$1.7m OpenSea NFT hack calls crypto security into question
15:33, 22 February 2022
Security on decentralised cryptocurrency exchanges is under the spotlight as a major non-fungible token (NFT) exchange was hit by an attack that saw the equivalent of $1.7m (£1.2m, €1.5m) stolen during the weekend.
Users of OpenSea, one of the crypto world’s largest NFT marketplaces, were hit by a phishing attack that resulted in NFTs being stolen from certain users of the exchange.
NFTs are unique, non-tradeable ownership receipts for digital assets that are tracked on a specific blockchain (such as ethereum [ETH]) to prove authenticity. They can take the form of a static image, video clip or an animated 3D image.
Twitter response
OpenSea investigated the attack, which it found to be a phishing attack that originated from outside the marketplace.
OpenSea CEO and co-founder Devin Finzer confirmed on Twitter that the attack was not connected to the OpenSea website itself, but involved targeted emails to OpenSea users.
“As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website,” Finzer said on Twitter.
In a subsequent tweet, OpenSea narrowed down the number of impacted user accounts to 17 from 32.
Phishing attack
Phishing is a form of online fraud where criminals pretend to be a trusted party (such as a bank or senior company executive) and ask a targeted individual for passwords or other key information online.
With more money flowing into digital assets such as cryptocurrencies and NFTs, interest from unfriendly elements and criminal entities has risen.
Also, there are few protections in place for investors as financial regulators have yet to extend their powers into the cryptocurrency space.
Crypto crime
In a recent report, blockchain data firm Chainalysis found that $3bn was stolen from cryptocurrency exchanges in 2021.
“As the total value locked in [decentralised finance] climbs to ever-greater all-time highs – $256bn at last peak – so too does the risk of exploitation,” Chainalysis said.
Seven of the 10 largest crypto thefts last year, representing a haul estimated at over $1bn, were carried out on crypto exchanges, Chainalysis found.
“If there’s one takeaway from the meteoric rise of thefts from [decentralised finance] platforms, it’s the need for smart-contract security and price-oracle accuracy. Code audits, decentralised oracle providers and an altogether more rigorous approach to platform security could be the ideal means to that end,” the data firm said.
Hack analysis
OpenSea chief trade officer Nadav Hollander explained the recent hack in detail on Twitter.
Hollander said: “All of the malicious orders contain valid signatures from the affected users, indicating that they did sign an order somewhere, at some point in time. However, none of these orders were broadcasted to OpenSea at the time of signing.”
It appears OpenSea users received emails that looked like genuine OpenSea Community Updates inviting customers to migrate their ethereum (ETH) listings to a new smart contract, an automated blockchain programme that runs when pre-defined conditions are met.
As OpenSea introduced its own legitimate smart contract one day prior to the attack, the phishing email may have taken advantage of this change.
OpenSea could not be reached for comment directly as it does not employ a media team and has no direct email contact address to send press enquiries.