The relatively new world of non-fungible token (NFT) marketplaces has experienced another major breach that raises questions about overall security, as a phishing attack on category leader OpenSea resulted in thefts from over a dozen accounts.
The attackers targeted holders of the “Bored Ape Yacht Club” crypto assets, a series of crude cartoon monkey drawings that are nevertheless among the hottest assets on the blockchain with a current entry price of $242,000 and values that range up to over $1 million.
Leading NFT marketplace hit with phishing campaign
This is far from the first incident of theft for the central NFT marketplace, which launched in late 2017 but did not become a prominent platform until the creation of the Bored Ape series and the corresponding craze for NFTs in mid-2021. This particular incident does not appear to be a code issue or vulnerability, however; the phishing attacks apparently involved unknown threat actors approaching individual users and tricking them into signing a malicious payload with their digital wallet, thereby granting the other party access to it.
OpenSea initially reported that 32 accounts were impacted, but later walked that back on Twitter by saying that many were targeted but only 17 actually fell victim to the phishing attack. It is still not known who the attacker was, but OpenSea declared the campaign over after the threat actor went inactive for 15 hours. The attack took place in the early hours of February 20. All told the attacker is thought to have absconded with $1.7 million in Ethereum after selling off the NFTs.
OpenSea did not release much in the way of details regarding the phishing attack, but the most likely technique (advanced by third party security firms that have analyzed the situation, such as PeckShield) was for the attacker to pose as an OpenSea employee and contact the victim about a supposed security issue with their account. The victim was asked to sign a malicious payload that transferred their NFTs to a new smart contract accessible by the attacker, who then migrated some or all out before disappearing.
OpenSea has emerged as one of the most popular platforms among early entrants into the NFT marketplace, with a valuation of $13.3 billion and now doing over $3 billion in trading volume per month.
Phishing attacks the most common approach for stealing NFTs, but platforms have internal security issues
The NFT marketplace has issued a statement indicating the phishing attack had nothing to do with a platform vulnerability, but OpenSea has had several security issues in the past year. The first major incident took place in October of last year, when researchers with Check Point Security discovered a critical vulnerability that could be triggered by sending a user a malicious NFT. That was patched without any apparent major thefts, but another breach involving the minting of fake “blue chip” NFTs was discovered the following month.
But even before these code issues were discovered, the NFT marketplace found itself in trouble when an employee purchased NFTs that were internally scheduled to be featured in the near future. The employee purchased these in advance, then sold them for elevated prices once the site began to hype them, all the while leaving a trail that went right back to his wallet.
Just prior to this latest phishing attack, there had been something of a rash of isolated Bored Ape thefts dating back to December 2021. These generally involved fraud and deception, the largest of which was a $2.2 million heist of Bored Apes (and related collection Mutant Apes) from a private collector in late December. Another Twitter user going by the name of “iloveponzi” indicated that they had a collection worth millions stolen via scam as well.
OpenSea is now facing a $1 million lawsuit from one of the phished parties. Filed in Texas, a user of the NFT marketplace named Timothy McKimmy claims that one of his Bored Apes was stolen due to a “security vulnerability” that the platform is responsible for. The lawsuit, which claims that the website failed in its “fiduciary duty” by continuing to operate as normal without enhanced security after the phishing campaign was detected, once again highlights the fact that NFTs (and crypto tokens in general) are not regulated and that thefts are generally not reversible. Some legal experts believe that the case will end up in arbitration and will hinge on how state contract law ultimately interprets the transaction.
Launched on the NFT marketplace in late April of 2021, the Bored Ape Yacht Club was fueled by a lineup of celebrities that opted to be early adopters (and pay hundreds of thousands of dollars for their ape): Eminem, Mark Cuban, Jimmy Fallon, Snoop Dogg and Justin Beiber among them. Critics point to the obvious low quality of the art (elements of which are randomly generated) in calling the project an odd and trendy way to flex wealth and status rather than something that has any real intrinsic value.