It feels like every single day we hear about another major crypto hack. It really gives a bad name to the crypto space, but it's not something easily prevented. When you have a system that's not regulated or governed, you're going to have a lot of bad actors that want to exploit the system in any way they can. Case in point - OpenSea's recent hack.
The "Hack"
OpenSea was recently attacked and about $1.7 million worth of NFTs and crypto were stolen from users' wallets. Technically this was not a hack of the website itself, but a phishing attack. Phishing is one of the most common forms of attack and it usually happens via email. The attacker creates a fake link to the website, and all that link does is get approval from your wallet to execute transactions. Once the victim has signed the transaction, the attacker stores that signature and can use it at any time until the permission is revoked. This sort of attack is more social engineering than anything. Convincing a victim to click a malicious link is a lot easier than hacking an entire website. These messages arrive via email, Discord, Telegram, Twitter, and any other platform where users can receive messages. This is why it's important to always be on alert and never click a link you receive without contacting the website or platform first! Let's take a look at how this went down.
About a month ago, the attacker created the malicious contract and deployed it. The goal was simple: convince as many victims as possible to sign the malicious contract before executing the final attack. Once the contract was created, the phishing emails started going out. I wasn't able to find an image of one of the emails, but it was pretty simple. It looked as if it came from OpenSea and contained a link for users to "migrate to their new contract address".
What the link actually did was create a sale of the victims' NFTs for 0 ETH to the attacker. Pretty fuckin slick, I'm not gunna lie. This is why, if you ever receive an email from any platform that has to do with money... Don't click the link. Don't approve anything. Contact the platform first to verify that it's legit. Phishing attacks 101.
Once the attacker was satisfied with the number of victims' signatures, it was time to execute the attack. Because all the signatures were stored on the attacker's server, he was able to execute whenever he wanted. The attacker calls the smart contract and bam. All the victims' NFTs are sold to the attacker for 0 ETH and all he pays is gas fees. A small price when you're going to rake in $1.7 million in NFTs. This was a very well-planned attack and not something that was just done overnight. One thing we can all do as NFT collectors is revoke access to our NFTs via EtherScan. Once you link your wallet, you can see all of your approvals and revoke them as you please. This is a good thing to do even if you were not affected by the attack. As you can see below, the attacker was able to rake in 150 ETH at one point and is still holding some NFTs.
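To make the "check your approvals and revoke them" advice concrete, here is an added example (my own code, not from the post or from OpenSea/EtherScan) that replays a wallet's ERC-721 `ApprovalForAll` events to find which operators still hold blanket approval over a collection, and builds the `setApprovalForAll(operator, false)` calldata that a revocation transaction would carry. All addresses and events are constructed for the example.

```python
from dataclasses import dataclass

# Constructed addresses for the example (not real contracts or wallets).
WALLET = "0x1111111111111111111111111111111111111111"
COLLECTION = "0x2222222222222222222222222222222222222222"
MARKETPLACE = "0x3333333333333333333333333333333333333333"
UNKNOWN_OPERATOR = "0x4444444444444444444444444444444444444444"


@dataclass(frozen=True)
class ApprovalForAll:
    """Decoded ERC-721 ApprovalForAll(owner, operator, approved) event."""
    block: int
    log_index: int
    collection: str
    owner: str
    operator: str
    approved: bool


def active_operators(events, wallet):
    """Replay events in chain order; return (collection, operator) pairs
    that still hold blanket approval for `wallet`. The latest event per
    pair wins, so an approve followed by a revoke leaves nothing."""
    state = {}
    for ev in sorted(events, key=lambda e: (e.block, e.log_index)):
        if ev.owner.lower() != wallet.lower():
            continue
        state[(ev.collection.lower(), ev.operator.lower())] = ev.approved
    return {pair for pair, approved in state.items() if approved}


def revoke_calldata(operator):
    """ABI-encode setApprovalForAll(operator, false): 4-byte selector
    0xa22cb465 followed by the address and the bool, each left-padded
    to 32 bytes. This is what a revocation tx sent to the collection carries."""
    addr = operator.lower().removeprefix("0x").rjust(64, "0")
    return "0xa22cb465" + addr + "0" * 64


# Constructed history: marketplace approved then revoked; unknown operator
# approved later (the kind of entry a phishing signature leaves behind).
SAMPLE_EVENTS = [
    ApprovalForAll(100, 0, COLLECTION, WALLET, MARKETPLACE, True),
    ApprovalForAll(150, 3, COLLECTION, WALLET, MARKETPLACE, False),
    ApprovalForAll(200, 1, COLLECTION, WALLET, UNKNOWN_OPERATOR, True),
]

if __name__ == "__main__":
    for collection, operator in active_operators(SAMPLE_EVENTS, WALLET):
        print(collection, operator, revoke_calldata(operator))
```

Only the operators that remain in the result need a revocation transaction; each call goes to the collection contract, not to the operator.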
After stealing all this money, it only cost the attacker $20,000 in gas fees. Man. What a payday.
A shit ton of NFTs were stolen. Sheesh! Apparently only about 30 victims were hit.
A ton of them are still listed for sale, so I hope that OpenSea will blacklist them.
This attack is still being investigated and if you wanna see a more technical breakdown of how this happened, check out this Twitter thread. I sincerely hope OpenSea is able to help the victims and make them whole. I don't know though, it seems they are trying to say it isn't their fault.
We'll see what happens. In the meantime, revoke all access via EtherScan. Be safe out there.
Thanks for reading! Much love.
Links 'n Shit
| Play to Earn | Read emails, Earn Crypto | Get free crypto every day | Get a WAX wallet |
|---|---|---|---|
| Gods Unchained | ListNerds | PipeFlare | WAX.io |
| Splinterlands | GoodDollar | | |
| Rising Star | FoldApp | | |