Hackers Are Now Trying To Steal Crypto Via Malicious NFTs
Non-fungible tokens (NFTs) are digital assets that connect ownership to real-world items or objects such as art, music and videos.
Though they run on the same blockchain technology as cryptocurrencies, they are not currencies. NFTs are highly speculative and usually sell for millions. However, they are not something every investor should want.
Ranging from popular memes to pixel cartoons, non-fungible tokens have been skyrocketing in popularity recently. Unfortunately, that growth has not come without attempts at exploitation.
A Check Point Research (CPR) report on Wednesday reveals the hacking of users’ accounts on the OpenSea NFT marketplace. Errors in the protocol’s NFT led to the theft of all the users’ crypto wallets and the transfer of malicious NFTs.
An investigation is set to be launched following the reports. It will cover the free airdropping of the malicious NFTs used as vehicles for account hacking and cryptocurrency theft.
Hackers Targeting NFTs To Carry Out Nefarious Activities
The source of the problem was not just the NFT and the airdrop. Once the hackers release an NFT to a victim, the victim will see it. A follow-up message then demands a signature to connect to a wallet.
After that, a request for a secondary signature comes up. If the user accepts it, the hackers gain access to the unsuspecting user’s wallet and funds.
In OpenSea’s case, the security error allowed the protocol team to upload an SVG file containing a malicious payload. The uploaded file then operates from the OpenSea storage subdomain.
Commenting on the situation, CPR said that after clicking on an image from a third party, users were asked to sign using their wallet. It noted that such a request was far from the usual routine on OpenSea, because it is quite different from the services OpenSea offers, such as purchasing or favoriting an item and making offers.
Nevertheless, most users might be lured into approving the connection. The reason is that the transaction comes from an OpenSea domain, and it is possibly what users encounter in other NFT operations.
On September 26, the CPR team disclosed all its findings to OpenSea. The marketplace moved swiftly, within an hour, to prioritize and verify the security flaws and propose a solution.
In conclusion, OpenSea put out a public statement expressing its appreciation to the CPR team for drawing its attention to the loophole. It also acknowledged the efforts of the teams in joining them during the investigation and implementation of a solution within an hour.
OpenSea mentioned that the attacks depended on users’ approvals for malicious activities via third-party wallet providers. Thus, there’s the possibility of users linking their wallets and authorizing malicious transactions.