OpenSea NFT Hack Exposes Web3 Self-Custody Risks

Hackers stole hundreds of high-value NFTs from popular collections such as Bored Ape Yacht Club, Azuki, and NFT Worlds.

OpenSea users targeted by NFT hack

Last night, hackers stole millions of dollars worth of NFTs from OpenSea users.

The attackers targeted an estimated 32 collectors. Top NFT Marketplace I ran out of ethereum wallet. On-chain data posted by Peckshield shows he stole over 250 pieces from high-value collections such as Bored Ape Yacht Club, Doodles, Azuki, and NFT Worlds. Based on the lowest price of the collection, crypto briefing We estimate the total shipment to be worth over 1,000 Ethereum, or $3 million.of attacker’s wallet It currently contains 641 Ethereum worth about $1.7 million and some of the stolen NFTs.

News of the attack first surfaced on Twitter late Saturday when a user reported suspicious activity related to his account. The exploit was initially rumored to be related to Smart He contract, an OpenSea user migrating his NFTs in recent weeks. However, OpenSea points out the possibility of a phishing attack.

We are actively investigating rumors of exploits related to OpenSea-related smart contracts. This appears to be a phishing attack originating from something other than his website on OpenSea.don’t click on external links https://t.co/3qvMZjxmDB.

— Opensea (@opensea) February 20, 2022

The team announced on Twitter early Sunday morning that it was “actively investigating” the rumor and that it was likely caused by a “phishing attack outside of OpenSea’s website.” OpenSea CEO Devin Finzer Said The team revealed that they are “doing an all-out deck investigation,” and that 32 affected users were hit with phishing attacks.early this morning, finzer repeated his beliefs It was a phishing attack. “I believe this is a phishing attack,” he wrote. His PeckShield, a security analytics firm, also investigated the incident, shared a view Phishing scams are likely the root cause.

NFT hack exposes Web3 risks

A full post-mortem has not yet been published, but Ethereum users Hoover When isotile A tweet storm was posted detailing the likely moves of the attacker. On-chain data shows that Smart deployed his contract on January 22nd, which uses a call to OpenSea’s contract. By sending an email replicating one sent by OpenSea, it is believed that the user was tricked into signing a transaction that transferred his NFTs to the hacker’s wallet. After tricking enough of his NFT collectors into signing malicious transactions, they carried out the attack and depleted the wallet. While no phishing attacks have yet been confirmed, this incident highlights the risks of using Web3 to sign malicious Ethereum transactions, which can have disastrous consequences.

In recent months, a number of Bored Ape Yacht Club owners have lost their high-value NFTs to similar attacks after signing out of their assets. As NFTs gain mainstream interest and their prices soar, hackers are increasingly turning to space to target collectors. Most affected OpenSea users have fallen victim to phishing attacks that trick them into signing malicious contracts. For all the benefits of self-custody wallets and decentralization, attacks like this raise questions about whether cryptocurrencies and his NFTs are truly ready for mass adoption. Even if a cryptocurrency holder uses his hardware wallet to store his assets, he is not necessarily protected from contract fraud. For collectors, NFT hacks like this are a reminder of the importance of staying alert in Web3. Especially when it comes to checking emails and signing transactions.

Disclosure: At the time of writing, the creator of this feature owned ETH and several other cryptocurrencies.