- Criminals spoofed emails that were part of a planned upgrade to trick users into transferring their non-fungible tokens (NFTs).
- $1.7 million was stolen from around 17 users in what appears to have been a phishing attack.
- Report shows wash trading and money laundering are also increasing in the NFT market.
Phishing attacks are increasingly sophisticated. Find out how to protect yourself.
The world's largest NFT marketplace, OpenSea, was hit by a $1.7 million phishing attack last weekend. The hackers took advantage of a planned upgrade to trick users into essentially signing a blank NFT check. OpenSea says the attack no longer appears to be active.
NFTs are essentially digital certificates of ownership for all kinds of items, such as art, sports collectibles, music, and much more. The NFT industry is booming, but unfortunately so is NFT crime.
Details of OpenSea's phishing attack
Approximately 250 tokens were stolen from 17 affected users in the attack. OpenSea originally thought 32 people had been hit, but later amended that figure, saying 15 people had interacted with the phisher but had not lost NFTs.
It still isn't clear exactly how the attackers were able to carry out the scam. At the time, OpenSea tweeted, "This appears to be a phishing attack originating outside of OpenSea's website."
It looks like the hacker duplicated an email sent to OpenSea users about the upgrade and directed them to a fake webpage. There, they were asked to sign what looked like a legitimate contract to migrate their NFT over to the new system. Given that users were expecting to receive an email from OpenSea about the migration, they were less likely to notice the spoof.
This is not the first time OpenSea's platform has been hit by criminals. In January, hackers exploited a flaw in the platform's code to buy NFTs for significantly less than their market value -- profiting by around $1.8 million. OpenSea reimbursed the affected users.
NFT crime is on the rise
A recent report from Chainalysis showed the NFT market was worth at least $44.2 billion in 2021 -- up from $106 million the year before. The crypto analytics company tracked NFT trading on the Ethereum (ETH) blockchain. Ethereum is the most popular network for NFTs, but other platforms such as Solana (SOL) and Tezos (XTZ) are starting to gain traction.
Chainalysis highlighted two forms of illicit activity in the NFT industry:
- Wash trading. This is a form of market manipulation where the same person buys and sells the same NFT to push the price up.
- Money laundering. Chainalysis points out that money laundering has long been an issue in the art world and is now a "small but visible" part of the NFT industry.
Protect yourself against phishing attacks
Phishing attacks like the recent OpenSea attack described above can be extremely sophisticated. Phishing is an increasingly common type of fraud in which attackers use fake emails or other forms of communication to trick people into giving away sensitive information. The attacker may direct you to a fake website, or attempt to get you to reply to the email or caller and share your information.
Phishers pose as a trusted source, such as your bank or cryptocurrency exchange, and use the data they steal to access your accounts. In some cases, phishers have managed to hijack company computer networks.
Here are some ways to guard against phishing attacks:
- Be alert. Legitimate companies won't ask you to share your password or other sensitive data by email or over the phone.
- Look at the details. Phishing emails often come from an email address that is similar to, but not the same as, the real source. The details are usually slightly off: A URL might be slightly misspelled or the email might be addressed to something generic like "Hi dear" instead of your name. These are all tell-tale signs of a phisher.
- Be wary of clicking on links or attachments. Attachments can contain viruses and malware and the link may not take you to the real site. Bookmark important websites and use your saved links.
- Keep your anti-malware and antivirus software up to date. Antivirus software can't stop phishing attacks, but it will protect you against known viruses and malware.
- Set up multi-factor authentication. Enabling two-factor or multi-factor authentication on your accounts means you'll have to provide extra information each time you log on. For example, you might install Google Authenticator on your phone and enter the code in addition to your username and password. This makes it harder for hackers to gain access.
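The "look at the details" check above can be automated. The following is an added example, not part of the original article or any OpenSea tooling: it compares a sender address or link against a personal allowlist and flags near-miss spellings, a trusted name buried inside another domain, and internationalised look-alikes. The allowlist, function names and sample addresses are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a personal allowlist of domains you really use (hypothetical).
TRUSTED = {"opensea.io"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(value):
    """Host part of a URL or of an e-mail address, lower-cased."""
    if "://" in value:
        return (urlsplit(value).hostname or "").rstrip(".")
    return value.rsplit("@", 1)[-1].strip(" <>").lower().rstrip(".")

def classify(value, trusted=TRUSTED):
    """Return 'trusted', 'suspicious' or 'unknown' for a sender or link."""
    host = host_of(value)
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"
    labels = host.split(".")
    # Internationalised names can imitate ASCII letters; flag them for review.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "suspicious"
    for t in trusted:
        # Trusted name buried inside another domain, e.g. opensea.io.example.net
        if host.startswith(t + ".") or "." + t + "." in host:
            return "suspicious"
        # Near-miss spelling of the last two labels (a simplification that
        # ignores multi-label public suffixes such as co.uk).
        if 0 < edit_distance(".".join(labels[-2:]), t) <= 2:
            return "suspicious"
    return "unknown"

if __name__ == "__main__":
    # Constructed samples, not taken from the real incident.
    for sample in ["noreply@opensea.io", "support@opensae.io",
                   "https://opensea.io.migrate.example.net/sign",
                   "https://open-sea.io/upgrade", "news@example.org"]:
        print(f"{classify(sample):10}  {sample}")
```

A result of "unknown" only means the domain does not resemble anything on the allowlist; it is not a verdict that the sender is safe.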
Unfortunately, new technologies like NFTs and cryptocurrency attract criminals who seek to exploit any loopholes in these fast-moving industries.
We're firm believers in the Golden Rule, which is why editorial opinions are ours alone and have not been previously reviewed, approved, or endorsed by included advertisers. The Ascent does not cover all offers on the market. Editorial content from The Ascent is separate from The Motley Fool editorial content and is created by a different analyst team.
Emma Newbery owns Ethereum, Solana and Tezos.