Phishing Attack Tricks 32 OpenSea Users Out of 254 NFTs (theverge.com)
"On Saturday, attackers stole hundreds of NFTs from OpenSea users, causing a late-night panic among the site's broad user base," reports the Verge.
"A spreadsheet compiled by the blockchain security service PeckShield counted 254 tokens stolen over the course of the attack, including tokens from Decentraland and Bored Ape Yacht Club." The bulk of the attacks took place between 5PM and 8PM ET, targeting 32 users in total. Molly White, who runs the blog Web3 is Going Great, estimated the value of the stolen tokens at more than $1.7 million.
The attack appears to have exploited a flexibility in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those made on OpenSea. One explanation (linked by CEO Devin Finzer on Twitter) described the attack in two parts: first, targets signed a partial contract, with a general authorization and large portions left blank. With the signature in place, attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment. In essence, targets of the attack had signed a blank check — and once it was signed, attackers filled in the rest of the check to take their holdings.
"I checked every transaction," said the user, who goes by Neso. "They all have valid signatures from the people who lost NFTs so anyone claiming they didn't get phished but lost NFTs is sadly wrong...."
Writing on Twitter shortly before 3AM ET, OpenSea CEO Devin Finzer said the attacks had not originated from OpenSea's website, its various listing systems, or any emails from the company. The rapid pace of the attack — hundreds of transactions in a matter of hours — suggests some common vector of attack, but so far no link has been discovered.
An update to OpenSea's smart contract was scheduled the day before (to remove old and inactive listings from the platform), and the scammer mimicked a genuine OpenSea email, according to The Street. A user who posted the text of the phishing email online explains that the scammer "then got a number of people to sign permissions with WyvernExchange. No exploit, just people not reading sign permissions as normal."
CEO Finzer told Bloomberg that some of the stolen NFTs have actually been returned, with no further malicious activity seen from the attacker's account. "He also dispelled rumors of a $200 million hack, saying the attacker has $1.7 million of Ethereum in his wallet from selling some of the stolen NFTs."
And PC Magazine shares this update about the wallet: CoinDesk reports that Etherscan, which bills itself as "the Ethereum blockchain explorer," has flagged the account that appears to be connected to these NFT thefts. (The public name of which is, fittingly enough, "Fake_Phishing5169.")
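The "blank check" mechanism described in the summary above, modelled as an added example that is not code from the page, from OpenSea or from the Wyvern Protocol. The order fields, the `BLANK` wildcard rule, the `signature_covers` check and the sample addresses are all constructed for illustration and do not reflect Wyvern's real order layout; what the model shows is why a signature over an order with blanks also authorises whatever the counterparty later fills in, and the kind of pre-signing check a wallet could run to refuse such an order.

```python
# Added example: a simplified model of a "blank check" order signature and a
# wallet-side pre-signing check. The field names below are constructed for
# illustration and are NOT the Wyvern Protocol's real order structure.

BLANK = None  # a field the signer leaves blank: whoever completes the order chooses it

FIELDS = ("maker", "taker", "side", "asset", "target", "payment_wei", "expiry")


def signature_covers(signed: dict, completed: dict) -> bool:
    """True if a signature over `signed` also authorises `completed`: every
    field either matches exactly or was left blank (a wildcard) by the signer."""
    return all(
        signed.get(k) is BLANK or signed.get(k) == completed.get(k) for k in FIELDS
    )


def presign_warnings(order: dict) -> list:
    """Reasons a wallet should refuse (or at least warn) before signing."""
    reasons = []
    for k in ("taker", "target"):
        if order.get(k) is BLANK:
            reasons.append(f"{k} is blank: the counterparty fills it in after you sign")
    if order.get("side") == "sell" and not order.get("payment_wei"):
        reasons.append("sell order with zero payment: the asset leaves for nothing")
    if not order.get("expiry"):
        reasons.append("no expiry: the authorisation never lapses")
    return reasons


def complete(partial: dict, **fill) -> dict:
    """What the counterparty does with a signed partial order: fill in the blanks.
    Fields the signer fixed cannot be changed without breaking the signature."""
    done = dict(partial)
    for k, v in fill.items():
        if done.get(k) is not BLANK:
            raise ValueError(f"{k} was fixed by the signer and cannot be changed")
        done[k] = v
    return done


# Constructed sample: a victim signs a sell order with taker and target left
# open, zero payment and no expiry (the "blank check" in the summary).
VICTIM_PARTIAL = {
    "maker": "0xVICTIM", "taker": BLANK, "side": "sell", "asset": "ape#1234",
    "target": BLANK, "payment_wei": 0, "expiry": 0,
}

# The counterparty fills the blanks with its own address and contract, paying nothing.
ATTACKER_FILLED = complete(
    VICTIM_PARTIAL, taker="0xATTACKER", target="0xATTACKER_CONTRACT"
)

# Constructed sample of an order a wallet should be willing to sign: every
# field pinned down, non-zero payment, and an expiry.
SAFE_ORDER = {
    "maker": "0xVICTIM", "taker": "0xBUYER", "side": "sell", "asset": "ape#1234",
    "target": "0xMARKET", "payment_wei": 10**18, "expiry": 1_700_000_000,
}

if __name__ == "__main__":
    for w in presign_warnings(VICTIM_PARTIAL):
        print("REFUSE:", w)
    print("attacker-completed order covered by the victim's signature:",
          signature_covers(VICTIM_PARTIAL, ATTACKER_FILLED))
    print("safe order warnings:", presign_warnings(SAFE_ORDER))
```

The point of the model is the last check: the signature over the partial order is still valid for the attacker-completed order, which is what Neso's "they all have valid signatures" observation means in this simplified form; a wallet that lints orders before signing is the defensive control.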
#andnothingofvaluewaslost (Score:5, Funny)
If any “news” item deserves that tag, it’s this one.
Re:#andnothingofvaluewaslost (Score:5, Insightful)
Their money was lost the moment they traded it for a blockchain entry which says they’re now the proud owner of a URL to a jpg of a dumb ape. It’s like buying the Brooklyn Bridge - the moment you made a mistake was when you gave your money to the con man, not when a mugger stole your fake “deed”.
Re:#andnothingofvaluewaslost (Score:4, Insightful)
It's a "bigger fool" scam, i.e. it's not a mistake to buy an NFT as long as there is someone else willing to pay even more for it later. You only lose if you are the last one holding it when the rug gets pulled, or it gets stolen from you.
Re: (Score:1)
it's not a mistake to buy an NFT
citation needed
I apologize (Score:1)
I apologize if someone would be upset by this, but I never had a shred of pity for people who fall for phishing attacks. "Stupidity is costly".
Re: (Score:3)
Re: (Score:2)
Nonsense. It is literally the main reason why phishing works.
That you then go onto lambasting the NFT buyers for being stupid, undermining your point.
Stupid people + greed + Dunning Kruger = success in phishing. Even the most targeted of phishing never looks 100% legit unless whatever service you're using is already compromised.
It's this attitude of hand waving away responsibility "it happens to the best of us" BS that is a major problem.
Helpful hints:
1. You are
Re: (Score:2)
You only need to be having an off day for the wrong few seconds to fall for a phishing attack. It has nothing to do with stupidity.
To rephrase, "you only need to have a few seconds of stupidity to fall for a phishing attack". It has everything to do with stupidity, if even for a few seconds.
Re:I apologize (Score:4, Insightful)
"I apologize if someone would be upset by this, but I never had a shred of pity for people who fall for NFTs. "Stupidity is costly"."
FTFY
Re: (Score:3)
I would be of the same opinion as you, but I nearly fell for one only last Thursday. It was a text message that purported to be from the English NHS asking for details about my COVID infection. I'd already started filling in the form before the alarm bell began to ring. I was taken in because, the same day, I had a positive COVID test. When I checked the text, I realised that it had been sent before I reported my result, so it was a coincidence that nearly fooled me.
Re: (Score:2)
This reminds me of that call I had from my bank, the person on the other end started "we need to confirm your identity", and I told them "no, I need to confirm YOUR identity first". They said "well, you can call this number back to verify" - that wouldn't work either, because if it's a scammer, you call them back and they will confirm it, doh.
So I called the bank's official phone number and told them what happened. Turns out that number did indeed belong to them, it was just that the person who originally c
Re: (Score:2)
Code is law (Score:3)
Oh (Score:1)
Oh no! Think of the NFTs
Re: (Score:2)
Oh no! Think of the NFTs
I'd really rather not.
NFTs stolen (Score:1)
and nothing of value was lost
When someone said.. (Score:3, Funny)
“Crime doesn’t pay”, cryptocurrency responded “hold my beer.”
Re: (Score:1)
It's not so simple for the criminals to turn the coins into dollars - that requires things like verifying identity, paying taxes, etc... until then it's just keys and hope.
LOL (Score:3)
estimated the value of the stolen tokens at more than $1.7 million.
That value was already lost.
And nothing of value was lost (Score:1)
To use the now-defunct Slashdot tag: "And nothing of value was lost."
evidence (Score:1)
There is no actual evidence of a phishing email here. Phishing seems to be a wild ass guess.
Re: (Score:2)
Not that it matters much in this case, but phishing doesn't need to be by email.
Re: (Score:2)
> An update to OpenSea's smart contract was scheduled the day before (to remove old and inactive listings from the platform), and the scammer mimicked a genuine OpenSea email, according to The Street. A user who posted the text of the phishing email online explains that the scammer "then got a number of people to sign permissions with WyvernExchange. No exploit, just people not reading sign permissions as normal."
Right, nothing to do with email....
Omg somebody stole (Score:2)
Help me out here (Score:2)
Isn't the point of the block chain that you can follow the ownership/transaction? If so, don't the legitimate owners (if they have proof of malfeasance) have a way to reclaim ownership?
Re: (Score:3)
The blockchain is the ownership authority - by design. This is one of the many issues crypto advocates apparently fail to understand; there's no recourse, nor transaction reversion. All sales are final.
Imagine if instead of NTFs we were talking about property deeds here. Yes, people are arguing for it.
Re: (Score:2)
Why not, it's basically a libertarian utopia.
Re: (Score:1)
Except OpenSea can refuse to work with blacklisted NFTs, effectively rendering them valueless.
Re: (Score:2)
Kinda makes you wonder about the whole decentralization thing for a second, doesn't it? :)
How does one steal on a blockchain? (Score:2)
We've been told for years that having no laws and no regulations was a good thing, and that access equals ownership. So if these people have access, therefore have ownership, how could they steal what they own? Perhaps lessons like this will teach cryptobros why we have laws and regulations around money and other property, if they're capable of learning that and willing to do so.
Decentralized except... (Score:1)
Funny how something that is supposed to be decentralized has a single base library responsible for the vast majority of contracts, all hosted on a single site responsible for the vast majority of NFTs...