Scam artists have taken advantage of a contract migration initiative to swindle NFTs out of users in an opportunistic phishing attack.
Last week, NFT marketplace OpenSea announced the rollout of contract migrations and an upgrade to make sure inactive, old NFT listings on Ethereum expire safely and to allow OpenSea to “offer new safety features in the future.”
The contract migration timeline was set from February 18 to February 25.
NFT holders are required to make the change, and OpenSea published a guide to assist them. After the deadline, any listings that were not migrated would expire, although they could be re-listed after this window without further fees.
However, an attacker saw an opportunity to cash in. Check Point Research (CPR) has suggested that phishing emails were sent to users, linking them to fraudulent websites.
“Some hackers took advantage of the upgrade process and decided to scam NFT users by using the same email from OpenSea and resending it to the OpenSea victims,” the researchers said.
Marketplace users were reportedly urged to click a link and sign a malicious transaction that was crafted to look like a legitimate OpenSea request.
According to the researchers, the attacker created their contract prior to the transition and made use of atomicMatch_, a form of request “capable of stealing all victim NFTs in one transaction.”
The wallet connected to the phishing attack held over two million dollars after some of the stolen NFTs were sold, CPR noted, although, at the time of writing, just over $8,000 is left in the account. In total, there have been over 350 transactions from this wallet address, including deposits and withdrawals.
Originally, it was believed that 32 users had their NFTs stolen after falling prey to the phishing attack.
“The attack doesn’t appear to be active at this point — we haven’t seen any malicious activity from the attacker’s account in 2 hours,” OpenSea CEO Devin Finzer said on February 20. “Some of the NFTs have been returned. […] We are not aware of any recent phishing emails that have been sent to users, but at this time, we do not know which website was tricking users into maliciously signing messages.”
In an update, OpenSea said its team has been working “around the clock” to investigate, and the number of suspected victims has been narrowed down to 17.
“Our original count included anyone who had *interacted* with the attacker, rather than those who were victims of the phishing attack,” OpenSea said.
It has now been over 22 hours since the last fraudulent transaction made in the attacker’s wallet.
Nadav Hollander, OpenSea CTO, published a Twitter thread containing the organization’s current understanding of the attack, which the firm does not believe originated from OpenSea.
“All of the malicious orders contain valid signatures from the affected users, indicating that they did sign an order somewhere, at some point in time,” Hollander said. “However, none of these orders were broadcasted to OpenSea at the time of signing.”
In addition, the orders were not executed against the new Wyvern 2.3 contract.
Hollander commented:
“32 users [note: now estimated to be 17] had NFTs stolen over a relatively short time period. This is extremely unfortunate but suggests a targeted attack as opposed to a systemic issue.
This information, coupled with our discussions with impacted users and investigation by security experts, suggests a phishing operation that was executed ahead of the deprecation of the 2.2 contract given the impending invalidation of these collected malicious orders.
Even though it appears the attack was made from outside OpenSea, we are actively helping affected users and discussing ways to provide them additional assistance.”
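To make the mechanism Hollander describes concrete (valid signatures from the affected users, orders never broadcast at signing time, and orders that could not be executed against the migrated 2.3 contract), here is a toy model of a signed-order exchange, added as an illustration; it is not Wyvern or OpenSea code. HMAC stands in for Ethereum's ECDSA signature, the exchange holds a table of maker keys in place of signer recovery, and every address, key, token name and timestamp is constructed. It shows why an order signed on a phishing page but never submitted stays redeemable by whoever holds the signature until it expires, is cancelled, or the contract it was bound to is retired, and why the same signature is rejected by a contract with a different domain.

```python
import hashlib
import hmac
import json

# Constructed toy model of an off-chain signed-order exchange. NOT the Wyvern
# contract: HMAC stands in for ECDSA, and a key table stands in for signer
# recovery, so the example runs offline with the standard library only.


def domain_separator(exchange_address: str, version: str) -> bytes:
    """Hypothetical domain binding: the exchange address and version are mixed
    into every digest, so a signature made for one contract means nothing to
    another. This is the property that lets a contract migration retire old
    orders."""
    return hashlib.sha256(f"{exchange_address}|{version}".encode()).digest()


def order_digest(domain: bytes, order: dict) -> bytes:
    payload = json.dumps(order, sort_keys=True).encode()
    return hashlib.sha256(domain + payload).digest()


def sign_order(maker_key: bytes, domain: bytes, order: dict) -> str:
    # The maker signs once, offline; nothing is sent to the exchange here.
    return hmac.new(maker_key, order_digest(domain, order), hashlib.sha256).hexdigest()


class ToyExchange:
    def __init__(self, address: str, version: str, maker_keys: dict):
        self.domain = domain_separator(address, version)
        self.maker_keys = maker_keys  # stands in for ECDSA signer recovery
        self.cancelled = set()
        self.filled = set()
        self.owners = {}

    def cancel_order(self, order: dict) -> None:
        """A maker who learns they signed something can cancel on-chain before
        anyone submits it."""
        self.cancelled.add(order_digest(self.domain, order))

    def atomic_match(self, order: dict, signature: str, taker: str, now: int):
        """Anyone holding a valid signature may submit the order; the maker does
        not need to be online. Returns (ok, reason)."""
        digest = order_digest(self.domain, order)
        key = self.maker_keys.get(order["maker"])
        expected = hmac.new(key, digest, hashlib.sha256).hexdigest() if key else ""
        if not key or not hmac.compare_digest(expected, signature):
            return False, "bad signature for this exchange domain"
        if digest in self.cancelled:
            return False, "cancelled"
        if digest in self.filled:
            return False, "already filled"
        if now > order["expiry"]:
            return False, "expired"
        if order["taker"] not in ("anyone", taker):
            return False, "wrong taker"
        self.filled.add(digest)
        self.owners[order["token"]] = taker
        return True, "filled"


def run_scenario() -> dict:
    t0 = 1_645_000_000                      # constructed signing time
    victim_key = b"constructed-victim-key"  # stands in for a private key
    keys = {"0xVICTIM": victim_key}
    old = ToyExchange("0xOLD_EXCHANGE", "2.2", keys)   # contract being retired
    new = ToyExchange("0xNEW_EXCHANGE", "2.3", keys)   # migrated contract

    # Order the victim was led to sign; open to any taker, long expiry.
    order = {"maker": "0xVICTIM", "taker": "anyone", "token": "nft#1",
             "expiry": t0 + 30 * 86400, "salt": 1234}
    sig = sign_order(victim_key, old.domain, order)

    # 1. Never broadcast at signing; submitted by a third party days later.
    late = old.atomic_match(order, sig, "0xTHIRD_PARTY", now=t0 + 5 * 86400)
    # 2. The same signature is useless against the migrated contract.
    migrated = new.atomic_match(order, sig, "0xTHIRD_PARTY", now=t0 + 5 * 86400)
    # 3. A maker who cancels before execution stops the order.
    order2 = dict(order, token="nft#2", salt=5678)
    sig2 = sign_order(victim_key, old.domain, order2)
    old.cancel_order(order2)
    cancelled = old.atomic_match(order2, sig2, "0xTHIRD_PARTY", now=t0 + 5 * 86400)
    # 4. A filled order cannot be replayed.
    replay = old.atomic_match(order, sig, "0xTHIRD_PARTY", now=t0 + 6 * 86400)

    return {"late_submission": late, "migrated_contract": migrated,
            "cancelled": cancelled, "replay": replay,
            "owner_nft1": old.owners.get("nft#1")}


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The defender's takeaways are the three gates in `atomic_match`: a domain bound into the digest (so retiring a contract retires its orders), on-chain cancellation, and expiry. In this model the phished signature is accepted on the old contract long after it was made, which is the "signed an order somewhere, at some point in time" situation in the thread, and rejected outright by the new one.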
Cybersecurity expert Dan Guido also highlighted the inherent security issues with wallets and their exposure to phishing campaigns.
OpenSea continues to investigate.
In other recent NFT news, Fortinet researchers have warned that cyberattackers are jumping on the NFT hype to spread BitRAT malware.