/Opensea Hack: Dozens of NFTs Were Stolen via a Phishing Attack

Opensea Hack: Dozens of NFTs Were Stolen via a Phishing Attack

Hackers stole highly valued Non-Fungible Tokens (NFTs) from opensea. It appears the hackers exploited an upgrade from opensea to a new smart contract by commencing a phishing attack.

Opensea issued an upgrade a couple of days ago, requesting users to migrate their listings. ‘In 1 week, at 2pm ET on Friday, February 25, any listings you haven’t migrated will expire. If you miss the migration window, you’ll be able to re-list any expired listings without incurring additional fees (including gas fees).’

Due to the short notice it allowed hackers to exploit the upgrade notification that was sent via email to all users in the NFT marketplace.

openea smart contract update twitter

source: twitter

Opensea Old Listings Fix

The upgrade is meant to solve old issues that are caused by old listings. If a trader lists an NFT for sale in opensea gas fees are required for the listing.

Let’s take a scenario where the trader lists an NFT for 1 ETH, gas fees were paid. When the trader wishes to relist the NFT for 2 ETH, opensea allows it to be relisted without an additional charge of gas fees.

However, the old listing (1 ETH) is never really cancelled. In order to cancel the old listing gas fees are required per listing. As opendea is allowing relisting without paying gas fees, if NFTs that are currently worth over $50,000 were ever listed for sale at $20 a year ago, the $20 listing is still present.

Another concern is when the listing is cancelled it can be exploited in the
 
 blockchain 
Blockchain

Blockchain comprises a digital network of blocks with a comprehensive ledger of transactions made in a cryptocurrency such as Bitcoin or other altcoins.One of the signature features of blockchain is that it is maintained across more than one computer. The ledger can be public or private (permissioned.) In this sense, blockchain is immune to the manipulation of data making it not only open but verifiable. Because a blockchain is stored across a network of computers, it is very difficult to tamper with. The Evolution of BlockchainBlockchain was originally invented by an individual or group of people under the name of Satoshi Nakamoto in 2008. The purpose of blockchain was originally to serve as the public transaction ledger of Bitcoin, the world’s first cryptocurrency.In particular, bundles of transaction data, called “blocks”, are added to the ledger in a chronological fashion, forming a “chain.” These blocks include things like date, time, dollar amount, and (in some cases) the public addresses of the sender and the receiver.The computers responsible for upholding a blockchain network are called “nodes.” These nodes carry out the duties necessary to confirm the transactions and add them to the ledger. In exchange for their work, the nodes receive rewards in the form of crypto tokens.By storing data via a peer-to-peer network (P2P), blockchain controls for a wide range of risks that are traditionally inherent with data being held centrally.Of note, P2P blockchain networks lack centralized points of vulnerability. Consequently, hackers cannot exploit these networks via normalized means nor does the network possess a central failure point.In order to hack or alter a blockchain’s ledger, more than half of the nodes must be compromised. Looking ahead, blockchain technology is an area of extensive research across multiple industries, including financial services and payments, among others.

Blockchain comprises a digital network of blocks with a comprehensive ledger of transactions made in a cryptocurrency such as Bitcoin or other altcoins.One of the signature features of blockchain is that it is maintained across more than one computer. The ledger can be public or private (permissioned.) In this sense, blockchain is immune to the manipulation of data making it not only open but verifiable. Because a blockchain is stored across a network of computers, it is very difficult to tamper with. The Evolution of BlockchainBlockchain was originally invented by an individual or group of people under the name of Satoshi Nakamoto in 2008. The purpose of blockchain was originally to serve as the public transaction ledger of Bitcoin, the world’s first cryptocurrency.In particular, bundles of transaction data, called “blocks”, are added to the ledger in a chronological fashion, forming a “chain.” These blocks include things like date, time, dollar amount, and (in some cases) the public addresses of the sender and the receiver.The computers responsible for upholding a blockchain network are called “nodes.” These nodes carry out the duties necessary to confirm the transactions and add them to the ledger. In exchange for their work, the nodes receive rewards in the form of crypto tokens.By storing data via a peer-to-peer network (P2P), blockchain controls for a wide range of risks that are traditionally inherent with data being held centrally.Of note, P2P blockchain networks lack centralized points of vulnerability. Consequently, hackers cannot exploit these networks via normalized means nor does the network possess a central failure point.In order to hack or alter a blockchain’s ledger, more than half of the nodes must be compromised. Looking ahead, blockchain technology is an area of extensive research across multiple industries, including financial services and payments, among others.
Read this Term
by frontrunning. When an old listing is manually cancelled by the NFT owner, it can be exploited in the block via bots.

