All you need to know about OpenSea's alleged hack

Social media posts on Sunday alleged that non-fungible token (NFT) marketplace OpenSea was hacked, compromising assets worth $200 million. However, chief executive Devin Finzer has rejected the claims. Mint explains the incident: 

What exactly happened?  

According to Finzer, this was a phishing attack that was targeted at users of OpenSea and not the marketplace. The targeted users were sent a phishing email in the name of OpenSea with a malicious payload (malware). The attacker is believed to have exploited the short deadline given by the platform to its users to migrate their listed NFTs from Ethereum to a new smart contract. The objective of the exercise was to delist inactive NFTs. So far, 32 users have fallen for the phishing scam and downloaded the malicious payload, allowing the attacker access to their Ethereum wallets and NFTs on it. 

How can a platform hack affect NFTs? 

Though in this case the market-place wasn’t directly targeted, the risk of a breach on such platforms can’t be ruled out as they are not entirely foolproof. For instance, in October 2021, cybersecurity firm CheckPoint flagged a vulnerability in OpenSea that allowed attackers to create a malicious NFT and send it as a gift to targeted users. The NFT would request users for permission to connect to the wallet for the transfer of ownership and gain access to the wallet. The listing of stolen and copied artwork of high-profile artists on NFT marketplaces is rampant. Most of these platforms do not have a process to verify the artwork. 

How to avoid falling for NFT scams? 

In one of his Twitter posts, Finzer urged users to always ensure they are interacting with https://opensea.io when they sign messages. Using fake versions of a real platform’s web address is a very common tactic used by attackers to redirect users to malicious web pages that look genuine. Fraudsters are also using pump-and-dump schemes to float fake NFTs and then disappear with the cryptos spent by users to buy NFTs. Users should be wary of new platforms and NFT drops that seem too good to be true. 

How are identity issues on Web3 resolved?  

The premise of NFT is to establish proof of ownership of a digital asset that can be anything from property to artwork or music stored on a blockchain platform. When a digital asset is tokenized as NFT, a unique code is generated and stored on the blockchain network. This can be used to identify the creator as well as the future and past owners. However, in case of a scam or a data breach, identifying the attacker can be difficult as crypto wallets are built on the principle of anonymity and do not seek know your customer details.