OpenSea, one of the largest digital collectible marketplaces, apparently fell prey to hackers on Saturday, with over 250 non-fungible tokens (NFTs) reported stolen, including tokens from the famous Bored Ape Yacht Club and Decentraland.
OpenSea co-founder and CEO Devin Finzer confirmed in a tweet that it was a ‘phishing attack’ and that the attacker had made $1.7 million in Ether from selling some of the stolen NFTs.
Importantly, rumors that this was a $200 million hack are false. The attacker has $1.7 million of ETH in his wallet from selling some of the stolen NFTs.
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
A few days ago, OpenSea announced a smart-contract upgrade that requires users to “migrate” their NFTs listed on the Ethereum blockchain to a new smart contract. The marketplace set a one-week deadline, after which inactive listings on the OpenSea platform would be delisted.
It is interesting to note that all stolen NFTs were allegedly from users who manually migrated on OpenSea.
However, the marketplace’s CTO Nadav Hollander denied the connection, saying that the malicious orders predated the migration and are “unlikely” to be related to OpenSea’s migration flow.
– None of the malicious orders were executed against the new (Wyvern 2.3) contract, indicating that they were signed before the migration and are unlikely to be related to OpenSea’s migration flow.
— Nadav Hollander (@NadavAHollander) February 20, 2022
Hawk-Eyed Hackers and the Burgeoning Attacks
How easy is it for hackers to steal NFTs? NFT hacks and scams aren’t new, and many collectors have lost every NFT they owned.
For example, in March 2021, several user accounts on Nifty Gateway were hacked. The money was refunded to the users, but the NFTs themselves were lost; the hackers reportedly sold them on another popular marketplace.
Nifty claimed at the time that the affected users didn’t have two-factor authentication turned on and that “access was obtained via valid account credentials.”
There have also been complaints about dead links and merchants’ digital wallets that disappeared, leaving collectors with losses of hundreds of thousands of dollars’ worth of NFTs.
These incidents show that hackers exploit lax security measures.
One of the easiest routes for attackers is obtaining the secret recovery phrase, which works like a password and lets a user recover their digital assets on a blockchain even after losing access to their wallet. Scammers find the phrase easily if the victim has stored it on their computer.
Data from blockchain analytics firm Chainalysis showed that last year alone, at least $44.2 billion worth of cryptocurrency was sent to the two types of Ethereum smart contracts “associated with NFT marketplaces and collections.”
The report revealed that over $3 million worth of cryptocurrency in NFT transactions was sent via illicit addresses in 2021.
How To Safeguard NFTs
Users should always be vigilant when receiving requests to sign with their wallets online. They must review exactly what is being requested and consider whether the request is suspicious.
In the case of the OpenSea attack, the affected users had signed an order somewhere at some point in time, without realising the trick being used by bad actors.
– All of the malicious orders contain valid signatures from the affected users, indicating that they did sign an order somewhere, at some point in time. However, none of these orders were broadcasted to OpenSea at the time of signing.
— Nadav Hollander (@NadavAHollander) February 20, 2022
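Reviewing a signature request before approving it, as the advice above calls for, as an added example (this is not code from OpenSea, from the Wyvern contracts, or from the article): a small JavaScript check over the JSON-RPC signing methods a browser wallet receives. The allowlist address, the order field names (side, basePrice, expirationTime) and the sample requests are assumptions constructed for the example, modelled loosely on marketplace-style EIP-712 orders, and the checks mirror the warning signs in the incident: a signature over something the user cannot read, an unfamiliar verifying contract, a sell order for nothing, and an order that never expires.

```javascript
// Added example, not code from OpenSea, Wyvern or the article's author.
// Reviews a wallet signature request (JSON-RPC shape, as a browser wallet
// receives it) before the user signs. Field names and addresses are
// assumptions modelled loosely on marketplace-style EIP-712 orders.

const EXPECTED_CHAIN_ID = 1; // Ethereum mainnet (assumption for this example)

// Assumption: an allowlist of marketplace contracts the user actually trusts.
// The address is a constructed placeholder, not a real contract.
const TRUSTED_VERIFYING_CONTRACTS = new Set(["0x" + "1".padStart(40, "0")]);

function reviewSignRequest(req) {
  const findings = [];
  switch (req.method) {
    case "eth_sign": {
      // Signs an opaque 32-byte hash; the wallet cannot display what is authorised.
      findings.push({ severity: "high", reason: "eth_sign requests a blind signature over an opaque hash" });
      break;
    }
    case "personal_sign": {
      // params[0] is the hex-encoded message; it should decode to readable text (e.g. a login challenge).
      const text = Buffer.from(String(req.params[0]).replace(/^0x/, ""), "hex").toString("utf8");
      if (!/^[\x20-\x7e\r\n\t]*$/.test(text)) {
        findings.push({ severity: "medium", reason: "personal_sign message is not readable text" });
      }
      break;
    }
    case "eth_signTypedData_v4": {
      // params[1] carries the typed data, as a JSON string or an object depending on the dapp.
      const typed = typeof req.params[1] === "string" ? JSON.parse(req.params[1]) : req.params[1];
      reviewTypedData(typed, findings);
      break;
    }
    default:
      findings.push({ severity: "medium", reason: `unexpected signing method ${req.method}` });
  }
  return findings;
}

function reviewTypedData(typed, findings) {
  const domain = typed.domain || {};
  const message = typed.message || {};
  if (Number(domain.chainId) !== EXPECTED_CHAIN_ID) {
    findings.push({ severity: "high", reason: `domain.chainId ${domain.chainId} is not the expected chain` });
  }
  const contract = String(domain.verifyingContract || "").toLowerCase();
  if (!TRUSTED_VERIFYING_CONTRACTS.has(contract)) {
    findings.push({ severity: "high", reason: `verifyingContract ${contract || "(missing)"} is not on the allowlist` });
  }
  if (typed.primaryType === "Order") {
    // Assumed order fields: side (1 = sell), basePrice (wei, as a string), expirationTime (unix seconds, 0 = never).
    const price = BigInt(message.basePrice ?? "0");
    if (Number(message.side) === 1 && price === 0n) {
      findings.push({ severity: "high", reason: "sell order with basePrice 0: the asset would change hands for nothing" });
    }
    if (Number(message.expirationTime ?? 0) === 0) {
      findings.push({ severity: "medium", reason: "expirationTime 0: the signed order can be executed at any later time" });
    }
  }
}

function highestSeverity(findings) {
  if (findings.some((f) => f.severity === "high")) return "high";
  if (findings.some((f) => f.severity === "medium")) return "medium";
  return "none";
}

// Constructed sample: a zero-price, never-expiring sell order on an unknown contract.
const SUSPICIOUS_ORDER_REQUEST = {
  method: "eth_signTypedData_v4",
  params: ["0x" + "1".repeat(40), JSON.stringify({
    domain: { name: "Exchange", version: "1", chainId: 1, verifyingContract: "0x" + "bad".padEnd(40, "0") },
    primaryType: "Order",
    message: { side: 1, basePrice: "0", expirationTime: 0, target: "0x" + "2".repeat(40) },
  })],
};

// Constructed sample: a login challenge, which is readable text under personal_sign.
const LOGIN_CHALLENGE_REQUEST = {
  method: "personal_sign",
  params: ["0x" + Buffer.from("Sign in to example.test\nNonce: 4811").toString("hex"), "0x" + "1".repeat(40)],
};

if (typeof require !== "undefined" && require.main === module) {
  for (const req of [SUSPICIOUS_ORDER_REQUEST, LOGIN_CHALLENGE_REQUEST]) {
    const findings = reviewSignRequest(req);
    console.log(req.method, highestSeverity(findings), findings.map((f) => f.reason));
  }
}
```

Run with Node to see the zero-price order flagged at high severity (unknown contract, zero price, no expiry) and the login challenge pass clean. The allowlist is the important design choice: a valid signature proves only that the user signed, so the check has to happen on what the user is shown, before the signature exists.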
To protect NFTs and avoid being hacked or scammed:
1. Use hardware wallets
According to experts, it is not safe to hold cryptocurrencies such as Bitcoin and Litecoin together with NFT assets in one wallet. They suggest keeping valuable assets such as NFTs in a hardware wallet, which works as a form of two-factor authentication.
This means that the private keys are disconnected from the internet and are offline so that they can’t be accessed by tricksters.
Examples of hardware wallets include the Ledger Nano X, Trezor Model One, and GridPlus Lattice1.
2. Never share screens
People commonly share their screens showing the NFTs they hold or their wallet details while discussing issues online or working collaboratively.
This is another opening for scammers, who impersonate NFT creators or other trusted parties to gain confidence. They then manipulate users into revealing their secret recovery phrase, the backup to every crypto-asset the wallet manages, and so gain full access to the wallet.
One such incident was reported by an NFT collector who lost around 250 ETH to a “socially manipulated” scam in which the perpetrators asked the user to share their screen.
I was scammed / socially manipulated / hacked on @Discord and @OpenSea and lost three @BoredApeYC, four @0n1Force, and three @worldofwomennft totalling roughly 250 eth in value by getting tricked into exposing the Metamask QR Code in the Chrome Browser Extension. I’ve never felt pic.twitter.com/aiaENpwLVP
— Sohrob.eth Farudi 🍌 ⭕️ (@sohrobf) August 25, 2021
The hackers impersonated the founders of the famous Bored Ape Yacht Club.
3. Beware of fake minting sites, dead links, and fake accounts
Fake minting sites that look nearly identical to the real ones are abundant on Twitter and Discord. When a user tries to mint an NFT from such a bogus site, their wallet may be compromised and its assets wiped out. Such links are shared by legitimate-looking accounts or by people in chats.
Last year, a few NFT owners complained that expensive NFTs had vanished from their links, with no trace of the purchase history left. These are called “dead links.”
“Having a system that is managed with professional validators makes it feasible to fully protect consumers,” Tom Anderson, CEO of NFT and blockchain security firm Devvio, told FX Empire.
“On DevvX – the blockchain platform, we manage the assets directly in addition to the blockchain, so there is no risk that an asset will not be available after it is purchased,” he said.
4. Double-check OpenSea offers and email links
Fake notifications impersonating popular marketplaces like OpenSea, emails from @gmail.com or Hotmail addresses claiming to be from an NFT marketplace, and identical copies of popular collectibles are all common traps set by hackers for victims to fall into.
Be careful out there apes, looks like a legit offer but the link tries to connect your wallet. Always go through OpenSea and block firstname.lastname@example.org pic.twitter.com/M5TFxT7i0z
— Javier Lovato 🍌 (@JavierLovato127) September 15, 2021
Users must be cautious with links and watch for any suspicious activity. Above all, they should never share the secret phrase or recovery key, or store it on their computer.
NFT sales skyrocketed in 2021 and offer digital creators significant upside in the coming years. However, the new space is open to scammers as well, so taking appropriate precautions to protect digital artworks and assets will help keep users out of the hands of bad actors.
This article was originally posted on FX Empire