OpenSea Phishing Incident Analysis
12/10/2022

Introduction

Back in February 2022, OpenSea users were targeted by an elaborate phishing attack: emails tricked users into signing permissions with a malicious contract. In total, 28 wallets had NFTs stolen that were worth $2 million, making it the second most profitable NFT phishing attack in 2022, just behind the Bored Ape Yacht Club (BAYC) Instagram compromise in April 2022.

Event Summary

On 20 February 2022, multiple OpenSea users realized that their NFTs were being transferred out of their wallets and into the wallet of an unknown user. As far as the victims were aware, they hadn’t signed any permissions allowing for the transfer of NFTs. This was particularly concerning given that OpenSea had recently told the community that listings had to be migrated.


Users became suspicious that perhaps the new Wyvern 2.3 contract contained a vulnerability, or that OpenSea’s main website had been compromised. However, as only a few individuals were affected, those suspicions shifted towards a more targeted attack against specific victims. It soon became clear that a phishing email had been sent to multiple victims.


An email from OpenSea advising on migrating listings wasn’t necessarily an unexpected communication to receive. This was a relatively sophisticated phishing campaign: it not only created a sense of urgency in the reader, as many phishing scams do, but it also contained text copied directly from OpenSea’s tweet.

Clicking on the link in the email presented the victim with a phishing site, which prompted them to sign an approval that then allowed the attacker to transfer NFTs out of the victim's wallet.

On Chain Analysis

When signing the aforementioned approval, the victims sent an AtomicMatch request to the hacker's malicious contract. From there, the AtomicMatch was forwarded to the Wyvern Exchange contract, which verified the owner’s signature and approved the transfer of the NFT. The NFT was then transferred to the exploiter's wallet for 0 ETH.


In total, 28 EOAs fell victim to this phishing exploit. Among the more valuable NFTs stolen were 2x BAYC and 3x Mutant Ape Yacht Club NFTs. The full list can be seen in the appendix below.

The malicious actor ultimately deposited 1105 ETH into Tornado Cash, worth approximately $2.7 million at the time.

OpenSea Warns Users of Future Phishing Attempts

In August, OpenSea issued a warning to its users to be on the lookout for potential phishing emails following a data leak. The NFT exchange detailed that an employee at customer.io had misused their company access to download the email addresses that OpenSea users had provided when signing up for OpenSea’s newsletter. Because of the phishing attack in February, OpenSea were prepared to inform their users of potential phishing emails promptly.

In late August, an email was sent to OpenSea customers prompting them to recover their MetaMask account by entering their seed phrase. The phishing site mimicked the MetaMask browser extension, which became evident when the legitimate extension was opened alongside it.


This is a slightly different method of phishing, as it attempts to harvest seed phrases. In the February attack, the hacker did not attempt to compromise a victim's seed phrase but instead tricked the victim into signing permissions allowing the transfer of NFTs to the exploiter. The important takeaway here is that there are two types of phishing attacks in Web3.

  1. Classic phishing - Tricking a user into sending funds to the attacker or into giving away private keys / seed phrases.
  2. Ice phishing - Tricking a victim into giving a malicious actor approval to transfer assets by signing a transaction.

The OpenSea phishing attack in February falls under the second category, and ice phishing was one of the main methods used to steal users' NFTs in 2022.
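The on-chain analysis above and the ice-phishing category both come down to the same thing: the victim's wallet produces a valid signature over an order whose content is harmful (a sell order at 0 ETH that the exchange contract will happily match). The following is an added example, not CertiK's, OpenSea's or Wyvern's code, of the kind of content check a wallet or browser extension could run on an `eth_signTypedData_v4` request before the user signs. The order field names (`maker`, `side`, `basePrice`, `expirationTime`) are modelled on a Wyvern-style order layout and are an assumption; every address and request below is constructed for the example and is not data from the incident.

```python
"""Defensive triage of a typed-data signing request (added example).

Models a simplified Wyvern-style order as a wallet would receive it via
eth_signTypedData_v4, and reports red flags before the user signs.
Field names and all addresses are constructed assumptions, not data
taken from the OpenSea incident.
"""
import json
import time

ZERO_ADDRESS = "0x" + "00" * 20

# Constructed allow-list of exchange contracts this wallet trusts.
# Placeholder address, not a real deployment.
TRUSTED_EXCHANGES = {"0x" + "ee" * 20: "example-exchange (placeholder)"}

SIDE_BUY, SIDE_SELL = 0, 1  # Wyvern order-side convention (assumed)
ONE_YEAR = 365 * 24 * 3600


def analyse_order_request(request_json: str, user_address: str, now: int = 0) -> list:
    """Return a list of human-readable red flags for a signing request.

    An empty list means nothing suspicious was found in the order content.
    `now` is a unix timestamp; 0 means use the current clock.
    """
    now = int(time.time()) if now == 0 else now
    req = json.loads(request_json)
    domain = req.get("domain", {})
    order = req.get("message", {})
    flags = []

    # 1. Is the signature bound to an exchange we actually know?
    verifying = domain.get("verifyingContract", "").lower()
    if verifying not in TRUSTED_EXCHANGES:
        flags.append(f"verifyingContract {verifying} is not a known exchange")

    # 2. The signing wallet should be the order's maker.
    if order.get("maker", "").lower() != user_address.lower():
        flags.append("order maker is not the signing wallet")

    # 3. The February pattern: a sell order whose price is zero.
    side = int(order.get("side", -1))
    base_price = int(order.get("basePrice", 0))
    if side == SIDE_SELL and base_price == 0:
        flags.append("sell order with basePrice 0: asset would transfer for nothing")

    # 4. Orders that never expire stay matchable indefinitely.
    expiry = int(order.get("expirationTime", 0))
    if expiry == 0 or expiry - now > ONE_YEAR:
        flags.append("order never expires or expires more than a year out")

    return flags


# --- Constructed sample requests ------------------------------------------
USER = "0x" + "aa" * 20          # the victim's wallet (placeholder)
NOW = 1645300000                 # fixed clock for reproducible output

# The domain points at the trusted exchange, so the signature would be
# valid on-chain; only the order's content gives the attack away.
PHISHING_REQUEST = json.dumps({
    "domain": {"name": "Example Exchange", "version": "1",
               "chainId": 1, "verifyingContract": "0x" + "ee" * 20},
    "primaryType": "Order",
    "message": {"maker": USER, "taker": ZERO_ADDRESS, "side": SIDE_SELL,
                "basePrice": "0", "paymentToken": ZERO_ADDRESS,
                "listingTime": str(NOW), "expirationTime": "0", "salt": "1"},
})

# A normal listing: 1.5 ETH, expiring in a week.
LEGIT_REQUEST = json.dumps({
    "domain": {"name": "Example Exchange", "version": "1",
               "chainId": 1, "verifyingContract": "0x" + "ee" * 20},
    "primaryType": "Order",
    "message": {"maker": USER, "taker": ZERO_ADDRESS, "side": SIDE_SELL,
                "basePrice": str(15 * 10**17), "paymentToken": ZERO_ADDRESS,
                "listingTime": str(NOW), "expirationTime": str(NOW + 7 * 24 * 3600),
                "salt": "2"},
})

if __name__ == "__main__":
    for label, req in (("phishing", PHISHING_REQUEST), ("legit", LEGIT_REQUEST)):
        print(label, analyse_order_request(req, USER, now=NOW) or ["no red flags"])
```

The point of the example is that a domain allow-list alone would not have helped here, because the phishing order is a perfectly valid signature for the real exchange; what a wallet has to surface to the user is the meaning of the order, above all a sell at zero price with no expiry.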

NFTs & Phishing

NFTs have been an attractive target for scammers this year, with persistent threat actors targeting projects' Discord servers. So far in 2022, we have detected over 730 Discord compromises that have targeted NFT holders. The vast majority of these exploits tricked users into signing approvals allowing the attacker to transfer NFTs from the victims to the exploiter.


Incidents of this sort decreased dramatically after detailed investigations uncovered the threat actor responsible for the majority of these compromises. You can read more about the connections between these hacks in our detailed analysis.

Conclusion

NFT holders were a lucrative target for illicit actors in 2022. Users need to be aware that their wallets do not necessarily have to be compromised for their assets to be stolen. In the case of the OpenSea phishing attack, and the majority of phishing attacks, the victims were tricked into signing approvals to the attacker. This is why NFT holders need to take special care in verifying that communications come from trusted sources. By following @CertiKAlert on Twitter, you’ll be the first to be alerted to compromises in the NFT space, helping you better understand the threats that are out there.

Appendix

List of phished NFTs stolen in the OpenSea phishing attack.