When the cancellation is in the block and yet to be confirmed, it can be exploited by executing the sale in the same block. For example, if an NFT that is currently worth $50,000 was ever listed for $10 and the owner cancels the listing, before it is confirmed in the block hackers may execute the sale of $10 in the same block before it is confirmed (‘frontrunning’).

Opensea’s upgrade is meant to tackle these issues by ensuring old listings will expire. However, due to the short notice hackers used a
 
 phishing 
Phishing

Phishing is a form of cyber-attack in which fake websites, emails, and text messages are used to elicit personal data. The most common targets in this assault are passwords, private cryptocurrency keys, and credit card details.Phishers disguise themselves as reputable businesses and other types of entities. In certain instances, reputable government organizations or authorities are impersonated in order to collect this data.Because phishing relies on psychological manipulation rather than technological skill, it is considered to be a social engineering attack. The most common methods for phishing are email, telephone, or text message.How to Defend Against Phishing Attacks?Every phishing attempt has a few basic things in common, which individuals need to be aware of.You should always be on the lookout for offers that are overly lucrative or too good to be true. Click-bait titles or rewards and prizes without any context are red flags.Additionally, a sense of urgency should always be approached with caution. A favorite tactic amongst cybercriminals is to ask you to act fast because the super deals are only for a limited time.Finally, individuals should always be mindful of unusual senders and questionable attachments or hyperlinks. Simply hovering over a link shows you the actual URL where you will be directed upon clicking on it. If anything seems out of the ordinary, unexpected, or simply suspicious it is best to avoid clicking on any links. In the cryptocurrency world, phishing attacks come in forms such as fake wallets that unsuspectingly collect users’ private keys.Fake exchange login pages that collect users’ login data, and fake wallet seed generators that create and then collect the regenerative phrases used to make cryptocurrency wallets.

Phishing is a form of cyber-attack in which fake websites, emails, and text messages are used to elicit personal data. The most common targets in this assault are passwords, private cryptocurrency keys, and credit card details.Phishers disguise themselves as reputable businesses and other types of entities. In certain instances, reputable government organizations or authorities are impersonated in order to collect this data.Because phishing relies on psychological manipulation rather than technological skill, it is considered to be a social engineering attack. The most common methods for phishing are email, telephone, or text message.How to Defend Against Phishing Attacks?Every phishing attempt has a few basic things in common, which individuals need to be aware of.You should always be on the lookout for offers that are overly lucrative or too good to be true. Click-bait titles or rewards and prizes without any context are red flags.Additionally, a sense of urgency should always be approached with caution. A favorite tactic amongst cybercriminals is to ask you to act fast because the super deals are only for a limited time.Finally, individuals should always be mindful of unusual senders and questionable attachments or hyperlinks. Simply hovering over a link shows you the actual URL where you will be directed upon clicking on it. If anything seems out of the ordinary, unexpected, or simply suspicious it is best to avoid clicking on any links. In the cryptocurrency world, phishing attacks come in forms such as fake wallets that unsuspectingly collect users’ private keys.Fake exchange login pages that collect users’ login data, and fake wallet seed generators that create and then collect the regenerative phrases used to make cryptocurrency wallets.
Read this Term
attack to maliciously obtain the NFTs.

The Opensea Hack

The email announced the migration to the new smart contract. By clicking on ‘Get Started’ the user granted authorization to the hackers that drained the account of the NFTs.

nft phishing attack

source: etherscan

Dozens of NFT holders were victimized by the phishing attack. The mutant ape yacht club NFTs, bored apes (BAYC) and Azuki are just some of the NFTs that are now owned by the hackers.

BoredApeYachClub #1277 that was last sold for 100 ETH (approximately $290,000) is among the NFTs that were stolen in the phishing attack.

opensea phishing attack bored ape

Opensea issued the following statement, ‘We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website.’

Despite the statement and the circulation of the news NFTs are still being transferred to the malicious address at the time of this writing. The valued of the stolen NFTs is estimated to be over $1.6 million.

