A vulnerability in the process OpenSea used to upgrade its NFT marketplace smart contracts was exploited by malicious actors, who ran a phishing attack against 17 users and stole $1.7 million worth of virtual assets.
NFTs, short for non-fungible tokens, are digital tokens that work like certificates of authenticity for assets; in some cases an NFT amounts to ownership of the asset itself, and those assets range from expensive illustrations to collectibles and physical goods.
The attackers deceived users by using OpenSea’s email address for notifying users of the upgrades, sending a copied email that redirected victims to a fake webpage that appeared genuine. The webpage asked them to sign a transaction that led to the theft of their NFTs in one go.
“By signing the transaction, an atomicMatch_ request would be sent to the attacker contract,” Check Point researchers explained. “From there, the atomicMatch_ would be forwarded to the OpenSea contract,” leading to the transfer of the NFTs from the victim to the attacker.
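To make the quoted flow concrete, here is an added illustrative model (constructed for this article, not OpenSea or Wyvern code) of why a single signed marketplace order is enough for a later settlement by someone else. The order fields are a simplified stand-in for a Wyvern-style order, `TRUSTED_EXCHANGE` is a placeholder address, the asset identifiers and account names are constructed, and the "signature" is modelled as the maker approving an order hash rather than a real ECDSA signature. `signing_risks` is the wallet-side check a user or wallet UI could apply before signing anything.

```python
from dataclasses import dataclass
import hashlib

# Zero address as taker: the order may be filled by anyone (constructed convention).
ANY_TAKER = "0x0000000000000000000000000000000000000000"
# Assumption: placeholder for the marketplace contract the wallet trusts.
TRUSTED_EXCHANGE = "0xTRUSTED_EXCHANGE_PLACEHOLDER"


@dataclass(frozen=True)
class Order:
    exchange: str    # contract expected to settle the order
    maker: str       # account that signs/approves the order
    taker: str       # counterparty; ANY_TAKER means anyone may fill it
    side: str        # "sell" or "buy"
    asset: str       # identifier of the token being traded (constructed)
    base_price: int  # price in wei


def order_hash(o: Order) -> str:
    """Deterministic hash over every order field; stands in for the on-chain order hash."""
    fields = [o.exchange, o.maker, o.taker, o.side, o.asset, str(o.base_price)]
    return hashlib.sha256("|".join(fields).encode()).hexdigest()


def approve(o: Order, approvals: set) -> str:
    """Models the maker signing the order once; the approved hash is what later permits settlement."""
    h = order_hash(o)
    approvals.add(h)
    return h


def atomic_match(sell: Order, buy: Order, approvals: set, caller: str) -> dict:
    """Simplified settlement: the caller brings its own buy order, so only the sell
    side must carry the maker's earlier approval. Returns the resulting transfer."""
    if order_hash(sell) not in approvals:
        raise PermissionError("sell order was never signed by its maker")
    if buy.maker != caller:
        raise PermissionError("caller must be the maker of the buy order")
    if sell.taker not in (ANY_TAKER, caller):
        raise PermissionError("sell order is reserved for a different taker")
    if sell.side != "sell" or buy.side != "buy":
        raise ValueError("order sides do not match")
    if buy.asset != sell.asset or buy.base_price < sell.base_price:
        raise ValueError("buy order does not satisfy the sell order")
    return {"asset": sell.asset, "from": sell.maker, "to": buy.maker, "paid": buy.base_price}


def signing_risks(o: Order, trusted_exchange: str = TRUSTED_EXCHANGE) -> list:
    """Wallet-side review before signing: returns the reasons this order is dangerous."""
    risks = []
    if o.exchange.lower() != trusted_exchange.lower():
        risks.append("order is addressed to a contract other than the trusted marketplace")
    if o.side == "sell" and o.base_price == 0:
        risks.append("sell order gives the asset away for nothing")
    if o.side == "sell" and o.taker == ANY_TAKER:
        risks.append("sell order can be filled by anyone, not a chosen buyer")
    return risks


def simulate_phish(victim: str, attacker: str) -> dict:
    """Walks through the pattern described in the article with constructed accounts:
    the victim signs a zero-price open sell order once; the attacker settles it later."""
    approvals = set()
    bait = Order(TRUSTED_EXCHANGE, victim, ANY_TAKER, "sell", "nft:collection/42", 0)
    approve(bait, approvals)  # the signature obtained on the fake page
    take = Order(TRUSTED_EXCHANGE, attacker, victim, "buy", "nft:collection/42", 0)
    return atomic_match(bait, take, approvals, attacker)


if __name__ == "__main__":
    bait = Order(TRUSTED_EXCHANGE, "0xvictim", ANY_TAKER, "sell", "nft:collection/42", 0)
    for r in signing_risks(bait):
        print("refuse to sign:", r)
    print(simulate_phish("0xvictim", "0xattacker"))
```

The point of `signing_risks` is that a legitimate listing (a positive price, or a specific buyer) produces no findings, while the bait order fails two checks without needing any knowledge of who will eventually call `atomic_match`; the dangerous moment is the signature, not the later settlement.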
OpenSea, a New York-based firm, began its smart contract migration, called “Wyvern,” on February 18, spanning a week until February 25. The migration covers old, existing passive listings on the Ethereum blockchain.
The company stated that investigations are underway to track the attack’s origin. It must be underscored that victims signed malicious orders before OpenSea began its migration. “The attack no longer seems to be active, but we are continuing to monitor. We have not seen activity from the attacker’s wallet in >36 hours,” OpenSea said in an update.
“Signing a transaction is similar to giving someone permission to access all your NFTs and cryptocurrencies,” Check Point said. “This is why signing is very dangerous. Pay extra attention to where and when you sign a transaction.”
The development also comes as cybercriminals are exploiting the growing popularity of NFTs to trick victims into downloading the BitRAT remote access trojan, which is capable of stealing browser credentials, mining cryptocurrency, and harvesting sensitive information.