of the NFTs for unknown reasons. But that hardly provided any comfort to victims of the breach.
As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
According to his account, Twitter user Alabaster Jefferson (AJ) was one of the victims of the NFT hack. AJ explained that the common thread among the theft victims was that their NFTs were all “manually migrated on OpenSea.” They’ve been in talks with one another, trying to identify the common weak link among them.
AJ quashed bystanders’ attempts on Twitter Spaces to seemingly blame the victims for clicking on a phishing email. While he did receive an email from OpenSea, and there was a link, AJ never clicked the bait. Instead, he “went from the header at the top of OpenSea.” According to AJ, the OpenSea CRM was never compromised. He asks what happened and, perhaps more importantly, whether it can happen again, concluding that there’s no clear resolution.
HEY EVERYONE. I CONNECTED WITH A FEW OTHER PEOPLE WHO GOT HACKED JUST NOW.
ALL OF US ONLY HAVE ONE THING IN COMMON.
ALL OF OUR STOLEN NFT’S WERE ONES WE MANUALLY MIGRATED ON OPENSEA. @opensea you have so much explaining to do now.
— AlabasterJefferson (@AJFromDiscord) February 19, 2022
Another NFT theft victim goes by the Twitter account nix.eth. This individual called it a “sick, huge loss” upon realizing that 25 NFTs from the Worlds play-to-earn NFT gaming platform had disappeared. Five of the assets have since been returned, but it’s of little consolation. Nix.eth describes having lost more than $2.2 million in the breach, which they surmise was a combination of a phishing attack and exploit. Nix.eth is a developer and a “long time crypto user,” which suggests that if it can happen to a seasoned market participant and crypto gamer, it could happen to anyone. Similar to AJ, Nix.eth did not click on the OpenSea email.
Ever sign one of these?
This is the reason I call the OpenSea signature attack part phish and part exploit.
— nix.eth (@nix_eth) February 21, 2022
Bieber’s NFT Fever
OpenSea’s troubles seem to date back before the most recent heist. On Feb. 18, a lawsuit was filed by plaintiff Timothy McKimmy in the U.S. District Courts, Texas Southern District, against the company. The complaint involves an NFT that was allegedly stolen, listed, and sold to someone else even though McKimmy never listed it on the marketplace. Nevertheless, the NFT in question has allegedly since been sold for 99 ETH, which, based on the latest price, is worth almost $260,000.
McKimmy’s NFT was one of the coveted Bored Apes, one of the most popular collections out there. The set has attracted fans like Justin Bieber, who recently doled out over $1 million for his latest digital avatar. The plaintiff argues that his stolen NFT is “significantly rarer” than the one owned by Bieber. McKimmy blames the NFT theft on a bug on the OpenSea marketplace, one which he asserts the company knew about but failed to protect its users from.
Bored Ape #3001 was purchased for 500.0 ETH
— boredapebot (@boredapebot) January 29, 2022
The complaint documents how OpenSea has handled $11 billion in NFT sales combined, with the company boasting a valuation of anywhere between $10 billion and nearly $13 billion. McKimmy wants his fair share, including over $1 million in damages.
While NFTs are a wildly popular niche, they remain in the early innings of adoption. Influencers are increasingly jumping on the NFT bandwagon, and companies are making it easier than ever to participate. Cryptocurrency exchange Coinbase, for example, reportedly has a list of 3.7 million interested users for its upcoming NFT platform. As these digital collectibles achieve wider-scale adoption, chances are the NFT segment will continue to have a target on its back for scammers, something for blockchain native users and newbies alike to expect.
This post was produced and syndicated by Wealth of Geeks.