A significant quantity of NFTs was stolen over the weekend, and you may be wondering whether that is even conceivable. We are here to break it down, from the kind of attack used to how it affected the victims of the stolen NFTs.
This weekend, the world’s largest NFT marketplace, OpenSea, was the victim of a major heist in which 254 unique non-fungible tokens (NFTs) were taken.
During the incursion, which was later revealed to be a phishing attack, 32 OpenSea wallets were emptied of NFT assets. The overall damage to affected parties is estimated at $3 million.
If you're wondering what a phishing attack is, here's a quick rundown. Phishing is a strategy in which an attacker, also known as a phisher, attempts to get sensitive information from a user or victim. It is a social engineering attack: the attacker uses human interaction to obtain personal confidential data from the victim, such as login credentials, credit card details, and so on. The attacker dupes the victim into clicking on a malicious link delivered via email, instant messaging apps like WhatsApp, or text message. Clicking on the link could install malicious software and reveal personal information.
Several OpenSea members discovered their NFT wallets empty and bereft of valuable assets on Saturday, including NFTs from the Decentraland, Bored Ape Yacht Club, Cool Cats, and Doodles collections.
More than an hour after the losses were discovered, OpenSea revealed an ongoing investigation into what “appears to be a phishing attack originating outside of OpenSea’s website.”
During that time, many individuals were perplexed as to whether NFTs were subject to such a threat, with inquiries such as “Can NFTs be Stolen?” and “Can owners of Stolen NFTs regain their properties?”
We all know that NFTs are unique and easily verifiable and that you can see who is in possession of any NFT, so you might assume that if one is stolen, the original owner can simply retake custody of it. I'm sorry to break it to you, but it doesn't work that way.
Consider it this way: if you own a house, you have a piece of paper called the title (or the deed in certain areas), and that piece of paper proves that you own the house.
However, if someone stole a duplicate of your paper, they would not suddenly own your house because the title is simply a printout of a government database that shows who owns what property. So if your title is stolen, you simply get a new one printed.
The basic premise behind NFTs and crypto is that there is a database of who owns what, but it is anonymous. In the world of NFTs, having the piece of paper is the only method to verify ownership.
If someone steals your piece of paper, they suddenly own the asset, and you have no way of proving it was yours.
Returning to the stolen NFTs: soon after, OpenSea CEO Devin Finzer acknowledged that the heist was the result of a phishing attack in which 32 unlucky platform users signed a malicious payload from the attacker.
It was later discovered that the hacker utilized a common phishing email that looked exactly like the official email shared by OpenSea the day before.
The malicious email invited users to transfer their tokens to the new smart contract by Friday, February 25th, or else all existing tokens would expire.
A day before the attack, OpenSea revealed their smart contract dedicated to deleting inactive NFT listings from their marketplace. Following the change, OpenSea users had to migrate their old and expired NFT listings housed on the Ethereum blockchain to a new smart contract. The change was designed to make it more difficult for malicious actors to deceive customers into signing orders without their knowledge.
As a result, the hacker abused users by fooling them into accessing a false website, where victims signed orders that appeared authentic to move their NFTs to the new OpenSea contract. Instead of using safe transfers, customers sent their NFTs to the hacker’s wallet, allowing the bad actors to seize over $3 million in non-fungible tokens.