“Blockchain is one of the most secure custody methods in the world.” – These or similar statements have almost become a mantra in the crypto space. Now, on February 20, users of the NFT marketplace OpenSea fell victim to a phishing attack. So isn’t the blockchain as secure as everyone says it is?
OpenSea: What happened
On February 20th, a message from OpenSea appeared on Twitter. It suggested that this was a phishing attack originating outside the OpenSea website.
We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of https://t.co/3qvMZjxmDB.— OpenSea (@opensea) February 20, 2022
OpenSea then stressed that it was fighting the attack, asked the community for advice and finally announced that 17 wallets were affected. Among the captured NFTs are three Bored Ape Yacht Club apes that have already been transferred for 108 ETH each, the equivalent of almost 300,000 US dollars. Other stolen items included a so-called Cool Cat, several Azuki tokens, two CloneX and more.
Although the wallet address of the attackers is clearly visible (0x3e0defb880cd8e163bad68abe66437f99a7a8a74), the culprits have not yet been identified. Despite this, no attacks have been made from the address for over 15 hours. On the contrary: according to Vice, some of the NFTs have already been returned.
What is a phishing attack?
Phishing is “attempts to pose as a trustworthy communication partner in electronic communication via fake websites, e-mails or text messages.” It is a kind of attack that users in the crypto space fall victim to again and again.
In the current OpenSea case, this means that the attackers copied an old email from OpenSea and sent it out, urging users to migrate to the new smart contract update. However, the link offered did not lead to the actual update, but to a request to sign approvals with WyvernExchange.
If users did that, the attackers had the “fish on the hook”. They could now use the valid signatures to transfer the NFTs. Accordingly, the network did not identify the transactions themselves as invalid or malicious.
However, as noted by Nadav Hollander, CTO at OpenSea:
How can I protect myself from such attacks?
First of all, it is important to carry out the actual update of the smart contracts on ETH. According to the specialist, the update would make such an attack significantly less likely to succeed. One of the reasons for this is that “it makes the function of the advertised data from EIP-712 much more difficult for attackers to get someone to sign an order without realizing it.”
It is also worth being vigilant and carefully checking senders. Phishing attacks are among the most common fraud attempts in the digital space. Often just clicking on a link is enough to give hackers and thieves unwanted access to your own files and networks. This applies not only to blockchain technologies, but equally to online platforms and digital accounts.
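To illustrate why readable EIP-712 typed data helps, the following added example (not code from OpenSea or from the original article) reviews a wallet signing request before approval: an opaque hash request cannot be displayed, while a typed-data request can be rendered field by field and its verifying contract checked. The allowlists, the origins, the addresses and the "Order" schema are constructed assumptions for illustration.

```javascript
// Added example. Allowlists and sample requests below are constructed, not OpenSea's.
const TRUSTED_ORIGINS = new Set(["https://marketplace.example"]);
const EXPECTED_CONTRACTS = new Set(["0x00000000000000000000000000000000000000aa"]);

// Review a JSON-RPC signing request before the user approves it.
function reviewSigningRequest(origin, request) {
  const findings = [];
  const result = (readable, summary) => ({ readable, summary, findings });
  if (!TRUSTED_ORIGINS.has(origin)) findings.push(`untrusted origin: ${origin}`);
  if (request.method === "eth_sign") {
    // Only a 32-byte hash is presented, so the user cannot see what it commits to.
    findings.push("opaque hash: signed content cannot be displayed");
    return result(false, []);
  }
  if (request.method !== "eth_signTypedData_v4") {
    findings.push(`method not covered by this review: ${request.method}`);
    return result(false, []);
  }
  // params = [signer address, typed data as JSON string or object]
  let typed = request.params[1];
  try {
    if (typeof typed === "string") typed = JSON.parse(typed);
    if (typed === null || typeof typed !== "object") throw new Error("not an object");
  } catch (e) {
    findings.push("typed data is not a valid JSON object");
    return result(false, []);
  }
  const { domain = {}, primaryType, types = {}, message = {} } = typed;
  const fields = types[primaryType];
  if (!Array.isArray(fields)) {
    findings.push("primaryType is not defined in types");
    return result(false, []);
  }
  const contract = String(domain.verifyingContract || "").toLowerCase();
  if (!EXPECTED_CONTRACTS.has(contract)) findings.push(`unexpected verifyingContract: ${contract || "(none)"}`);
  // Render every field of the primary struct so nothing is signed unseen.
  const lines = fields.map((f) => `${f.name} (${f.type}) = ${JSON.stringify(message[f.name])}`);
  return result(true, [`${domain.name} / ${primaryType}`, ...lines]);
}

// Constructed sample requests (hypothetical schema and addresses).
const SIGNER = "0x00000000000000000000000000000000000000bb";
const blindRequest = { method: "eth_sign", params: [SIGNER, "0x" + "ab".repeat(32)] };
const typedRequest = { method: "eth_signTypedData_v4", params: [SIGNER, JSON.stringify({
  types: { Order: [{ name: "tokenId", type: "uint256" }, { name: "price", type: "uint256" }] },
  primaryType: "Order",
  domain: { name: "ExampleMarket", version: "1", chainId: 1, verifyingContract: "0x00000000000000000000000000000000000000AA" },
  message: { tokenId: "42", price: "1000000000000000000" },
})] };
```

A request that arrives from an origin outside the allowlist, or that names an unexpected verifying contract, is reported in `findings` even when its content is readable.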