Are Your NFTs Safe? OpenSea Phishing Attack Raises Concerns


OpenSea, one of the largest digital collectible marketplaces, apparently fell prey to hackers on Saturday, with over 250 non-fungible tokens (NFTs) reported stolen, including tokens from the famous Bored Ape Yacht Club and Decentraland.

OpenSea co-founder and CEO Devin Finzer confirmed in a tweet that it was a ‘phishing attack’ and said that the attacker had made $1.7 million in Ether from selling some of the stolen NFTs.

A few days ago, OpenSea announced an upgrade to its smart contract, requiring users to “migrate” their listed NFTs on the Ethereum blockchain to a new smart contract. The marketplace set a one-week deadline, after which inactive listings would be delisted from the OpenSea platform.

It is interesting to note that all stolen NFTs were allegedly from users who manually migrated on OpenSea.

However, the marketplace’s CTO Nadav Hollander denied this, saying that the malicious orders were executed before the migration and are “unlikely” to be related to OpenSea’s migration flow.

Hawk-Eyed Hackers and the Burgeoning Attacks

How easy is it for hackers to steal NFTs? NFT hacks and scams aren’t new, and many collectors have lost every NFT they owned.

For example, in March 2021, several user accounts on Nifty Gateway were hacked. The money was refunded to the users, but the NFTs themselves were simply lost. The hackers reportedly sold them on another popular marketplace.

Nifty claimed at the time that the affected users didn’t have two-factor authentication turned on and that “access was obtained via valid account credentials.”

There were also complaints about dead links, and about merchants’ digital wallets that disappeared, costing collectors hundreds of thousands of dollars’ worth of NFTs.

These incidents show that hackers exploit lax security measures.

One of the easiest ways in for hackers is obtaining the secret recovery phrase, which, like a password, allows a user to recover their digital assets on a blockchain even if they lose access to their wallet. Scammers easily find the phrase if the victim has stored it on their computer.

Data from blockchain analytics firm Chainalysis showed that last year alone, at least $44.2 billion worth of cryptocurrency was sent to the two types of Ethereum smart contracts “associated with NFT marketplaces and collections.”

The report also revealed that over $3 million worth of crypto in NFTs was sent through illicit addresses in 2021.

How To Safeguard NFTs

Users should always be vigilant when they receive requests to sign something with their wallets online. They must review exactly what is being requested and consider whether the request is suspicious.

In the case of the OpenSea attack, affected users had at some point signed an order without realizing the trick being used by bad actors.

To protect NFTs and avoid getting hacked or scammed:

1. Use hardware wallets

According to experts, it is not safe to hold cryptocurrencies such as Bitcoin and Litecoin together with NFT assets in one wallet. They suggest keeping valuable assets such as NFTs in a hardware wallet, which is essentially a form of two-factor authentication.

This means that the private keys are kept offline, disconnected from the internet, so they can’t be accessed by tricksters.

Examples of hardware wallets include the Ledger Nano X, Trezor Model One, and Grid Plus Lattice 1.

2. Never share screens

People commonly share their screens, showing the NFTs they hold or their wallet details, while discussing issues online or working collaboratively.

This is another loophole scammers exploit, impersonating NFT creators or others to gain trust. They can manipulate users into revealing their secret recovery phrase, the backup for every crypto asset the wallet manages, and thus gain full access to the wallet.

One such incident was reported by an NFT collector who lost around 250 ETH to a “socially manipulated” scam in which the perpetrators asked the user to share their screen.

The hackers impersonated the founders of the famous Bored Ape Yacht Club.

3. Beware of fake minting sites, dead links, and fake accounts

Fake minting sites that look almost identical to the real ones are abundant on Twitter and Discord. When a user tries to mint an NFT from one of these bogus sites, their wallet may be compromised and their assets wiped out. Such links are shared by legitimate-looking accounts or by people via chats.

Last year, some NFT owners complained about expensive NFTs vanishing from their links, with no trace of the purchase history to be found. These are called “dead links.”

“Having a system that is managed with professional validators makes it feasible to fully protect consumers,” Tom Anderson, CEO of NFTs and blockchain security firm Devvio, told FX Empire.

“On DevvX – the blockchain platform, we manage the assets directly in addition to the blockchain, so there is no risk that an asset will not be available after it is purchased,” he said.

4. Double-check OpenSea offers and email links

Fake notifications impersonating popular marketplaces like OpenSea, emails sent from Hotmail or similar addresses while claiming to be from an NFT marketplace, and identical copies of popular collectibles are all common potholes dug by hackers for victims to fall into.

One must be cautious with links and look out for any suspicious activity. Above all, users should never share their secret phrase or recovery key, nor store it on their computer.

NFT sales skyrocketed in 2021, and the market presents huge upside potential for digital creators in the years ahead. However, this new space is open to scammers as well. Taking appropriate precautions to protect digital artworks and assets will help ensure users do not end up in the hands of bad actors.

This article was originally posted on FX Empire