The (small) Great Apeing - $1.7 million in NFTs stolen in apparent phishing attack on OpenSea users

[Lightwreather]

Summary

On Saturday, attackers stole hundreds of NFTs from OpenSea users, causing a late-night panic among the site’s broad user base. A spreadsheet compiled by the blockchain security service PeckShield counted 254 tokens stolen over the course of the attack, including tokens from Decentraland and Bored Ape Yacht Club.

 

Quotes

Quote

The bulk of the attacks took place between 5PM and 8PM ET, targeting 32 users in total. Molly White, who runs the blog Web3 is Going Great, estimated the value of the stolen tokens at more than $1.7 million.

The attack appears to have exploited a flexibility in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those made on OpenSea. One explanation (linked by CEO Devin Finzer on Twitter) described the attack in two parts: first, targets signed a partial contract, with a general authorization and large portions left blank. With the signature in place, attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment. In essence, targets of the attack had signed a blank check — and once it was signed, attackers filled in the rest of the check to take their holdings.

“I checked every transaction,” said the user, who goes by Neso. “They all have valid signatures from the people who lost NFTs so anyone claiming they didn’t get phished but lost NFTs is sadly wrong.”

OpenSea was in the process of updating its contract system when the attack took place, but OpenSea has denied that the attack originated with the new contracts. The relatively small number of targets makes such a vulnerability unlikely, since any flaw in the broader platform would likely be exploited on a far greater scale.

Still, many details of the attack remain unclear — particularly the method attackers used to get targets to sign the half-empty contract. Writing on Twitter shortly before 3AM ET, OpenSea CEO Devin Finzer said the attacks had not originated from OpenSea’s website, its various listing systems, or any emails from the company. The rapid pace of the attack — hundreds of transactions in a matter of hours — suggests some common vector of attack, but so far no link has been discovered.
“We’ll keep you updated as we learn more about the exact nature of the phishing attack,” said Finzer on Twitter. “If you have specific information that could be useful, please DM @opensea_support.”

 

My thoughts

So, it appears that someone used a combinaiton of Phishing and Contractual loopholes to steal (scam) people out of a major amout of Crypto. I don't really know what to say apart from the usual phishing prevention advice - Do not click on any random links, make sure that they are from official sources. If it's too good to be true it likely is, no company is gonna ask for your personal details over email, yada yada yada.

 

Sources

TheVerge

Spreadsheet

Web3isgoinggreat (The irony/sarcasm is strong with this one)

Twitter

[Needfuldoer]

"They stole my apes, Odo!"

 

 

[Middcore]

And nothing of value was lost.

[WhitetailAni]

[Just Monika]

It took longer than I expected for someone to think of right click and Save As.

[Brooksie359]

I think they have a type in the article. The total estimated value should be 0 as clearly nfts are meaningless and don't give you any rights. Just a token that is as useful as a piece of paper I created myself certifying a own something. 

[Middcore]

 

[Sauron]

Damn, and here I was absolutely convinced the blockchain made scams and theft impossible! How can this be?

Spoiler

/S

It's almost like snake oil brokers like OpenSea are actually less trustworthy and reliable than banks and VISA, go figure. Smart contracts are not contracts, they're programs; and software is the devil's playground.

 

[That Franc]

I feel like 2022 will be the year that I die of popcorn poisoning.

[darknessblade]

OOH no.. People falling for a Glorified Pyramid scheme got scammed, NOO the Horror.

 

 

[poochyena]

 

[Arika]

[RejZoR]

10 hours ago, Just Monika said:

It took longer than I expected for someone to think of right click and Save As.

This was a sophisticated NFT heist. The perps had to PrtSc, open MS Paint and paste the items and then save them, which took them all night to clear the inventory. They had stealth on their side tho, which gave them all the time they needed without any worries of raising an alarm.

[Sauron]

2 hours ago, RejZoR said:

The perps had to PrtSc, open MS Paint and paste the items and then save them, which took them all night to clear the inventory.

[Beerzerker]

9 minutes ago, Sauron said:

They had to use "Awesome Screenshot" so it's worth more than your regular screenie - Just awesome in fact.
Now all they have to do is get them all fully documented to that end....
 

[FloRolf]

 

 

Inb4 Media calling Phishing attacks 'hacking' and blaming it on 'Hackers'. 

People, especially those with hundreds of thousands USD assets in their accounts seriously need some cyber security training. I wouldn't be surprised if some of their passwords even were 'password'. 

[mr moose]

A fool and his money are soon parted,  how soon?  crt C crt V soon. 

 

I personally blame Microsoft for making the shortcuts so easily available, they should be charged with aiding piracy and made to refund everyone's money. 

[xAcid9]

How much is $1.7m worth of NFT? Is it similar to $1.7m in Monopoly money? 

[mr moose]

1 hour ago, xAcid9 said:

How much is $1.7m worth of NFT? Is it similar to $1.7m in Monopoly money? 

Depends if you are the type of player that also keeps a ledger so you can increase the banks debt ceiling and make the game go longer.   In which case it's about $2 of monopoly money and the boot piece. 

[05032-Mendicant-Bias]

Saying "unhackable blockchain" is like saying "unsinkable ships" or "unbreakable car".

 

It doesn't mean it cannot be happen. It means that when it happens, there is no recovery nor mitigation in place. With blockchain, it means that when an hack happens, it is irreversible, it is done. 

[RejZoR]

3 hours ago, xAcid9 said:

How much is $1.7m worth of NFT? Is it similar to $1.7m in Monopoly money? 

It's like 500.000 Uno +5 cards.

[CTR640]

So a funny monke is actually smarter than a human being with (de)evolved "brain". Breaking news!

[manikyath]

just dropping this here...

 

[darknessblade]

5 hours ago, xAcid9 said:

How much is $1.7m worth of NFT? Is it similar to $1.7m in Monopoly money? 

How much is it....Ask the IRS. they will gladly fine you for failing to report those assets. making the fines higher than the value of those NFT's

[Sauron]

43 minutes ago, darknessblade said:

How much is it....Ask the IRS. they will gladly fine you for failing to report those assets. making the fines higher than the value of those NFT's