Lightning strikes twice: A strange sequence of losses for NFT holders

Doxed Capital
4 min read · Feb 21, 2022

NFT holders transacting on the leading NFT platform Opensea have suffered two connected hacks in the last four weeks, draining millions of dollars' worth of NFTs and Ethereum from users' wallets.

Sunday 22nd January 2022 — The Beginning of Hack #2

The hackers create a malevolent smart contract, 945bD, that is programmed to drain money (ETH) and NFTs from any Opensea NFT holder that interacts with it. With part one of their plan completed, the hackers leave the contract alone and do nothing further with it until Feb 19th 2022.


Monday 24th Jan 2022 — Hack #1 Loophole

Hackers discover a loophole in Opensea’s platform that provides a way to purchase high-value NFTs at their old listing price.

Thurs 27th Jan 2022 — Hack #1 User Fix

Opensea announces a user fix for the exploit: NFT account holders should cancel their inactive listings. Tragically, some Opensea users who cancel their listings find their NFT sells at an even lower price, because an older inactive listing still exists for the same asset.

Friday 28th Jan 2022 — Hack #1 Reimburse

Opensea reimburses users whose NFTs sold below market price as a result of the exploit. The total reimbursement is estimated at $1.8 million USD.

10.06am — Thurs 17th Feb 2022 — Opensea announces smart contract upgrade

Opensea publicly announces an upgrade to their smart contract to remove the inactive listings problem from their platform that led to the 24th Jan exploit.

11.44am Thurs 17th Feb 2022 — Hack #2 Phishing email 1

Somehow, hackers get hold of Opensea account holder email addresses and send a “primer” email asking users to prepare for the Opensea Smart Contract Upgrade that had been publicly announced only 1 hour and 38 minutes earlier.

This email doesn’t phish. It is sent to Opensea’s users to make them believe they are really receiving the information from Opensea, priming them for the next “Get Started” phishing email. The support email address included, contract.upgrade@opensea.io, is the real Opensea support email address for the contract upgrade.

8.20am Sat 19th Feb 2022 — Hack #2 Phishing email 2

Hackers send the second phishing email. When users click on the “Get Started” button they are presented with an approval window for a Wyvern Exchange contract authorisation. Wyvern is the same exchange protocol that is used by Opensea.

Thinking everything is in order, users click to authorise the approval and unknowingly give the hackers permission to drain their wallets of all of their crypto and NFTs. As the approval authorisations stream in, the hackers begin scanning the wallets, looking for the ones containing the highest-value NFTs.

9.57pm Sat 19th Feb 2022 — Hack #2 Malevolent Contract Enacted

Hackers enact the malevolent hacking contract and commence draining funds and selling NFTs using the following wallet.

Over the next 24 hours they sell a large number of high-value NFTs, including more than 70 Azukis, 10 BAYCs, 15 Boss Beauties and many others including Doodles and MAYC, and take crypto from user wallets, netting them, at a conservative estimate, at least $2.5 million in ETH. The hackers then use the Tornado Cash platform to launder the ETH proceeds from the sales.

Summary

Even though these two hacking events are noticeably different, one an Opensea code loophole exploited by hackers and the other a phishing hack directed at users of the Opensea platform, they are tied together: the smart contract upgrade announced by Opensea to fix Hack 1 inadvertently provided the hackers with legitimate cover to disguise their phishing (Hack 2), which occurred later in February.

When one reviews the chronology of events a number of concerning irregularities and questions remain:

  1. How were the hackers in Hack 2 able to prepare their hacking smart contract so far in advance, before Hack 1 and nearly 4 weeks before Opensea publicly announced the smart contract upgrade that the Hack 2 malevolent scheme depended on?
  2. How were the hackers in Hack 2 able to acquire the email addresses of Opensea’s users?
  3. How were the hackers in Hack 2 able to send out their first phishing email, “Opensea smart contract upgrade”, to Opensea user addresses within 1 hour and 38 minutes of the official Opensea public announcement of the smart contract upgrade?
