OpenSea Phishing Attack: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
No edit summary
(Massive first whack at progress. Down to 22 sources left to sort through.)
Line 3: Line 3:


[[File:Opensea.jpg|thumb|OpenSea]]OpenSea posts and official tweet to community that they are investigating the situation and believe that it's a phishing attack.
[[File:Opensea.jpg|thumb|OpenSea]]OpenSea posts and official tweet to community that they are investigating the situation and believe that it's a phishing attack.
<ref name="slowmist-2069" /><ref name="opensea-6981" /><ref name="openseayoutube-6982" /><ref name="openseadocs-6983" /><ref name="openseafaq-6984" /><ref name="openseaabout-6985" /><ref name="theverge-6986" /><ref name="peckshieldlist-6987" /><ref name="youtubenfts-6988" /><ref name="web3isgoinggreat-6989" /><ref name="jonhqtwitter-6990" /><ref name="ajfromdiscordtwitter-6991" /><ref name="mikeburgersburgtwitter-6992" /><ref name="attackersaddress-6993" /><ref name="openseatwitter-6994" /><ref name="dfinzertwitter-6995" /><ref name="nesotualtwitter-6996" /><ref name="theverge2-6997" /><ref name="dunexyz-6998" /><ref name="dfinzertwitter2-6999" /><ref name="coindesk-7000" /><ref name="zdnet-7001" /><ref name="cointelegraph-7002" /><ref name="cnet-7003" /><ref name="threatpost-7004" /><ref name="openseatwitter2-7005" /><ref name="openseatwitter3-7006" /><ref name="openseatwitter4-7007" /><ref name="coinyuppie-7234" /><ref name="cpomagazine-7315" /><ref name="nfttransferaway-8646" /><ref name="tenderlytracer-8647" /><ref name="talbeerysectwitter-8648" /><ref name="gadgets360-10518" /><ref name="openseatwitterannouncement-10519" /><ref name="nadavahollandertwitter-10520" /><ref name="thinksproutinfotech-8854" />
<ref name="dfinzertwitter-6995" /><ref name="nesotualtwitter-6996" /><ref name="theverge2-6997" /><ref name="dunexyz-6998" /><ref name="dfinzertwitter2-6999" /><ref name="coindesk-7000" /><ref name="zdnet-7001" /><ref name="cointelegraph-7002" /><ref name="cnet-7003" /><ref name="threatpost-7004" /><ref name="openseatwitter2-7005" /><ref name="openseatwitter3-7006" /><ref name="openseatwitter4-7007" /><ref name="coinyuppie-7234" /><ref name="cpomagazine-7315" /><ref name="nfttransferaway-8646" /><ref name="tenderlytracer-8647" /><ref name="talbeerysectwitter-8648" /><ref name="gadgets360-10518" /><ref name="openseatwitterannouncement-10519" /><ref name="nadavahollandertwitter-10520" /><ref name="thinksproutinfotech-8854" />


== About OpenSea ==
== About OpenSea ==
"The world’s first and largest digital marketplace for crypto collectibles and non-fungible tokens (NFTs). Buy, sell, and discover exclusive digital items." "Discover, collect, and sell extraordinary NFTs. OpenSea is the world's first and largest NFT marketplace."
"The world’s first and largest digital marketplace for crypto collectibles and non-fungible tokens (NFTs). Buy, sell, and discover exclusive digital items." "Discover, collect, and sell extraordinary NFTs. OpenSea is the world's first and largest NFT marketplace."<ref name="opensea-6981" /><ref name="openseayoutube-6982" /><ref name="openseadocs-6983" /><ref name="openseafaq-6984" /><ref name="openseaabout-6985" /><ref name="youtubenfts-6988" />


"As the first and largest marketplace for Non-Fungible Tokens and Semi-Fungible Tokens, OpenSea provides a first-in-class developer platform consisting of an API, SDK, and developer tutorials. Feel free to browse around and get acclimated with developing smart contracts and interacting with NFT data."
"As the first and largest marketplace for Non-Fungible Tokens and Semi-Fungible Tokens, OpenSea provides a first-in-class developer platform consisting of an API, SDK, and developer tutorials. Feel free to browse around and get acclimated with developing smart contracts and interacting with NFT data."
Line 42: Line 42:
!Description
!Description
|-
|-
|February 19th, 2022 6:38:00 PM
|February 19th, 2022 4:10:37 PM MST
|Main Event
|AJFromDiscord Malicious Transfer
|Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
|AJFromDiscord's 8 NFTs are taken<ref>[https://etherscan.io/tx/0x631c4620ae70c9a01322f5c951c26d1d428fd91542a6b07e8d0526040e262fe4 Malicious Transfer of AJFromDiscord's NFTs - Etherscan] (Apr 6, 2023)</ref>. (TBD more detail.)
|-
|February 19th, 2022 4:57:00 PM MST
|AJFromDiscord Tweet
|Twitter user AJFromDiscord (Alabaster Jefferson) posts that he's connected with others who also got hacked and links to a transaction which was executed<ref name="ajfromdiscordtwitter-6991" />. (TBD more details.)
|-
|February 19th, 2022 5:30:00 PM MST
|Jon_HQ Twitter Post
|Twitter user Jon_HQ makes a post which is widely cited, with the first report of a malicious transaction stealing funds<ref name="jonhqtwitter-6990" />. (TBD more detail).
|-
|February 19th, 2022 6:13:00 PM MST
|MikeBurgersburg Analysis Tweet
|Twitter user MikeBurgersburg posts a more detailed breakdown of the transaction flow and what he believes happened<ref name="mikeburgersburgtwitter-6992" />. (TBD more details).
|-
|February 19th, 2022 7:33:00 PM MST
|Web3isGoingGreat
|The incident makes the news in Web3isGoingGreat<ref name="web3isgoinggreat-6989" /><ref name=":0">[https://twitter.com/web3isgreat/status/1495225094549172225 <nowiki>web3isgreat - "[UPDATE]: OpenSea users panic as at least $1.7 million in NFTs are stolen" - Twitter</nowiki>] (Apr 6, 2023)</ref>.
|-
|February 20th, 2022 7:37:00 AM MST
|The Verge Article
|An article is published in The Verge, indicating that $1.7m had been lost in the attack<ref name="theverge-6986" />. (TBD expand with more detail.)
|-
|-
|February 20th, 2022 12:02:00 PM
|February 20th, 2022 12:02:00 PM
|OpenSea Tweet
|OpenSea Tweet
|OpenSea posts and official tweet to community that they are investigating the situation and believe that it's a phishing attack.
|OpenSea posts and official tweet to community that they are investigating the situation and believe that it's a phishing attack.
|-
|February 20th, 2022 10:06:00 PM MST
|Narrowed To 17 Victimes
|OpenSea posts that they've narrowed down the list of affected users to just 17<ref name="openseatwitter-6994" />.
|}
|}


== Total Amount Lost ==
== Total Amount Lost ==
"Molly White, who runs the blog Web3 is Going Great, estimated the value of the stolen tokens at more than $1.7 million." "OpenSea initially said 32 users had been affected, but later revised that number to 17, saying 15 of the initial count had interacted with the attacker but not lost tokens as a result."
 
 
Web3isGoingGreat originally estimated the loss at $1.7m<ref name=":0" />, however later revised the estimate to $2.9m<ref name="web3isgoinggreat-6989" />.<blockquote>"Molly White, who runs the blog Web3 is Going Great, estimated the value of the stolen tokens at more than $1.7 million." "OpenSea initially said 32 users had been affected, but later revised that number to 17, saying 15 of the initial count had interacted with the attacker but not lost tokens as a result."</blockquote>SlowMist estimated the loss amount at $3.4m<ref>[https://web.archive.org/web/20230406213510/https://hacked.slowmist.io/?c=&page=18 SlowMist Hack List Page 18 - SlowMist] (Apr 6, 2023)</ref>.
 
A list of stolen NFTs has been published on a Google Sheet<ref>[https://web.archive.org/web/20220412195159/https://docs.google.com/spreadsheets/d/1XQNIXuAl2E1XO_cP8pm_vbzskI_Pka4E5sizfcrLITM/edit Opensea Phishing Incident Stole NFT List - Google Sheet Archive] (Apr 6, 2023)</ref>, however the list has subsequently been removed<ref name="peckshieldlist-6987" />.


The total amount lost has been estimated at $3,400,000 USD.
The total amount lost has been estimated at $3,400,000 USD.
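Review bot: In the Total Amount Lost text, three estimates now sit side by side ($1.7m, revised to $2.9m, and SlowMist's $3.4m), but the unchanged closing line still states $3,400,000 USD without saying that it is the SlowMist figure; tie that line to its source. In the timeline rows, "Narrowed To 17 Victimes" should read "Victims". The unchanged "OpenSea Tweet" row has no timezone or citation while every added row carries MST and a ref, and its text "posts and official tweet" should read "posts an official tweet". The "(TBD more detail.)" placeholders are punctuated inconsistently across the added rows.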
Line 68: Line 96:
"Hackers return most of the unsold NFTs to victims." "Bizarrely, the hacker returned some of the NFTs to their original owners, and one victim inexplicably received 50 ETH ($130,000) from the attacker as well as some of his stolen NFTs back. The attacker later transferred 1,115 ETH obtained from the attack to a cryptocurrency tumbler, worth around $2.9 million."
"Hackers return most of the unsold NFTs to victims." "Bizarrely, the hacker returned some of the NFTs to their original owners, and one victim inexplicably received 50 ETH ($130,000) from the attacker as well as some of his stolen NFTs back. The attacker later transferred 1,115 ETH obtained from the attack to a cryptocurrency tumbler, worth around $2.9 million."


 
The attacker's wallet address has been flagged on Etherscan<ref name="attackersaddress-6993" />.


== Total Amount Recovered ==
== Total Amount Recovered ==
Line 84: Line 112:


== References ==
== References ==
<references><ref name="slowmist-2069">[https://hacked.slowmist.io/en/ SlowMist Hacked - SlowMist Zone] (Jun 25, 2021)</ref>
<references>
 
<ref name="slowmist-2069">[https://hacked.slowmist.io/en/ SlowMist Hacked - SlowMist Zone] (Jun 25, 2021)</ref>
<ref name="opensea-6981">[https://opensea.io/ https://opensea.io/] (Mar 9, 2022)</ref>
<ref name="opensea-6981">https://opensea.io/ (Mar 9, 2022)</ref>
 
<ref name="openseayoutube-6982">[https://www.youtube.com/watch?v=gfGuPd1CELo Meet OpenSea | The NFT marketplace with everything for everyone - YouTube] (Mar 9, 2022)</ref>
<ref name="openseayoutube-6982">[https://www.youtube.com/watch?v=gfGuPd1CELo Meet OpenSea | The NFT marketplace with everything for everyone - YouTube] (Mar 9, 2022)</ref>
 
<ref name="openseadocs-6983">https://docs.opensea.io/docs (Mar 9, 2022)</ref>
<ref name="openseadocs-6983">[https://docs.opensea.io/docs https://docs.opensea.io/docs] (Mar 9, 2022)</ref>
<ref name="openseafaq-6984">https://docs.opensea.io/docs/frequently-asked-questions (Mar 9, 2022)</ref>
 
<ref name="openseaabout-6985">https://opensea.io/about (Mar 9, 2022)</ref>
<ref name="openseafaq-6984">[https://docs.opensea.io/docs/frequently-asked-questions https://docs.opensea.io/docs/frequently-asked-questions] (Mar 9, 2022)</ref>
 
<ref name="openseaabout-6985">[https://opensea.io/about https://opensea.io/about] (Mar 9, 2022)</ref>
 
<ref name="theverge-6986">[https://www.theverge.com/2022/2/20/22943228/opensea-phishing-hack-smart-contract-bug-stolen-nft $1.7 million in NFTs stolen in apparent phishing attack on OpenSea users - The Verge] (Mar 9, 2022)</ref>
<ref name="theverge-6986">[https://www.theverge.com/2022/2/20/22943228/opensea-phishing-hack-smart-contract-bug-stolen-nft $1.7 million in NFTs stolen in apparent phishing attack on OpenSea users - The Verge] (Mar 9, 2022)</ref>
<ref name="peckshieldlist-6987">[https://docs.google.com/spreadsheets/d/1XQNIXuAl2E1XO_cP8pm_vbzskI_Pka4E5sizfcrLITM/edit Opensea Phishing Incident Stolen NFT List - Google Sheets] (Mar 9, 2022)</ref>
<ref name="peckshieldlist-6987">[https://docs.google.com/spreadsheets/d/1XQNIXuAl2E1XO_cP8pm_vbzskI_Pka4E5sizfcrLITM/edit Opensea Phishing Incident Stolen NFT List - Google Sheets] (Mar 9, 2022)</ref>
<ref name="youtubenfts-6988">[https://www.youtube.com/watch?v=H3TABd_nBJU NFTs and the $13B marketplace, explained - YouTube] (Mar 10, 2022)</ref>
<ref name="youtubenfts-6988">[https://www.youtube.com/watch?v=H3TABd_nBJU NFTs and the $13B marketplace, explained - YouTube] (Mar 10, 2022)</ref>
 
<ref name="web3isgoinggreat-6989">[https://web3isgoinggreat.com/?id=seventeen-opensea-users-hit-by-phishing-attack Seventeen OpenSea users have their NFTs stolen and flipped for a total of $2.9 million by a phishing scammer – Web3 Is Going Just Great] (Mar 10, 2022)</ref>
<ref name="web3isgoinggreat-6989">[https://web3isgoinggreat.com/?id=2022-02-19-1 Indian authorities arrest a group accused of $5 million cryptocurrency scam – Web3 Is Going Just Great] (Mar 10, 2022)</ref>
<ref name="jonhqtwitter-6990">[https://web.archive.org/web/20220220003416/https://twitter.com/Jon_HQ/status/1495194178355011586 <nowiki>Jon_HQ - "I am very unsure how this is working or what is being exploited but it seems that OpenSea's new contract is ab[so]lutely rugged." - Twitter</nowiki>] (Mar 10, 2022)</ref>
 
<ref name="ajfromdiscordtwitter-6991">[https://twitter.com/AJFromDiscord/status/1495185887625367556 AJFromDiscord - "ALL OF OUR STOLEN NFT'S WERE ONES WE MANUALLY MIGRATED ON OPENSEA" - Twitter] (Mar 10, 2022)</ref>
<ref name="jonhqtwitter-6990">[https://twitter.com/Jon_HQ/status/1495194178355011586 @Jon_HQ Twitter] (Mar 10, 2022)</ref>
<ref name="mikeburgersburgtwitter-6992">[https://twitter.com/MikeBurgersburg/status/1495204914460598289 MikeBurgersburg - "578 Ethereum (~$1.7 million) transferred from dozens of wallets through opensea to a hacker." -  Twitter] (Mar 10, 2022)</ref>
 
<ref name="attackersaddress-6993">[https://etherscan.io/address/0x3e0defb880cd8e163bad68abe66437f99a7a8a74 Attacker's Wallet Address - Etherscan] (Mar 10, 2022)</ref>
<ref name="ajfromdiscordtwitter-6991">[https://twitter.com/AJFromDiscord/status/1495185887625367556 @AJFromDiscord Twitter] (Mar 10, 2022)</ref>
<ref name="openseatwitter-6994">[https://twitter.com/opensea/status/1495625884514066433 opensea - "We’ve narrowed down the list of impacted individuals to 17, rather than the previously mentioned 32." - Twitter] (Mar 10, 2022)</ref>
 
<ref name="mikeburgersburgtwitter-6992">[https://twitter.com/MikeBurgersburg/status/1495204914460598289 @MikeBurgersburg Twitter] (Mar 10, 2022)</ref>
 
<ref name="attackersaddress-6993">[https://etherscan.io/address/0x3e0defb880cd8e163bad68abe66437f99a7a8a74 https://etherscan.io/address/0x3e0defb880cd8e163bad68abe66437f99a7a8a74] (Mar 10, 2022)</ref>
 
<ref name="openseatwitter-6994">[https://twitter.com/opensea/status/1495625884514066433 @opensea Twitter] (Mar 10, 2022)</ref>
 
<ref name="dfinzertwitter-6995">[https://twitter.com/dfinzer/status/1495245313304530952 @dfinzer Twitter] (Mar 10, 2022)</ref>
<ref name="dfinzertwitter-6995">[https://twitter.com/dfinzer/status/1495245313304530952 @dfinzer Twitter] (Mar 10, 2022)</ref>
<ref name="nesotualtwitter-6996">[https://twitter.com/Nesotual/status/1495223135800643592 @Nesotual Twitter] (Mar 10, 2022)</ref>
<ref name="nesotualtwitter-6996">[https://twitter.com/Nesotual/status/1495223135800643592 @Nesotual Twitter] (Mar 10, 2022)</ref>
<ref name="theverge2-6997">[https://www.theverge.com/2022/2/2/22914081/open-sea-nft-marketplace-web3-fundraising-finzer-a16z How OpenSea took over the NFT trade - The Verge] (Mar 10, 2022)</ref>
<ref name="theverge2-6997">[https://www.theverge.com/2022/2/2/22914081/open-sea-nft-marketplace-web3-fundraising-finzer-a16z How OpenSea took over the NFT trade - The Verge] (Mar 10, 2022)</ref>
<ref name="dunexyz-6998">[https://dune.xyz/queries/37672/74639 Dune Analytics] (Mar 10, 2022)</ref>
<ref name="dunexyz-6998">[https://dune.xyz/queries/37672/74639 Dune Analytics] (Mar 10, 2022)</ref>
<ref name="dfinzertwitter2-6999">[https://twitter.com/dfinzer/status/1495302786811981825 @dfinzer Twitter] (Mar 10, 2022)</ref>
<ref name="dfinzertwitter2-6999">[https://twitter.com/dfinzer/status/1495302786811981825 @dfinzer Twitter] (Mar 10, 2022)</ref>
<ref name="coindesk-7000">[https://www.coindesk.com/business/2022/02/21/opensea-says-phishing-attack-impacted-17-users/ OpenSea Says Phishing Attack Impacted 17 Users] (Mar 10, 2022)</ref>
<ref name="coindesk-7000">[https://www.coindesk.com/business/2022/02/21/opensea-says-phishing-attack-impacted-17-users/ OpenSea Says Phishing Attack Impacted 17 Users] (Mar 10, 2022)</ref>
<ref name="zdnet-7001">[https://www.zdnet.com/article/opensea-scam-artists-swindle-nfts-worth-millions-in-phishing-attack/ Scam artists swindle NFTs worth 'millions' in OpenSea phishing attack | ZDNet] (Mar 10, 2022)</ref>
<ref name="zdnet-7001">[https://www.zdnet.com/article/opensea-scam-artists-swindle-nfts-worth-millions-in-phishing-attack/ Scam artists swindle NFTs worth 'millions' in OpenSea phishing attack | ZDNet] (Mar 10, 2022)</ref>
<ref name="cointelegraph-7002">[https://cointelegraph.com/news/opensea-phishing-scandal-reveals-a-security-need-across-the-nft-landscape OpenSea phishing scandal reveals a security need across the NFT landscape] (Mar 10, 2022)</ref>
<ref name="cointelegraph-7002">[https://cointelegraph.com/news/opensea-phishing-scandal-reveals-a-security-need-across-the-nft-landscape OpenSea phishing scandal reveals a security need across the NFT landscape] (Mar 10, 2022)</ref>
<ref name="cnet-7003">[https://www.cnet.com/personal-finance/crypto/opensea-says-at-least-1-7m-in-nfts-stolen-in-phishing-attack/ OpenSea Says at Least $1.7M in NFTs Stolen in Phishing Attack - CNET] (Mar 10, 2022)</ref>
<ref name="cnet-7003">[https://www.cnet.com/personal-finance/crypto/opensea-says-at-least-1-7m-in-nfts-stolen-in-phishing-attack/ OpenSea Says at Least $1.7M in NFTs Stolen in Phishing Attack - CNET] (Mar 10, 2022)</ref>
<ref name="threatpost-7004">[https://threatpost.com/nft-investors-lose-1-7m-in-opensea-phishing-attack/178558/ NFT Investors Lose $1.7M in OpenSea Phishing Attack | Threatpost] (Mar 10, 2022)</ref>
<ref name="threatpost-7004">[https://threatpost.com/nft-investors-lose-1-7m-in-opensea-phishing-attack/178558/ NFT Investors Lose $1.7M in OpenSea Phishing Attack | Threatpost] (Mar 10, 2022)</ref>
<ref name="openseatwitter2-7005">[https://twitter.com/opensea/status/1495211277097996290 @opensea Twitter] (Mar 10, 2022)</ref>
<ref name="openseatwitter2-7005">[https://twitter.com/opensea/status/1495211277097996290 @opensea Twitter] (Mar 10, 2022)</ref>
<ref name="openseatwitter3-7006">[https://twitter.com/opensea/status/1495996847546335237 @opensea Twitter] (Mar 10, 2022)</ref>
<ref name="openseatwitter3-7006">[https://twitter.com/opensea/status/1495996847546335237 @opensea Twitter] (Mar 10, 2022)</ref>
<ref name="openseatwitter4-7007">[https://twitter.com/opensea/status/1497289446529536001 @opensea Twitter] (Mar 10, 2022)</ref>
<ref name="openseatwitter4-7007">[https://twitter.com/opensea/status/1497289446529536001 @opensea Twitter] (Mar 10, 2022)</ref>
<ref name="coinyuppie-7234">[https://coinyuppie.com/phishing-attack-from-opensea-to-analyze-blockchain-hacking-methods/ Phishing attack from OpenSea to analyze blockchain hacking methods - CoinYuppie: Bitcoin, Ethereum, Metaverse, NFT, DAO, DeFi, Dogecoin, Crypto News] (Mar 16, 2022)</ref>
<ref name="coinyuppie-7234">[https://coinyuppie.com/phishing-attack-from-opensea-to-analyze-blockchain-hacking-methods/ Phishing attack from OpenSea to analyze blockchain hacking methods - CoinYuppie: Bitcoin, Ethereum, Metaverse, NFT, DAO, DeFi, Dogecoin, Crypto News] (Mar 16, 2022)</ref>
 
<ref name="cpomagazine-7315">https://www.cpomagazine.com/cyber-security/phishing-attack-on-nft-marketplace-opensea-results-in-thefts-from-17-accounts-victims-tricked-into-signing-malicious-payloads/ (Mar 20, 2022)</ref>
<ref name="cpomagazine-7315">[https://www.cpomagazine.com/cyber-security/phishing-attack-on-nft-marketplace-opensea-results-in-thefts-from-17-accounts-victims-tricked-into-signing-malicious-payloads/ https://www.cpomagazine.com/cyber-security/phishing-attack-on-nft-marketplace-opensea-results-in-thefts-from-17-accounts-victims-tricked-into-signing-malicious-payloads/] (Mar 20, 2022)</ref>
<ref name="nfttransferaway-8646">https://etherscan.io/tx/0xdfa95e85496c489e7f3b2dbe570ed2b261c3390443c8f6053eb6d76acd30c5e9 (Jul 21, 2022)</ref>
 
<ref name="nfttransferaway-8646">[https://etherscan.io/tx/0xdfa95e85496c489e7f3b2dbe570ed2b261c3390443c8f6053eb6d76acd30c5e9  https://etherscan.io/tx/0xdfa95e85496c489e7f3b2dbe570ed2b261c3390443c8f6053eb6d76acd30c5e9] (Jul 21, 2022)</ref>
 
<ref name="tenderlytracer-8647">[https://dashboard.tenderly.co/tx/mainnet/0xdfa95e85496c489e7f3b2dbe570ed2b261c3390443c8f6053eb6d76acd30c5e9/debugger?trace=0.1 Tenderly Dashboard] (Jul 21, 2022)</ref>
<ref name="tenderlytracer-8647">[https://dashboard.tenderly.co/tx/mainnet/0xdfa95e85496c489e7f3b2dbe570ed2b261c3390443c8f6053eb6d76acd30c5e9/debugger?trace=0.1 Tenderly Dashboard] (Jul 21, 2022)</ref>
<ref name="talbeerysectwitter-8648">[https://twitter.com/TalBeerySec/status/1495331621351968769 @TalBeerySec Twitter] (Jul 21, 2022)</ref>
<ref name="talbeerysectwitter-8648">[https://twitter.com/TalBeerySec/status/1495331621351968769 @TalBeerySec Twitter] (Jul 21, 2022)</ref>
<ref name="gadgets360-10518">[https://www.gadgets360.com/cryptocurrency/news/opensea-nft-phishing-attack-usd-1-7-million-ether-missing-2779865 OpenSea Loses NFTs Worth $1.7 Million in Phishing Attack, Investigation Underway | Technology News] (Feb 6, 2023)</ref>
<ref name="gadgets360-10518">[https://www.gadgets360.com/cryptocurrency/news/opensea-nft-phishing-attack-usd-1-7-million-ether-missing-2779865 OpenSea Loses NFTs Worth $1.7 Million in Phishing Attack, Investigation Underway | Technology News] (Feb 6, 2023)</ref>
<ref name="openseatwitterannouncement-10519">[https://twitter.com/opensea/status/1495473882806947841 @opensea Twitter] (Feb 6, 2023)</ref>
<ref name="openseatwitterannouncement-10519">[https://twitter.com/opensea/status/1495473882806947841 @opensea Twitter] (Feb 6, 2023)</ref>
<ref name="nadavahollandertwitter-10520">[https://twitter.com/NadavAHollander/status/1495509514199650313 @NadavAHollander Twitter] (Feb 6, 2023)</ref>
<ref name="nadavahollandertwitter-10520">[https://twitter.com/NadavAHollander/status/1495509514199650313 @NadavAHollander Twitter] (Feb 6, 2023)</ref>
 
<ref name="thinksproutinfotech-8854">[https://thinksproutinfotech.com/news/phishing-attack-strikes-moonbirds-nft-project-details-here/ Phishing Attack Strikes ‘Moonbirds’ NFT Project, Details Here - Techsprout News] (Aug 23, 2022)</ref>
<ref name="thinksproutinfotech-8854">[https://thinksproutinfotech.com/news/phishing-attack-strikes-moonbirds-nft-project-details-here/ Phishing Attack Strikes ‘Moonbirds’ NFT Project, Details Here - Techsprout News] (Aug 23, 2022)</ref></references>
</references>
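Review bot: The ref named "web3isgoinggreat-6989" appears in this hunk with two different targets, and the one titled "Indian authorities arrest a group accused of $5 million cryptocurrency scam" (?id=2022-02-19-1) does not describe this incident; confirm the saved revision keeps the "Seventeen OpenSea users have their NFTs stolen..." link. Several Twitter refs gained descriptive titles (Jon_HQ, AJFromDiscord, MikeBurgersburg, opensea-6994), while the dfinzer, Nesotual, TalBeerySec, NadavAHollander and remaining opensea entries still read "@handle Twitter"; titling them the same way would keep the list consistent. The Jon_HQ ref was also pointed at an Internet Archive copy, which the other tweet links do not have.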

Revision as of 16:04, 6 April 2023


OpenSea

OpenSea posts an official tweet to the community saying that they are investigating the situation and believe that it's a phishing attack.

[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22]

About OpenSea

"The world’s first and largest digital marketplace for crypto collectibles and non-fungible tokens (NFTs). Buy, sell, and discover exclusive digital items." "Discover, collect, and sell extraordinary NFTs. OpenSea is the world's first and largest NFT marketplace."[23][24][25][26][27][28]

"As the first and largest marketplace for Non-Fungible Tokens and Semi-Fungible Tokens, OpenSea provides a first-in-class developer platform consisting of an API, SDK, and developer tutorials. Feel free to browse around and get acclimated with developing smart contracts and interacting with NFT data."

"Fascinated by the [CryptoKitties] movement that was forming, Devin Finzer and Alex Atallah joined early adopter communities in Discord and started talking to users. With the OpenSea beta launch in December 2017, the first open marketplace for any non-fungible token on the Ethereum blockchain was born."

"Valued at $13 billion in a recent funding round, OpenSea has become one of the most valuable companies of the NFT boom, providing a simple interface for users to list, browse, and bid on tokens without interacting directly with the blockchain."

"The Zhifan security team analyzed and found that [a] hacker address 0x3E0…8A74 created a smart contract 0xa2…45bD at 9:31:12 (UTC) on January 22, one month ago."

The Reality

"A number of users posted a warning on Twitter [on the] morning [of February 19th] that the new migration contract launched by OpenSea yesterday was suspected of having a bug, and the attacker used the bug to steal a large amount of NFT and sell more than 0 ~$3.4 million) NFTs, most of which have been deposited in TornadoCash." "Early explanations blamed a new contract that OpenSea had rolled out, or an airdrop from a new NFT marketplace called X2Y2. People urged NFT owners to revoke permissions for both the OpenSea contract and for X2Y2 until more was known, although one of the most popular websites helping people do so went down shortly after from the high traffic."

"OpenSea was in the process of updating its contract system when the attack took place, but OpenSea has denied that the attack originated with the new contracts. The relatively small number of targets makes such a vulnerability unlikely, since any flaw in the broader platform would likely be exploited on a far greater scale."

What Happened

"Panic erupted on February 19 as a few users saw their wallets emptied of valuable NFTs without knowing why, and many others feared the same could happen to them." "[A]ttackers stole hundreds of NFTs from OpenSea users, causing a late-night panic among the site’s broad user base. A spreadsheet compiled by the blockchain security service PeckShield counted 254 tokens stolen over the course of the attack, including tokens from Decentraland and Bored Ape Yacht Club, with the bulk of the attacks taking place between 5PM and 8PM ET."

"An hour and a half after users began to report missing NFTs, OpenSea finally acknowledged the issue. They tweeted that they were "actively investigating rumors of an exploit associated with OpenSea related smart contracts", and wrote that they believed it was a phishing attack coming from outside of OpenSea, rather than an issue with their contract."

"It was later determined that an attacker had successfully phished 17 OpenSea users into signing a malicious contract, which allowed the attacker to take the NFTs and then flip them."

"The attack appears to have exploited a flexibility in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those made on OpenSea. One explanation (linked by CEO Devin Finzer on Twitter) described the attack in two parts: first, targets signed a partial contract, with a general authorization and large portions left blank. With the signature in place, attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment. In essence, targets of the attack had signed a blank check — and once it was signed, attackers filled in the rest of the check to take their holdings."
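The "blank check" described above can be turned into a pre-signature check that a wallet or signing tool runs before the user approves an order (an added example, not code from OpenSea or from the sources quoted here). The order is a simplified model whose field names follow Wyvern's order struct; the addresses, the allowlist and the finding names are constructed for illustration.

```python
from dataclasses import dataclass

# Wyvern's HowToCall enum: 0 = Call, 1 = DelegateCall.
CALL, DELEGATECALL = 0, 1

# ERC-721 transferFrom(address,address,uint256) function selector.
TRANSFER_FROM = bytes.fromhex("23b872dd")


@dataclass
class Order:
    """Simplified sell order; only the fields this check looks at."""
    target: str                 # contract the order will call on the maker's behalf
    how_to_call: int            # CALL or DELEGATECALL
    calldata: bytes             # call the maker is committing to
    replacement_pattern: bytes  # set bits = calldata bytes the counterparty may overwrite
    base_price_wei: int         # what the maker is paid


def lint_order(order, trusted_targets):
    """Return the reasons this order looks like a signed blank check (empty list = none)."""
    findings = []

    # "transferred ownership of the NFTs without payment"
    if order.base_price_wei == 0:
        findings.append("ZERO_PRICE")

    # "a call to their own contract"
    trusted = order.target.lower() in trusted_targets
    if not trusted:
        findings.append("UNTRUSTED_TARGET")
        if order.how_to_call == DELEGATECALL:
            findings.append("DELEGATECALL_TO_UNTRUSTED")

    # "large portions left blank": the signer does not even fix which function runs
    mask = order.replacement_pattern
    if len(order.calldata) < 4 or any(mask[:4]):
        findings.append("OPEN_SELECTOR")
    else:
        # Selector is fixed, but every argument byte is left to the counterparty.
        args_mask = mask[4:len(order.calldata)]
        if args_mask and all(b == 0xFF for b in args_mask):
            findings.append("ALL_ARGUMENTS_OPEN")

    return findings


def word(value=0):
    """One 32-byte ABI word."""
    return value.to_bytes(32, "big")


# --- Constructed sample data (not taken from the incident) ---
NFT_CONTRACT = "0x" + "aa" * 20       # collection the user means to sell from
UNKNOWN_CONTRACT = "0x" + "bb" * 20   # contract the user has never dealt with
TRUSTED = {NFT_CONTRACT}

# Ordinary listing: fixed function, fixed sender and token id, only the
# recipient word is left for the buyer to fill in, and a price is set.
LISTING = Order(
    target=NFT_CONTRACT,
    how_to_call=CALL,
    calldata=TRANSFER_FROM + word(0x1234) + word(0) + word(42),
    replacement_pattern=bytes(4) + bytes(32) + b"\xff" * 32 + bytes(32),
    base_price_wei=10**18,
)

# Blank check: no price, unknown target, delegatecall, nothing pinned down.
BLANK_CHECK = Order(
    target=UNKNOWN_CONTRACT,
    how_to_call=DELEGATECALL,
    calldata=b"",
    replacement_pattern=b"",
    base_price_wei=0,
)

# Trusted target and a price, but every argument is replaceable.
OPEN_ARGS = Order(
    target=NFT_CONTRACT,
    how_to_call=CALL,
    calldata=TRANSFER_FROM + word() * 3,
    replacement_pattern=bytes(4) + b"\xff" * 96,
    base_price_wei=10**18,
)

if __name__ == "__main__":
    for name, order in [("listing", LISTING), ("blank check", BLANK_CHECK),
                        ("open args", OPEN_ARGS)]:
        print(f"{name}: {lint_order(order, TRUSTED) or 'no findings'}")
```
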

"[M]any details of the attack remain unclear — particularly the method attackers used to get targets to sign the half-empty contract. Writing on Twitter shortly before 3AM ET, OpenSea CEO Devin Finzer said the attacks had not originated from OpenSea’s website, its various listing systems, or any emails from the company. The rapid pace of the attack — hundreds of transactions in a matter of hours — suggests some common vector of attack, but so far no link has been discovered."

Twitter user @NadavAHollander explains the exploit further:

"None of the malicious orders were executed against the new (Wyvern 2.3) contract, indicating that they were signed before the migration and are unlikely to be related to OpenSea’s migration flow."

Key Event Timeline - OpenSea Phishing Attack
Date | Event | Description
February 19th, 2022 4:10:37 PM MST | AJFromDiscord Malicious Transfer | AJFromDiscord's 8 NFTs are taken[29]. (TBD more detail.)
February 19th, 2022 4:57:00 PM MST | AJFromDiscord Tweet | Twitter user AJFromDiscord (Alabaster Jefferson) posts that he's connected with others who also got hacked and links to a transaction which was executed[30]. (TBD more details.)
February 19th, 2022 5:30:00 PM MST | Jon_HQ Twitter Post | Twitter user Jon_HQ makes a post which is widely cited, with the first report of a malicious transaction stealing funds[31]. (TBD more detail.)
February 19th, 2022 6:13:00 PM MST | MikeBurgersburg Analysis Tweet | Twitter user MikeBurgersburg posts a more detailed breakdown of the transaction flow and what he believes happened[32]. (TBD more details.)
February 19th, 2022 7:33:00 PM MST | Web3isGoingGreat | The incident makes the news in Web3isGoingGreat[33][34].
February 20th, 2022 7:37:00 AM MST | The Verge Article | An article is published in The Verge, indicating that $1.7m had been lost in the attack[35]. (TBD expand with more detail.)
February 20th, 2022 12:02:00 PM | OpenSea Tweet | OpenSea posts an official tweet to the community saying that they are investigating the situation and believe that it's a phishing attack.
February 20th, 2022 10:06:00 PM MST | Narrowed To 17 Victims | OpenSea posts that they've narrowed down the list of affected users to just 17[36].

Total Amount Lost

Web3isGoingGreat originally estimated the loss at $1.7m[34], but later revised the estimate to $2.9m[33].

"Molly White, who runs the blog Web3 is Going Great, estimated the value of the stolen tokens at more than $1.7 million." "OpenSea initially said 32 users had been affected, but later revised that number to 17, saying 15 of the initial count had interacted with the attacker but not lost tokens as a result."

SlowMist estimated the loss amount at $3.4m[37].

A list of stolen NFTs was published on a Google Sheet[38]; however, the list has subsequently been removed[39].

The total amount lost has been estimated at $3,400,000 USD.

Immediate Reactions

“I checked every transaction,” said [one] user, who goes by Neso. “They all have valid signatures from the people who lost NFTs so anyone claiming they didn’t get phished but lost NFTs is sadly wrong.”

"OpenSea co-founder and CEO Devin Finzer confirmed the phishing attack in a tweet." "Afterwards, Devin Finzer confirmed that this was a “phishing attack”, but it has not been possible to verify where the “phishing” occurred. The only thing that can be confirmed after investigation is that the phishing attack did not come from the inside of the OpenSea website."

An official statement was released by OpenSea at the time.

"Our leadership, engineering, and security teams are communicating with affected users to gather details. We continue to believe that this is a phishing attack that originated outside of http://opensea.io."

Ultimate Outcome

"Hackers return most of the unsold NFTs to victims." "Bizarrely, the hacker returned some of the NFTs to their original owners, and one victim inexplicably received 50 ETH ($130,000) from the attacker as well as some of his stolen NFTs back. The attacker later transferred 1,115 ETH obtained from the attack to a cryptocurrency tumbler, worth around $2.9 million."

The attacker's wallet address has been flagged on Etherscan[40].

Total Amount Recovered

"Hackers return most of the unsold NFTs to victims." "Bizarrely, the hacker returned some of the NFTs to their original owners, and one victim inexplicably received 50 ETH ($130,000) from the attacker as well as some of his stolen NFTs back. The attacker later transferred 1,115 ETH obtained from the attack to a cryptocurrency tumbler, worth around $2.9 million."

The total amount recovered has been estimated at $1,700,000 USD.

Ongoing Developments

"[M]any details of the attack remain unclear — particularly the method attackers used to get targets to sign the half-empty contract. Writing on Twitter shortly before 3AM ET, OpenSea CEO Devin Finzer said the attacks had not originated from OpenSea’s website, its various listing systems, or any emails from the company. The rapid pace of the attack — hundreds of transactions in a matter of hours — suggests some common vector of attack, but so far no link has been discovered."

"We're reaching out to the folks who reported this to investigate. Please continue to be vigilant when prompted with a wallet signature."

Prevention Policies

Which policies could have prevented this event from happening?

References

  1. @dfinzer Twitter (Mar 10, 2022)
  2. @Nesotual Twitter (Mar 10, 2022)
  3. How OpenSea took over the NFT trade - The Verge (Mar 10, 2022)
  4. Dune Analytics (Mar 10, 2022)
  5. @dfinzer Twitter (Mar 10, 2022)
  6. OpenSea Says Phishing Attack Impacted 17 Users (Mar 10, 2022)
  7. Scam artists swindle NFTs worth 'millions' in OpenSea phishing attack | ZDNet (Mar 10, 2022)
  8. OpenSea phishing scandal reveals a security need across the NFT landscape (Mar 10, 2022)
  9. OpenSea Says at Least $1.7M in NFTs Stolen in Phishing Attack - CNET (Mar 10, 2022)
  10. NFT Investors Lose $1.7M in OpenSea Phishing Attack | Threatpost (Mar 10, 2022)
  11. @opensea Twitter (Mar 10, 2022)
  12. @opensea Twitter (Mar 10, 2022)
  13. @opensea Twitter (Mar 10, 2022)
  14. Phishing attack from OpenSea to analyze blockchain hacking methods - CoinYuppie: Bitcoin, Ethereum, Metaverse, NFT, DAO, DeFi, Dogecoin, Crypto News (Mar 16, 2022)
  15. https://www.cpomagazine.com/cyber-security/phishing-attack-on-nft-marketplace-opensea-results-in-thefts-from-17-accounts-victims-tricked-into-signing-malicious-payloads/ (Mar 20, 2022)
  16. https://etherscan.io/tx/0xdfa95e85496c489e7f3b2dbe570ed2b261c3390443c8f6053eb6d76acd30c5e9 (Jul 21, 2022)
  17. Tenderly Dashboard (Jul 21, 2022)
  18. @TalBeerySec Twitter (Jul 21, 2022)
  19. OpenSea Loses NFTs Worth $1.7 Million in Phishing Attack, Investigation Underway | Technology News (Feb 6, 2023)
  20. @opensea Twitter (Feb 6, 2023)
  21. @NadavAHollander Twitter (Feb 6, 2023)
  22. Phishing Attack Strikes ‘Moonbirds’ NFT Project, Details Here - Techsprout News (Aug 23, 2022)
  23. https://opensea.io/ (Mar 9, 2022)
  24. Meet OpenSea | The NFT marketplace with everything for everyone - YouTube (Mar 9, 2022)
  25. https://docs.opensea.io/docs (Mar 9, 2022)
  26. https://docs.opensea.io/docs/frequently-asked-questions (Mar 9, 2022)
  27. https://opensea.io/about (Mar 9, 2022)
  28. NFTs and the $13B marketplace, explained - YouTube (Mar 10, 2022)
  29. Malicious Transfer of AJFromDiscord's NFTs - Etherscan (Apr 6, 2023)
  30. AJFromDiscord - "ALL OF OUR STOLEN NFT'S WERE ONES WE MANUALLY MIGRATED ON OPENSEA" - Twitter (Mar 10, 2022)
  31. Jon_HQ - "I am very unsure how this is working or what is being exploited but it seems that OpenSea's new contract is ab[so]lutely rugged." - Twitter (Mar 10, 2022)
  32. MikeBurgersburg - "578 Ethereum (~$1.7 million) transferred from dozens of wallets through opensea to a hacker." - Twitter (Mar 10, 2022)
  33. Seventeen OpenSea users have their NFTs stolen and flipped for a total of $2.9 million by a phishing scammer – Web3 Is Going Just Great (Mar 10, 2022)
  34. web3isgreat - "[UPDATE]: OpenSea users panic as at least $1.7 million in NFTs are stolen" - Twitter (Apr 6, 2023)
  35. $1.7 million in NFTs stolen in apparent phishing attack on OpenSea users - The Verge (Mar 9, 2022)
  36. opensea - "We’ve narrowed down the list of impacted individuals to 17, rather than the previously mentioned 32." - Twitter (Mar 10, 2022)
  37. SlowMist Hack List Page 18 - SlowMist (Apr 6, 2023)
  38. Opensea Phishing Incident Stole NFT List - Google Sheet Archive (Apr 6, 2023)
  39. Opensea Phishing Incident Stolen NFT List - Google Sheets (Mar 9, 2022)
  40. Attacker's Wallet Address - Etherscan (Mar 10, 2022)
