Hackers stole $1.7 Million in NFTs from OpenSea using Phishing Attacks.

Put simply, the OpenSea victims signed a partial contract for an NFT deal, granting the attacker broad authority while leaving much of it blank, akin to signing a blank check. As a result, the hackers could transfer ownership of the NFTs without paying anything.

Major centralized NFT marketplace OpenSea has announced that an estimated $1.7 Million of ETH was stolen in a weekend attack.

“This appears to be a phishing attempt, as far as we can determine. It does not seem to be linked to the OpenSea website. So far, it seems that 32 users have signed a malicious payload sent by an attacker, and some of their NFTs have been taken,” OpenSea CEO Devin Finzer stated in a series of tweets.

In subsequent tweets, Finzer denied claims that the NFT haul was worth up to $200 million and revised the number of victims down to 17 people.
“The attacker has $1.7 million in ETH in his wallet from the sale of part of the stolen NFTs,” he explained.

The Dive
The thieves fooled OpenSea users into partially signing smart-contract orders that authorized the trades. The attack took place on Saturday between 5 and 8 p.m. ET and was delivered through Gmail using a spoofing trick the author refers to as “deep fake” emails.

Such an email is an ordinary message, but the attacker uses HTML and sender masking to make it look like authorized mail. With this trick, attackers can pose as any company's representative and appear to send from any email address they want.
They sent contract emails to the victims and, once the victims had signed, completed the procedure by migrating the NFTs (non-fungible tokens) to their own address.
According to OpenSea, the hackers used “phishing,” in which an official communication is imitated to look like the real thing, to trick NFT owners into signing.

Comparison
The loss is minor compared to other high-profile thefts, such as the $322 million Wormhole bridge attack on Solana, which also exploited a smart contract weakness. However, it is an indication that such crime is growing more widespread: a recent Chainalysis analysis found that hackers nabbed $14 billion in cryptocurrency in 2021, an increase of 80 percent.
Several analysts have cautioned that persistent security flaws might be a barrier to widespread crypto adoption, because the risk is being passed on to the customer.

Wyvern Protocol
According to Hart Lambur, cofounder of the UMA protocol, the risk of smart contract-based attacks in decentralized finance is relatively high, particularly in newborn networks like Solana.
“Unfortunately, smart contract issues are a common concern with DeFi,” Lambur recently told Insider.
The OpenSea attack made use of the Wyvern Protocol, which underpins most NFT smart contract procedures. Because the protocol is open source, the code is standard and freely available to the public.
According to a FAQ on the Wyvern Protocol website, there are three ways to authorize an order:

“Orders must always be allowed by the maker address, which is the owner of the proxy contract that will perform the call. Authorization can take three forms: signed message, pre-approval, and match-time approval.”

After reviewing the malicious orders, Hollander shared a technical rundown in a thread of tweets. First, he noted that all of the malicious orders were genuine, meaning the NFT holders did sign an order somewhere at some point, though none of those orders were transmitted to OpenSea.
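As an added illustration (not OpenSea's or Wyvern's code), here is a wallet-side check a dApp could run on a Wyvern-style sell order before asking the user to sign it, flagging the "blank check" shape the article describes. The field names are a simplified model of a Wyvern order and the exchange address and sample orders are constructed placeholders.

```javascript
// Added example: a wallet-side "blank check" check for a Wyvern-style sell
// order, run before the user signs the off-chain message. The field names are a
// simplified model of a Wyvern order (an assumption, not the protocol's struct).
const ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";

// Placeholder exchange address the user expects to list on (constructed).
const TRUSTED_EXCHANGES = new Set(["0x1111111111111111111111111111111111111111"]);

// Returns { severity, warnings }; severity is "ok", "warn" or "block".
// A zero price combined with an open taker is exactly the blank check the
// article describes: anyone can fill the order and pay nothing.
function inspectSellOrder(order, nowSeconds) {
  const warnings = [];
  const freeTransfer = BigInt(order.basePrice) === 0n;
  const openToAnyone = order.taker.toLowerCase() === ZERO_ADDRESS;
  const neverExpires = Number(order.expirationTime) === 0;

  if (!TRUSTED_EXCHANGES.has(order.exchange.toLowerCase())) {
    warnings.push("exchange contract is not the marketplace you expect");
  }
  if (order.side !== "sell") {
    warnings.push("not a sell order; check what is really being authorized");
  }
  if (freeTransfer) {
    warnings.push("basePrice is 0: the asset would change hands for nothing");
  }
  if (openToAnyone && freeTransfer) {
    warnings.push("taker is unset: any address can fill this zero-price order");
  }
  if (neverExpires) {
    warnings.push("expirationTime is 0: the signed order never expires");
  } else if (Number(order.expirationTime) <= nowSeconds) {
    warnings.push("order is already expired");
  }

  let severity = warnings.length > 0 ? "warn" : "ok";
  if (freeTransfer && openToAnyone) severity = "block";
  return { severity, warnings };
}

// Constructed sample orders (not real signed payloads).
const NOW = 1645300000; // an arbitrary epoch second
const normalListing = {
  exchange: "0x1111111111111111111111111111111111111111",
  side: "sell", taker: ZERO_ADDRESS,
  basePrice: "1000000000000000000", // 1 ETH in wei
  expirationTime: String(NOW + 86400),
};
const blankCheck = { ...normalListing, basePrice: "0", expirationTime: "0" };
```

An open taker on its own is normal for a public listing; it is the combination with a zero price (and no expiry) that turns a listing into something anyone can fill for free.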

Who’s to blame?
As the name suggests, bad actors will always search for loopholes to exploit for access and money. When the NFT market bloomed, it was a gold mine for them. So yes, it is both users' and platforms' responsibility to stay safe and secure.

From OpenSea's point of view, the industry has put growing emphasis on never sharing seed phrases or submitting unknown transactions; signing off-chain messages deserves the same level of care.
OpenSea users, on the other hand, think OpenSea should make the migration process much smoother, since they run into errors most of the time.
