In mid-February, the cybercriminals took advantage of a contract migration process on the NFT OpenSea platform to launch their phishing attack.
Here is the comment of Julien Escribe, partner and expert in information systems management at ISG, a global consulting and technology research firm:
The NFT is a complex term to understand, whether in English (non-fungible token) or in French (jeton non fongible). Those who had made the effort to understand blockchain technologies and their first concrete implementations, such as cryptocurrencies, had to make the effort to understand this new concept.
The NFT represents an advance in cryptography in the world of art and culture, by allowing artists to monetize their digital creations, in a secure, traceable and inalienable way. Ownership of these assets is recorded on a blockchain, a digital ledger similar to the networks that underpin bitcoin and other cryptocurrencies. However, unlike most currencies, a person cannot exchange one NFT for another as they would with dollars or other assets. Each NFT is unique and acts as a collector’s item that cannot be reproduced, making them rare in nature.
Around this concept of democratization of blockchain technologies, the market is developing and digital marketplaces such as OpenSea have made a place for themselves in the sun…
On 27/02/2022, a large number of OpenSea users discovered that their accounts had been hacked. Rumors initially pointed to a 0 million theft of NFTs.
In the days that followed, the hack was confirmed to be much smaller than expected. Only 17 users lost tokens – 254 of them, to be exact, with an estimated collective value of $1.7 million. Although initially thought to be a hack that compromised OpenSea itself, the theft was determined to be the result of a phishing attack that used emails to spread malicious links presented as coming from legitimate sources. OpenSea is currently updating its smart contract system. The hackers seem to have taken advantage of these circumstances by using Wyvern, the open source protocol used for sales contracts, during an operation to migrate NFTs to a new contract, a step during which data vulnerability and the need for a high level of security are increased.
Legal actions are underway against OpenSea following this incident. The sums involved are far from negligible.
Beyond the scope of this event and its interest in understanding the NFT ecosystem, several questions should be asked:
- Phishing is the most common cyber attack, which is why the demand for cyber security services is exploding. Companies are increasing their investments, but are all the supports worth it?
- What are the legal protections around these NFT transactions, which may also be of interest to large companies?
- How to ensure that companies master these crypto and blockchain technologies, which are supposed to be secure, but which still leave openings for hackers, especially in their peripheral systems?