Image: Archi Banal

Internet | February 23, 2022

Stolen Ape Club: How millions of dollars were taken from NFT collectors


Over the weekend, a hacker stole some of the highest-value NFTs straight out of their owners’ wallets. For IRL, Josie Adams reports on how this might have happened.

The world of NFTs has been plagued by accusations of theft since 2020, when it hit the mainstream. HitPiece listed entire albums for sale without asking the musicians for permission. New Zealand musician Leaping Tiger had his album artwork stolen. To the untrained eye, a lot of NFTs appear to plagiarise the art style of Gorillaz illustrator Jamie Hewlett. 

Now, it’s the NFTs themselves that have been stolen.

On Saturday afternoon, millions of dollars’ worth of NFTs were taken out of their owners’ wallets, in broad weblight. It’s thought 32 unlucky users of OpenSea, an online platform for selling and storing NFTs, were involved in a phishing attack that ultimately stole almost 250 NFTs, many of which were resold – on OpenSea itself – for as much as NZ$4.4 million. Although what happened is unfortunate, the transparency of blockchain transactions means everyone can see what was stolen, when it was stolen, and from whom.

The NFTs targeted were from large, high-profile collections: the Bored/Mutant Apes, a collection of 10,000 illustrations of monkeys worth up to $4.3 million each, were a prime target. Other stolen NFTs included the multi-million-dollar anime-styled Azuki collection, and the NFTs of metaverse avatar designers Clone X.

Weirdly, the mysterious attacker sent $194,000 to one of their victims, alongside some of his stolen NFTs. One user received all their stolen NFTs back bar one, Bored Ape Yacht Club #1277. The thief, or possibly thieves, returned a few more NFTs to their original owners. You could have called it a Robin Hood scheme if they’d given any money to the poor.

February 19 started off as a normal day: OpenSea sent out a message asking its users to upgrade to a new smart contract, a blockchain program that automatically executes agreements between buyers and sellers. Upgrading would allow users to continue trading smoothly via OpenSea. It’s speculated, but unconfirmed, that the hacker created a fake version of this upgrade page; when people signed it, they let the hacker in. By Saturday evening, OpenSea had placed a banner on its website warning users about an apparent phishing attack. “Do not click links outside of opensea.io,” it said.

The stolen NFTs remain on the platform, but have a red banner above them: “Reported for suspicious activity,” it reads. These NFTs cannot be bought, sold, or transferred; they’re locked in place. Next steps are uncertain; OpenSea co-founder Devin Finzer is focussed on what on earth happened. The company has ruled out signing the new smart contract, interacting with an email from OpenSea, and minting, buying, selling, or listing items as vectors for the attack. The investigation, he says, is ongoing. 

The phishing attack only targeted a select few types of NFT, none of which are created by New Zealanders. However, plenty of us – both artists and collectors alike – use the platform. One photographer who sells and stores her work as NFTs on several platforms, including OpenSea, says she wasn’t affected by the hack. “I didn’t click the email or interact with any of the links,” she told the Spinoff. “I’m super duper careful in the space. [You] really need to be.” 

Another NFT artist called the hack “the users’ fuckup”. “Funking stupids,” he told the Spinoff. “It’s not like you have ten million on the line.”

OpenSea is one of the largest NFT marketplaces, and is backed by none other than Punk’d entrepreneur Ashton Kutcher. In January, it was valued at $19.8 billion. Just a few weeks later, a bug in the platform allowed hackers to buy NFTs at their old prices and resell them at their current value. They made around $1.5 million by exploiting the bug.

We wish all OpenSea users a hack-free March.
