Web3, the famously decentralised internet technology that has centralised much of the NFT marketplace into a single shopfront (Opensea), woke over the weekend to find that some of its users’ wallets had reportedly been compromised, and loads of precious NFTs stolen.
The alarm was sounded yesterday, when some users began noticing that some NFTs, including some Bored Ape Yacht Club and Mutant Ape Yacht Club jpgs, were missing from their wallets. Aside from the fact it appears to have been the work of a single person (or at least a single account), that’s all we know for sure at time of posting. How all that stuff went missing, and just how much the heist is “worth”, are two of the particulars still up in the air.
Opensea co-founder and CEO Devin Finzer says the site is fine, and that “as far as we can tell” those affected were the victims of a “phishing attack”:
As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.
— dfinzer.eth | opensea (@dfinzer) February 20, 2022
We’re actively working with users whose items were stolen to narrow down a set of common websites that they interacted with that might have been responsible for the malicious signatures. Huge thanks to the users that hopped on the phone with us directly.
— dfinzer.eth | opensea (@dfinzer) February 20, 2022
Other users, though, aren’t so sure. Some victims say they never opened any emails, and that the only thing they all had in common was that they had manually migrated their collections to a new smart contract on the platform (a move that was itself implemented because it “fixes an issue with inactive listings that was allowing scammers to swipe valuable NFTs from collectors on OpenSea”).
Also unknown is the exact dollar value of what was stolen. While of course it’s impossible to put a definitive price tag on stolen NFTs, since everybody outside the cult would say they’re valued at “nothing”, estimates of the “worth” of the heist among these dorks range from the ludicrous ($200 million) to much more modest sums (Finzer himself says “The attacker has $1.7 million of ETH in his wallet from selling some of the stolen NFTs”). A third possibility is that the attacker actually made off with around $2.9 million, which they were able to do by selling the stolen NFTs on… Opensea.
And this isn’t even the wildest part! Somehow, for some reason, the attacker didn’t just steal; they also, in some instances… gave back? Like Robin Hood, only if Robin Hood had no idea what he was doing. As the wonderful Web 3 Is Going Just Great reports:
It was later determined that an attacker had successfully phished 32 OpenSea users into signing a malicious contract, which allowed the attacker to take the NFTs and then flip them. Bizarrely, the hacker returned some of the NFTs to their original owners, and one victim inexplicably received 50 ETH ($130,000) from the attacker as well as some of his stolen NFTs back.
Remember: the entire point of the blockchain, as the cult’s acolytes will only too gladly tell you, is that it’s immovable and eternal, and that everything that happens leaves an immutable mark. Shit like this isn’t supposed to happen, because the blockchain is so much more secure than the existing internet!
And yet! Here we are. With users either falling for a phishing attack like your grandparents trying to score a cheap flight to Florida on Facebook, or being the victims of a basic site vulnerability on one of the most centralised locations on a supposedly decentralised technology.
While we’re on the subject, if the words “Opensea” and “art theft” ring a bell, it might be because of reports from various outlets (like this one, from The Guardian last month) detailing the practice of bots stealing work from sites like DeviantArt and selling it on Opensea without the artist’s knowledge or permission.