Millions of Dollars in NFTs Phished from OpenSea Users

In an incident that should come as no surprise to anyone following the wild surge in popularity of non-fungible tokens, a malicious actor managed to steal around $2 million worth of NFTs from users of the OpenSea NFT marketplace in a well-timed phishing attack.

OpenSea bills itself as the biggest NFT marketplace in the world, offering a peer-to-peer venue for exchanging non-fungible tokens (NFTs). At the time of the attack, the platform was beginning an update meant to deal with inactive token listings. Because the update required user action and a contract migration, OpenSea sent users detailed instructions explaining what they needed to do on their end.

Phishing at the Right Time

However, the threat actor behind the phishing attack moved fast and sent phishing emails to OpenSea users. The bait was tailored to look almost identical to the genuine message sent by OpenSea; the only difference was the malicious links the phishing emails contained.

The bad link redirects victims to a specifically doctored phishing page that looks almost the same as the page used by OpenSea, but the malicious page also tells users to enable "smart contract data" and "blind signing" - text that is absent on the official OpenSea page.

Attacker Came Prepared

The attacker behind the phishing campaign had set up a contract roughly a month before the attack. Once victims sign the malicious transaction on the phishing page, they send an atomicMatch_ request to the threat actor's contract. OpenSea uses the atomicMatch_ request to authorize a trade only when all parameters of the exchange are satisfied, so a signed request whose parameters point at the attacker's contract hands over the tokens on the victim's own authority.
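As an added illustration of the defensive check a wallet or browser extension could run before the user signs (my example, not OpenSea's or Check Point's code): it inspects a pending atomicMatch_ request and flags a call aimed at an unlisted or recently deployed contract, an order whose exchange fields disagree with the call target, or a request to sign blind. The 4-byte selector, the Wyvern address[14] layout and every address below are assumptions or constructed placeholders, not values from the article.

```python
from dataclasses import dataclass

SELECTOR = "ab834bab"                   # atomicMatch_ 4-byte selector (assumed)
TRUSTED_EXCHANGES = {"0x" + "11" * 20}  # placeholder for the real OpenSea exchange
MIN_AGE_DAYS = 90                       # the attacker's contract was about a month old

@dataclass
class SigningRequest:
    to: str                 # contract the wallet is asked to call
    calldata_hex: str       # ABI-encoded calldata of the transaction
    contract_age_days: int  # age of `to`, looked up by the caller on an explorer
    blind_signing: bool     # wallet would sign without decoding the payload

def build_calldata(addrs):
    """Constructed sample calldata: selector followed by 14 left-padded address words."""
    words = "".join(a.removeprefix("0x").lower().rjust(64, "0") for a in addrs)
    return "0x" + SELECTOR + words

def decode_addrs(data):
    """Read the inline address[14] that opens atomicMatch_ (assumed Wyvern layout)."""
    if len(data) < 4 + 14 * 32:
        raise ValueError("calldata too short for atomicMatch_")
    return ["0x" + data[4 + 32 * i + 12: 4 + 32 * (i + 1)].hex() for i in range(14)]

def assess(req):
    """Return findings for a signing request; an empty list means nothing looked wrong."""
    data = bytes.fromhex(req.calldata_hex.removeprefix("0x"))
    if data[:4].hex() != SELECTOR:
        return []  # not an atomicMatch_ call, outside this check's scope
    to, findings = req.to.lower(), []
    if to not in TRUSTED_EXCHANGES:
        findings.append(f"atomicMatch_ sent to unlisted contract {to}")
    if req.contract_age_days < MIN_AGE_DAYS:
        findings.append(f"target contract is only {req.contract_age_days} days old")
    addrs = decode_addrs(data)
    for label, idx in (("buy.exchange", 0), ("sell.exchange", 7)):  # assumed field positions
        if addrs[idx] != to:
            findings.append(f"{label}={addrs[idx]} differs from call target")
    if req.blind_signing:
        findings.append("blind signing requested; order fields would not be shown")
    return findings

# Constructed placeholders: trusted exchange, attacker's contract, victim, empty slot
OPENSEA, ATTACKER, VICTIM, ZERO = "0x" + "11" * 20, "0x" + "bad0" * 10, "0x" + "22" * 20, "0x" + "00" * 20

def demo():
    """Constructed legitimate migration request vs. the phishing page's transaction."""
    legit = SigningRequest(OPENSEA, build_calldata([OPENSEA, VICTIM] + [ZERO] * 5 + [OPENSEA, VICTIM] + [ZERO] * 5), 700, False)
    phish = SigningRequest(ATTACKER, build_calldata([ATTACKER, VICTIM] + [ZERO] * 5 + [ATTACKER, VICTIM] + [ZERO] * 5), 30, True)
    return assess(legit), assess(phish)
```

Each order side occupies seven address slots, so the exchange field of the sell order sits at index 7; a mismatch between those fields and the contract actually being called is the sort of discrepancy a user following a phishing page cannot see once blind signing is enabled.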

According to Check Point's security research team, which published a post on the attack, the threat actor quickly resold the NFTs stolen in the attack and made around $2 million in the process.

This attack only shows that the more financially oriented digital venues become available, the more attack surface and attack vectors threat actors will have to work with. One might assume that anyone dealing with NFTs would be tech-savvy enough to spot the bad link and the phishing email, but given that $2 million worth of NFTs were stolen, that does not seem to be the case.