OpenSea users lose NFTs worth 1.5 million euros after phishing attack
In theory, everything should be simple and fast for OpenSea’s customers: according to the NFT marketplace’s own website, moving their inactive NFTs (non-fungible tokens) to the Ethereum blockchain takes just four steps. “Actually a simple process that is done quickly. Unless you are sent to the process not by OpenSea itself, but by an almost identical-looking phishing email,” says Christine Schönig, Regional Director Security Engineering CER, Office of the CTO, at Check Point Software Technologies Ltd., the world’s leading provider of cyber security solutions. A deceptively genuine-looking imitation of the original OpenSea mail led users to a web page that was recreated in just as much detail, but behind which phishing scammers were lurking. The theft of data and funds took place in two steps:
Christine Schönig, Regional Director Security Engineering CER, Office of the CTO at Check Point
Schönig explains: “At first, customers were unwittingly asked to agree to a kind of blank transaction. This gave a general authorization for further transactions in the background. With their signature, the owners of the NFTs then agreed to a connection with the contract of the hackers including a transfer of ownership rights to the attacker – without payment or knowledge, of course.”
Within three hours, 32 users were cheated out of their NFTs worth around 1.5 million euros (1.7 million US dollars). With the signing of the transaction, a so-called atomicMatch request was sent to the attacker’s contract, which the attacker had already created about a month before the attack. “Atomic in this context means that the transaction takes place only if all the parameters of the transaction are met. With this type of request, the hacker is able to steal all of the victim’s NFTs in a single transaction,” Schönig said.
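As an added example (not code from the article, OpenSea or Check Point), the kind of pre-signature screen a wallet or browser extension could run to flag the “blank” order described above before the user signs it. The order field names (taker, target, basePrice, expirationTime) are assumed to follow a Wyvern-style exchange order, and the trusted contract address, timestamp and sample requests are constructed:

```javascript
// Assumed order shape: { taker, target, basePrice, expirationTime }.
const ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";

// Exchange contract the user expects to trade through (constructed placeholder).
const TRUSTED_TARGETS = new Set(["0x1111111111111111111111111111111111111111"]);

// Returns { blank, critical, advisory }: `blank` is true when the request looks
// like an open-ended authorisation rather than a concrete sale.
function screenOrder(order, nowSeconds) {
  const critical = [];
  const advisory = [];
  const target = (order.target || "").toLowerCase();

  // The contract that would later execute the match must be one the user knows;
  // in the attack it was the phisher's own contract, deployed weeks earlier.
  if (!TRUSTED_TARGETS.has(target)) {
    critical.push(`target ${order.target || "(missing)"} is not a known exchange contract`);
  }
  // A zero price hands the asset over without any payment.
  if (BigInt(order.basePrice ?? "0") === 0n) {
    critical.push("basePrice is 0: asset would transfer for nothing");
  }
  // A zero taker lets any address fill the order. This is normal for a public
  // listing, but dangerous in combination with the signals above.
  if (!order.taker || order.taker.toLowerCase() === ZERO_ADDRESS) {
    advisory.push("taker is open: any address may fill this order");
  }
  // expirationTime 0 means the signature never expires; a far-future expiry is similar.
  const exp = Number(order.expirationTime ?? 0);
  if (exp === 0 || exp > nowSeconds + 365 * 86400) {
    advisory.push("no effective expiry: the signed order stays usable indefinitely");
  }
  return { blank: critical.length > 0, critical, advisory };
}

// Constructed sample signing requests; NOW is a fixed timestamp for reproducibility.
const NOW = 1645000000;
const BLANK_ORDER = {
  taker: ZERO_ADDRESS,
  target: "0x2222222222222222222222222222222222222222", // unknown contract
  basePrice: "0",
  expirationTime: 0,
};
const NORMAL_LISTING = {
  taker: ZERO_ADDRESS,
  target: "0x1111111111111111111111111111111111111111",
  basePrice: "1000000000000000000", // 1 ETH in wei
  expirationTime: NOW + 7 * 86400,
};
```

`screenOrder(BLANK_ORDER, NOW)` reports two critical findings and flags the order as blank, while `screenOrder(NORMAL_LISTING, NOW)` only notes the open taker.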
But the Check Point expert also explains how users can protect themselves: “Phishing mails are becoming more and more sophisticated and treacherous – so always remain mindful and skeptical. I advise not to click on links in e-mails in general, but to search for the information on the Internet pages of the providers themselves.” Signing such a transaction also amounts to handing over a free ticket to all of the user’s NFTs and cryptocurrencies. Schönig therefore advises users to remain vigilant at all times: “Always pay attention to when and where you agree to a trade and which transaction you sign. Then the NFT trade is also harmless.”