Web3, the famously decentralised internet technology that has centralised much of the NFT marketplace into a single shopfront (Opensea), woke over the weekend to find that some of its user’s wallets had reportedly been compromised, and loads of precious NFTs stolen.
The alarm was sounded yesterday, when some users began noticing that some NFTs — including some Bored Ape Yacht Club and Mutant Ape Yacht Club jpgs — were missing from their wallets. Aside from the fact it appears to have been the work of a single person (or at least a single account) that’s all we know for sure at time of posting. How all that stuff went missing, and just how much the heist is “worth”, are two of the particulars still up in the air.
Opensea co-founder and CEO Devin Finzer says the site is fine, and that “as far as we can tell” those affected were the victims of a “phishing attack”
As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
Other users, though, aren’t so sure. Some victims say they never opened any emails, and that the only thing they all had in common was that they had manually migrated their collections to a new smart contract on the platform (a move that was itself implemented because it “fixes an issue with inactive listings that was allowing scammers to swipe valuable NFTs from collectors on OpenSea”):
HEY EVERYONE. I CONNECTED WITH A FEW OTHER PEOPLE WHO GOT HACKED JUST NOW.
ALL OF US ONLY HAVE ONE THING IN COMMON.
ALL OF OUR STOLEN NFT’S WERE ONES WE MANUALLY MIGRATED ON OPENSEA. @opensea you have so much explaining to do now.— AlabasterJefferson (@AJFromDiscord) February 19, 2022
Also unknown is the exact dollar value of what was stolen. While of course it’s impossible to put a definitive pricetag on stolen NFTs, since everybody outside the cult would say they’re valued at “nothing”, estimates on the “worth” of the heist among these dorks range from the ludicrous ($US200 ($278) million) to much more modest sums (Finzer himself says “The attacker has $US1.7 ($2) million of ETH in his wallet from selling some of the stolen NFTs”). A third possibility is that the attacker actually made off without around $US2.9 ($4) million, which they were able to do by selling the stolen NFTs on…Opensea.
And this isn’t even the wildest part! Somehow, for some reason, the attacker didn’t just steal, they also in some instances…gave back? Like Robin Hood, only if Robin Hood had no idea what he was doing. As the wonderful Web 3 Is Going Just Great report:
It was later determined that an attacker had successfully phished 32 OpenSea users into signing a malicious contract, which allowed the attacker to take the NFTs and then flip them. Bizarrely, the hacker returned some of the NFTs to their original owners, and one victim inexplicably received 50 ETH ($US130,000 ($180,466)) from the attacker as well as some of his stolen NFTs back.
Remember: the entire point of the blockchain, as the cult’s acolytes will only too gladly tell you, is that it’s immovable and eternal, and that everything that happens leaves an immutable mark. Shit like this isn’t supposed to happen, because the blockchain is so much secure than the existing internet!
And yet! Here we are. With users either falling for a phishing attack like your grandparents trying to score a cheap flight to Florida on Facebook, or being the victims of a basic site vulnerability on one of the most centralised locations on a supposedly decentralised technology. Kill me.
Leave a Reply