A threat actor has made over $2m from customers of OpenSea after launching a well-timed phishing attack against the marketplace for non-fungible tokens (NFTs).
Check Point researchers said the attack happened a few days ago when OpenSea published an article about an upcoming contract upgrade.
Users were required to “migrate” their listings on Ethereum to a new smart contract and were sent an email explaining what to do.
This was when the fraudster stepped in, spoofing a similar email with a malicious link that took recipients to a convincing-looking phishing page imitating the migration step. The page asked the user to sign a transaction.
“By signing the transaction, an atomicMatch request would be sent to the attacker contract, which he had created a month prior to the attack,” Check Point explained.
“From there, the atomicMatch_ would be forwarded to the OpenSea contract. AtomicMatch in OpenSea is responsible for all the trading on OpenSea with minimal trust. Atomic means that the transaction will only take place if all the parameters of the transaction are met. And this is how all the NFTs are moving around accounts at OpenSea.”
In this way, the attacker was able to take all of a victim’s NFTs on the site with a single signed transaction: the victim never saw the OpenSea contract in what they signed, only the attacker’s intermediary contract that forwarded the atomicMatch call.
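The forwarding pattern described above is visible in the calldata before anyone signs it: the call is addressed to a contract that is not the exchange, while the orders inside it still name the real exchange, and the sell side carries a price of zero. The following pure-Python checker is an added example, not Check Point’s or OpenSea’s code. It assumes the Wyvern `atomicMatch_` selector `0xab834bab` and the field order of the leading `address[14]` and `uint256[18]` arguments as the author recalls them from the public Wyvern Exchange ABI; the exchange, attacker and victim addresses are placeholders, and the sample calls are constructed inline.

```python
"""Audit the head of a Wyvern atomicMatch_ call before signing it.

Added example (not code from the page, Check Point or OpenSea).
Assumptions: selector 0xab834bab and the addrs/uints layout below follow the
public Wyvern Exchange ABI as the author recalls it; all addresses are placeholders.
"""
from typing import Dict, List

ATOMIC_MATCH_SELECTOR = bytes.fromhex("ab834bab")  # assumed: atomicMatch_(...)

EXCHANGE = "0x" + "11" * 20           # placeholder for the genuine exchange contract
ATTACKER_CONTRACT = "0x" + "bb" * 20  # placeholder for a forwarding contract
VICTIM = "0x" + "cc" * 20             # placeholder for the wallet asked to sign
KNOWN_EXCHANGES = {EXCHANGE: "exchange contract published by the marketplace (placeholder)"}

# Assumed layout: the buy order's seven addresses, then the sell order's seven;
# the buy order's nine uints, then the sell order's nine (Wyvern Order struct order).
ORDER_ADDRS = ["exchange", "maker", "taker", "feeRecipient", "target", "staticTarget", "paymentToken"]
ORDER_UINTS = ["makerRelayerFee", "takerRelayerFee", "makerProtocolFee", "takerProtocolFee",
               "basePrice", "extra", "listingTime", "expirationTime", "salt"]
ADDR_FIELDS = [f"buy_{n}" for n in ORDER_ADDRS] + [f"sell_{n}" for n in ORDER_ADDRS]
UINT_FIELDS = [f"buy_{n}" for n in ORDER_UINTS] + [f"sell_{n}" for n in ORDER_UINTS]
HEAD_WORDS = len(ADDR_FIELDS) + len(UINT_FIELDS)  # 32 ABI words we decode


def _word(body: bytes, i: int) -> bytes:
    return body[32 * i: 32 * (i + 1)]


def decode_head(calldata: bytes) -> Dict[str, Dict]:
    """Decode the address[14] and uint256[18] arguments that lead an atomicMatch_ call."""
    if calldata[:4] != ATOMIC_MATCH_SELECTOR:
        raise ValueError(f"not atomicMatch_: selector {calldata[:4].hex()}")
    body = calldata[4:]
    if len(body) < 32 * HEAD_WORDS:
        raise ValueError("calldata too short for the atomicMatch_ head")
    addrs = {n: "0x" + _word(body, i)[12:].hex() for i, n in enumerate(ADDR_FIELDS)}
    uints = {n: int.from_bytes(_word(body, len(ADDR_FIELDS) + i), "big")
             for i, n in enumerate(UINT_FIELDS)}
    return {"addrs": addrs, "uints": uints}


def audit(to: str, wallet: str, calldata: bytes) -> List[str]:
    """Return the reasons `wallet` should refuse to sign a call to `to` (empty list = clean)."""
    head = decode_head(calldata)
    a, u = head["addrs"], head["uints"]
    to, wallet = to.lower(), wallet.lower()
    findings = []
    if to not in KNOWN_EXCHANGES:
        findings.append(f"call is addressed to {to}, which is not a known exchange contract")
    if a["buy_exchange"] != to or a["sell_exchange"] != to:
        findings.append("orders name a different exchange than the contract being called (forwarding)")
    if a["sell_maker"] == wallet and u["sell_basePrice"] == 0:
        findings.append("you are the seller and basePrice is 0: the NFT would be given away")
    if wallet not in (a["buy_maker"], a["sell_maker"]):
        findings.append("neither order is yours, yet you are asked to sign the match")
    return findings


def encode_call(addrs: Dict[str, str], uints: Dict[str, int]) -> bytes:
    """Build the head of an atomicMatch_ call (constructed input; dynamic tail omitted)."""
    body = b"".join(bytes.fromhex(addrs[n][2:]).rjust(32, b"\0") for n in ADDR_FIELDS)
    body += b"".join(uints[n].to_bytes(32, "big") for n in UINT_FIELDS)
    return ATOMIC_MATCH_SELECTOR + body


def sample_call(exchange_field: str, price: int) -> bytes:
    """Constructed match of VICTIM's sell order at `price` against a buyer's order."""
    addrs = {n: "0x" + "00" * 20 for n in ADDR_FIELDS}
    uints = {n: 0 for n in UINT_FIELDS}
    for side in ("buy", "sell"):
        addrs[f"{side}_exchange"] = exchange_field
        uints[f"{side}_basePrice"] = price
    addrs["sell_maker"] = VICTIM
    addrs["buy_maker"] = "0x" + "dd" * 20  # placeholder for whoever receives the NFT
    return encode_call(addrs, uints)


if __name__ == "__main__":
    print("genuine listing:", audit(EXCHANGE, VICTIM, sample_call(EXCHANGE, 10**18)) or "no findings")
    for finding in audit(ATTACKER_CONTRACT, VICTIM, sample_call(EXCHANGE, 0)):
        print("phishing call:", finding)
```

The genuine listing produces no findings; the phishing call, addressed to the intermediary contract while the embedded orders still point at the real exchange and give the NFT away for nothing, produces three. A wallet that surfaced even the first finding (the destination is not the contract the marketplace told you to interact with) would have shown the victims that the "migration" was not what the email claimed.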
According to the researchers, the attacker’s cryptocurrency wallet has over $2m worth of Ethereum in it from selling some of the stolen NFTs.
“It was not long ago that the only people buying crypto were ‘techies’ who knew to keep their wallets locked in safes on flash drives. Today, however, almost anyone can buy crypto and NFTs in minutes. The result is that the average user is buying NFTs, heavily advertising their ownership of the valuable asset online and making it all too easy for attackers to launch targeted phishing attacks against them,” argued Magni Reynir Sigurðsson, senior manager of detection technologies at Cyren.
“Luckily, you can protect yourself from NFT-specific phishing attacks in the same way you can other phishing campaigns. Such attacks usually start with a phishing email or SMS message. So, be sure to scrutinize the sender, the URL in the message and any included attachment, to verify the legitimacy of the message.”