Malicious actors took advantage of a smart contract upgrade process in the OpenSea NFT marketplace to carry out a phishing attack against 17 of its users that resulted in the theft of virtual assets worth about $1.7 million.
NFTs, short for non-fungible tokens, are digital tokens that act like certificates of authenticity for, and in some cases represent ownership of, assets that range from expensive illustrations to collectibles and physical goods.
The opportunistic social engineering scam swindled the users by mimicking the email OpenSea had sent to notify users about the upgrade. The copycat email redirected the victims to a lookalike webpage that prompted them to sign a seemingly legitimate transaction, which was then used to steal all of their NFTs in one go.
“By signing the transaction, an atomicMatch_ request would be sent to the attacker contract,” Check Point researchers explained.
OpenSea’s “Wyvern” smart contract migration, which commenced on February 18 and ran over a seven-day period until February 25 at 2:00 PM ET, is part of the New York City-based firm’s efforts to address old, inactive listings on the Ethereum blockchain.
The company said it’s still investigating the exact source of the attack, noting that the malicious orders had been signed by the victims before OpenSea carried out its migration. “The attack no longer seems to be active, but we are continuing to monitor. We have not seen activity from the attacker’s wallet in >36 hours,” OpenSea said in an update.
“Signing transactions is like giving permission for someone to view all of your NFTs or cryptocurrencies,” Check Point stated. “This is why signing is very dangerous. Be extra careful about where you sign transactions.”
The development also comes as cybercriminals are exploiting the growing popularity of NFTs to trick victims into downloading the BitRAT remote access trojan, malware that is capable of stealing browser credentials, mining cryptocurrency, and harvesting sensitive information.