NFT marketplace OpenSea experienced a phishing attack that stole several NFTs worth several Ethereum.
Only 17 users lost tokens: 254 tokens, to be exact, estimated to be worth a collective $1.7 million.
NFTs, or non-fungible tokens, have surged in popularity over the past year.
However, the crypto space is filled with new investors, many of whom do not know the best ways to keep their assets protected.
In this blog, we’ll briefly break down how the hack happened and cover some practical ways to make sure your JPEGs are protected.
Verify All Emails!
The whole madness started with a simple email – a phishing attempt.
Phishing is a type of online scam where hackers impersonate legitimate organizations via email, text message, or other means to steal sensitive information.
Phishing emails often tell a story to trick investors into clicking on a link or opening an attachment.
In this case, the OpenSea hackers sent out an email that explained OpenSea would be moving to a new system.
The email would ask users to migrate their listings to the new system, so they could keep their NFTs secure.
When careless investors clicked the link, they unwittingly gave hackers the ability to transfer ownership of any asset they wanted from the victim’s wallet.
When dealing with crypto, it’s important to treat all emails you receive with caution. If you get an email asking you to fix an issue with your account, log into your account in a separate tab.
Check the sender address of the email – most of the time the scammer will be using a bunch of random numbers and characters.
A phishing scam will not use personal details such as first and last names. Sometimes spam emails will address others as Mr. and Mrs./Miss or just start as “Hello”.
Also, the phishing attempt may be grammatically incorrect and contain spelling errors.
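The checks from this section, plus the "gas free" giveaway from the PS, applied to a raw email in Python. This is an added example, not code from the original post; the trusted domain opensea.io, the sample message and the function names are assumptions made for illustration, and the message is assumed to be single-part plain text.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the marketplace's real domain; adjust for the service you use.
TRUSTED_DOMAIN = "opensea.io"

# Constructed sample message for illustration; not the real phishing email.
SAMPLE = """\
From: OpenSea <support-8841x@opensea-migration.example>
Subject: Migrate your listings

Hello,

We are moving to a new system. Migrate your listings today, gas free:
https://opensea.io.listing-migrate.example/start
"""

def on_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw, trusted=TRUSTED_DOMAIN):
    """Return the list of warning signs found in a raw plain-text email."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []
    # 1. The address decides who sent it, not the display name.
    _display, addr = parseaddr(msg.get("From", ""))
    if not on_domain(addr.rpartition("@")[2], trusted):
        flags.append("sender-domain")
    # 2. Every link must be on the trusted domain, not merely contain it.
    for url in re.findall(r"https?://\S+", body):
        if not on_domain(urlparse(url).hostname, trusted):
            flags.append("link-domain")
            break
    # 3. Generic greeting instead of the account holder's name.
    if re.match(r"\s*(hello|hi|dear (sir|madam|customer|user))\s*[,!]", body, re.I):
        flags.append("generic-greeting")
    # 4. The "gas free" promise mentioned in the PS of this post.
    if re.search(r"gas[\s-]*free", body, re.I):
        flags.append("gas-free-claim")
    return flags

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The link check is the part people get wrong by eye: the sample URL starts with the trusted name but actually belongs to a different domain, which is why the comparison is on the end of the hostname.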
Keys and Passwords
Never share your seed phrase or private key to your crypto wallet. No one should ever ask you for a key to your wallet during an NFT transaction. If they do, log off immediately!
If a hacker has access to that seed phrase or key, they can take your NFTs without any intrusion necessary.
Your seed phrase should never be stored online. Whether it is a text file, PDF, or JPG, a hacker can find your seed phrase if it’s on the internet.
When setting up an account on OpenSea or any other NFT marketplace, you also want to make sure that your password is as secure as possible.
Passwords need to be lengthy – anywhere between 12 and 16 characters. A secure password should include numbers and symbols, as well as upper and lower-case characters.
In some cases, a strong password may not be enough. Thankfully, most exchanges require some sort of multi-factor authentication.
When using multi-factor, be sure to have your apps installed on at least two devices. Putting the app on two devices will ensure you have a backup if you lose your primary phone.
Unlink your NFT Wallets!
Before buying any NFTs from a marketplace or website, the website will usually ask you to link your NFT wallet – Metamask being the most popular.
This is where investors must be careful. It can be dangerous to leave your wallet signed into an exchange or website.
It may be convenient to keep it up, so you don’t miss the next drop, but it opens the door for hackers to have easy access.
When you are finished buying your JPEGs, unlink your wallet from the exchange or site.
It only takes a matter of seconds to re-link it if you ever need to access it again.
How Good is your NFT’s Grift?
Popular NFT projects are extremely active on Twitter and Discord. The community is very engaging, and they interact with their investors.
On the other hand, hackers know that Twitter and Discord are popular places for NFTs and will try to take advantage of this.
Once you start engaging with NFT projects on Twitter or Discord, expect a flood of DMs! They will almost always introduce a project that’s either brand new or similar to one you’ve heard of.
The “link” to their Discord channel or website is a scam; it is designed to trick users into linking their wallets.
The best way to deal with these potential phishing scams is to block the message immediately. If you think it might be legitimate, open the site on your own with a new tab.
If you are uncertain whether an NFT project is a scam or not, look at its following. Check if it has an active Discord (users, how many are online, etc.).
If no one’s engaging in the project, it could be a scam.
The best NFT projects also have someone noteworthy grifting off it to drive engagement. A verified account on Twitter will probably change their profile picture to an NFT they own.
The quick rise of the NFT space has made it easier for hackers to lure new investors. Many people get into the space with dreams of buying a JPEG, hoping they can flip it for 100x gains.
Hackers are crafting new phishing techniques over time as the NFT crypto space grows. They hope that investors, in trying to get rich quickly, forget the fundamentals.
You can prevent these attacks on investments by slowing the buying process down. Don’t trust, verify!
PS: Another dead giveaway that investors missed in the OpenSea hack: the email said the transactions would be "gas free". If there's one thing that purchasing NFTs with Ethereum has, it's gas fees!