Hackers stole highly valued Non-Fungible Tokens (NFTs) from opensea. It appears the hackers exploited an upgrade from opensea to a new smart contract by commencing a phishing attack.

Opensea issued an upgrade a couple of days ago, requesting users to migrate their listings. ‘In 1 week, at 2pm ET on Friday, February 25, any listings you haven’t migrated will expire. If you miss the migration window, you’ll be able to re-list any expired listings without incurring additional fees (including gas fees).’

Due to the short notice it allowed hackers to exploit the upgrade notification that was sent via email to all users in the NFT marketplace.

openea smart contract update twitter

source: twitter

Opensea Old Listings Fix

The upgrade is meant to solve old issues that are caused by old listings. If a trader lists an NFT for sale in opensea gas fees are required for the listing.

Let’s take a scenario where the trader lists an NFT for 1 ETH, gas fees were paid. When the trader wishes to relist the NFT for 2 ETH, opensea allows it to be relisted without an additional charge of gas fees.

However, the old listing (1 ETH) is never really cancelled. In order to cancel the old listing gas fees are required per listing. As opendea is allowing relisting without paying gas fees, if NFTs that are currently worth over $50,000 were ever listed for sale at $20 a year ago, the $20 listing is still present.

Another concern is when the listing is cancelled it can be exploited in the
 
 blockchain 
Blockchain

Blockchain comprises a digital network of blocks with a comprehensive ledger of transactions made in a cryptocurrency such as Bitcoin or other altcoins.One of the signature features of blockchain is that it is maintained across more than one computer. The ledger can be public or private (permissioned.) In this sense, blockchain is immune to the manipulation of data making it not only open but verifiable. Because a blockchain is stored across a network of computers, it is very difficult to tamper with. The Evolution of BlockchainBlockchain was originally invented by an individual or group of people under the name of Satoshi Nakamoto in 2008. The purpose of blockchain was originally to serve as the public transaction ledger of Bitcoin, the world’s first cryptocurrency.In particular, bundles of transaction data, called “blocks”, are added to the ledger in a chronological fashion, forming a “chain.” These blocks include things like date, time, dollar amount, and (in some cases) the public addresses of the sender and the receiver.The computers responsible for upholding a blockchain network are called “nodes.” These nodes carry out the duties necessary to confirm the transactions and add them to the ledger. In exchange for their work, the nodes receive rewards in the form of crypto tokens.By storing data via a peer-to-peer network (P2P), blockchain controls for a wide range of risks that are traditionally inherent with data being held centrally.Of note, P2P blockchain networks lack centralized points of vulnerability. Consequently, hackers cannot exploit these networks via normalized means nor does the network possess a central failure point.In order to hack or alter a blockchain’s ledger, more than half of the nodes must be compromised. Looking ahead, blockchain technology is an area of extensive research across multiple industries, including financial services and payments, among others.

Blockchain comprises a digital network of blocks with a comprehensive ledger of transactions made in a cryptocurrency such as Bitcoin or other altcoins.One of the signature features of blockchain is that it is maintained across more than one computer. The ledger can be public or private (permissioned.) In this sense, blockchain is immune to the manipulation of data making it not only open but verifiable. Because a blockchain is stored across a network of computers, it is very difficult to tamper with. The Evolution of BlockchainBlockchain was originally invented by an individual or group of people under the name of Satoshi Nakamoto in 2008. The purpose of blockchain was originally to serve as the public transaction ledger of Bitcoin, the world’s first cryptocurrency.In particular, bundles of transaction data, called “blocks”, are added to the ledger in a chronological fashion, forming a “chain.” These blocks include things like date, time, dollar amount, and (in some cases) the public addresses of the sender and the receiver.The computers responsible for upholding a blockchain network are called “nodes.” These nodes carry out the duties necessary to confirm the transactions and add them to the ledger. In exchange for their work, the nodes receive rewards in the form of crypto tokens.By storing data via a peer-to-peer network (P2P), blockchain controls for a wide range of risks that are traditionally inherent with data being held centrally.Of note, P2P blockchain networks lack centralized points of vulnerability. Consequently, hackers cannot exploit these networks via normalized means nor does the network possess a central failure point.In order to hack or alter a blockchain’s ledger, more than half of the nodes must be compromised. Looking ahead, blockchain technology is an area of extensive research across multiple industries, including financial services and payments, among others.
Read this Term
by frontrunning. When an old listing is manually cancelled by the NFT owner, it can be exploited in the block via bots.

