What We Can Learn from the Attack on OpenSea

The best way to protect against phishing is education and awareness.

Nicole Sanders
Principal Software Engineer, Blockchain Expert

On February 19, 2022, a malicious attacker was able to steal non-fungible tokens (NFTs) worth over 640 ether (ETH) from OpenSea users by way of a phishing attack. Although it was first reported that 32 users were affected, OpenSea now says it was only 17 users

Learn more about the nature of the attack and how future attacks can be prevented.

What is OpenSea?

OpenSea is an American-based, peer-to-peer online NFT trading platform. OpenSea’s marketplace allows NFTs to be sold directly at a fixed price or through auction. Their tokens are based on the Ethereum ERC-721 standard, and OpenSea currently offers cross-blockchain support across Ethereum, Polygon, and Klatyn.

Was OpenSea hacked?

No, this event wasn’t due to an OpenSea hack or vulnerability. The platform fell victim to a phishing attack.

What is a phishing attack?

Phishing is a social engineering attack where a nefarious actor sends a fraudulent message designed to do one or both of the following: 

  • Trick a human victim into revealing sensitive information
  • Deploy malicious software, such as ransomware, on the victim's infrastructure

In OpenSea’s case, the bad actor tricked some owners selling NFTs to click on a link which created a transaction they were asked to sign with their browser-based wallet. 

This transaction actually maliciously retrieved a signature for a token sale, which was used to craft a new transaction, and then later used to send the victim’s NFTs to the thief’s Ethereum address. 

On top of the NFT theft, the corrupt transaction was formed to allow the bad actor to steal the NFTs while the victim’s wallet paid the required transaction fees, known as gas fees.

While the attack was happening, the popular Ethereum block explorer Etherscan went down. It’s unknown if this was due to the increased traffic because of the  investigation into the attack or if it was a calculated attempt to hide the hostile events taking place.

How can users protect themselves against phishing attacks?

The best way to protect against phishing is education and awareness. 

Users of blockchain technology constantly need to be vigilant to protect themselves against a hostile party. Our top two tips are avoiding links in unexpected emails and keeping your seed phrase safe.

Avoid links in unexpected emails

You should never click on a link in an email that you weren’t expecting to receive. These links increasingly are becoming common on platforms such as Telegram, Discord, and Twitter. 

There is often a sense of urgency involved with these messages. Once these links are clicked, you’ll be prompted to sign a transaction from your wallet. This transaction could approve the scammer to transfer your assets to themselves, harvest your signed transaction to be used at a later time, or another act equally as violating.

If you’re aware of this attack vector, you’re much more likely to be critical of these situations and, hopefully, more likely to evade them unscathed.

Keep your seed phrase safe

Some victims are convinced to willingly enter their seed phrase into a wallet or website set up to steal their assets. Your seed phrase is the random list of words that generates the keys to your wallet.

You should never give out your seed phrase unless purposely restoring your wallet on a trusted platform. Your seed phrase should be written down and kept as safe and private as possible.

A glaring issue with the current system of using a browser-based wallet to sign transactions was highlighted during this attack. Often, it’s difficult to verify you’re interacting with the contract you’re expecting. 

Also, when you’re asked to sign a transaction, it’s difficult to see exactly what action you’re agreeing to. You can investigate and view the raw data and function being called, but unless you have deep technical skills and an understanding of the underlying blockchain mechanics, it’s difficult to retrieve more data.

Until the technical growing pains are hammered out, these types of scams deter new cryptocurrency adoption and growth.

Security at TaxBit 

Here at TaxBit, the safety of your data is our top priority. We prove our commitment to security and accuracy by receiving independent attestations. We're deeply invested in infrastructure privacy, never take unnecessary data, and always adhere to best practices to ensure the safety of your information.

TaxBit is independently SOC 2 certified and ISO 27001 compliant

If you’ve discovered, or believe you have discovered, potential security vulnerabilities in the TaxBit product, we encourage you to disclose your discovery to us as quickly as possible.

Get Started Today!

Generate your cryptocurrency tax forms now
Start Free Trial