When the cancellation is in the block and yet to be confirmed, it can be exploited by executing the sale in the same block. For example, if an NFT that is currently worth $50,000 was ever listed for $10 and the owner cancels the listing, before it is confirmed in the block hackers may execute the sale of $10 in the same block before it is confirmed (‘frontrunning’).

Opensea’s upgrade is meant to tackle these issues by ensuring old listings will expire. However, due to the short notice hackers used a
 
 phishing 
Phishing

Phishing is a form of cyber-attack in which fake websites, emails, and text messages are used to elicit personal data. The most common targets in this assault are passwords, private cryptocurrency keys, and credit card details.Phishers disguise themselves as reputable businesses and other types of entities. In certain instances, reputable government organizations or authorities are impersonated in order to collect this data.Because phishing relies on psychological manipulation rather than technological skill, it is considered to be a social engineering attack. The most common methods for phishing are email, telephone, or text message.How to Defend Against Phishing Attacks?Every phishing attempt has a few basic things in common, which individuals need to be aware of.You should always be on the lookout for offers that are overly lucrative or too good to be true. Click-bait titles or rewards and prizes without any context are red flags.Additionally, a sense of urgency should always be approached with caution. A favorite tactic amongst cybercriminals is to ask you to act fast because the super deals are only for a limited time.Finally, individuals should always be mindful of unusual senders and questionable attachments or hyperlinks. Simply hovering over a link shows you the actual URL where you will be directed upon clicking on it. If anything seems out of the ordinary, unexpected, or simply suspicious it is best to avoid clicking on any links. In the cryptocurrency world, phishing attacks come in forms such as fake wallets that unsuspectingly collect users’ private keys.Fake exchange login pages that collect users’ login data, and fake wallet seed generators that create and then collect the regenerative phrases used to make cryptocurrency wallets.

Phishing is a form of cyber-attack in which fake websites, emails, and text messages are used to elicit personal data. The most common targets in this assault are passwords, private cryptocurrency keys, and credit card details.Phishers disguise themselves as reputable businesses and other types of entities. In certain instances, reputable government organizations or authorities are impersonated in order to collect this data.Because phishing relies on psychological manipulation rather than technological skill, it is considered to be a social engineering attack. The most common methods for phishing are email, telephone, or text message.How to Defend Against Phishing Attacks?Every phishing attempt has a few basic things in common, which individuals need to be aware of.You should always be on the lookout for offers that are overly lucrative or too good to be true. Click-bait titles or rewards and prizes without any context are red flags.Additionally, a sense of urgency should always be approached with caution. A favorite tactic amongst cybercriminals is to ask you to act fast because the super deals are only for a limited time.Finally, individuals should always be mindful of unusual senders and questionable attachments or hyperlinks. Simply hovering over a link shows you the actual URL where you will be directed upon clicking on it. If anything seems out of the ordinary, unexpected, or simply suspicious it is best to avoid clicking on any links. In the cryptocurrency world, phishing attacks come in forms such as fake wallets that unsuspectingly collect users’ private keys.Fake exchange login pages that collect users’ login data, and fake wallet seed generators that create and then collect the regenerative phrases used to make cryptocurrency wallets.
Read this Term
attack to maliciously obtain the NFTs.

The Opensea Hack

The email announced the migration to the new smart contract. By clicking on ‘Get Started’ the user granted authorization to the hackers that drained the account of the NFTs.

nft phishing attack

source: etherscan

Dozens of NFT holders were victimized by the phishing attack. The mutant ape yacht club NFTs, bored apes (BAYC) and Azuki are just some of the NFTs that are now owned by the hackers.

BoredApeYachClub #1277 that was last sold for 100 ETH (approximately $290,000) is among the NFTs that were stolen in the phishing attack.

opensea phishing attack bored ape

Opensea issued the following statement, ‘We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website.’

Despite the statement and the circulation of the news NFTs are still being transferred to the malicious address at the time of this writing. The valued of the stolen NFTs is estimated to be over $1.6 million.

Original Source