OpenSea phishing scam prompts lawsuit from Big Ape owner
It had to happen at some point. The explosion of the NFT (non-fungible token) marketplace has brought hundreds of thousands of new crypto enthusiasts and their assets into the digital coin universe. Unfortunately, bad actors came along with them. The two groups collided in a phishing attack on OpenSea that resulted in millions being wiped out of NFT owners accounts and a million-dollar lawsuit from a victimized Bored Ape owner.
So, what exactly happened? Reports vary, but the general gist of the incident is that some owners took the bait offered in a phishing scam and the next thing they knew, their six-figure NFT was sold right under their nose for pennies. That’s right, pennies.
Theblockcrypto summarized the scam as a listing bug: “The listing bug happened when users moved their NFTs from their wallets linked to OpenSea to a different address without canceling the previous listing. Users likely elected not to cancel the listing because the step required paying a transaction fee.
“Once moved to a new wallet, users likely set a new selling price which did not cancel the listing price on the OpenSea-linked wallet. The problem arose when users moved NFTs back to their OpenSea-linked wallets, activating the previous, lower listing price. Rogue actors were then able to snipe premium NFTs for a bargain price.”
Phishing attacks occur all over the web in many forms, and the crypto world is no exception. “In the past, crypto phishing attacks have tricked users into entering their wallet’s seed phrase, allowing for the hacker to access their wallet and steal the funds,” cryptobriefing.com explains. “In some instances, hackers have acquired permission to spend funds by luring users in with fake airdrops. The latest OpenSea incident was different as the hacker attempted multiple collectors at once. It shows that in addition to being cautious with seed phrases, users need to be careful with signing off-chain messages and interacting with suspicious contracts”.
OpenSea was quick to acknowledge the incident, which occurred over the weekend, and pointed out right away that their platform was secure — it was the traders who made a series of missteps that allowed the scam to occur.
“We’re actively working with users whose items were stolen to narrow down a set of common websites that they interacted with that might have been responsible for the malicious signatures. Huge thanks to the users that hopped on the phone with us directly,” tweeted Devin Fizner, co-founder and CEO, OpenSea.
The attack couldn’t have come at a worse time, as the crypto market was already experiencing a downslide fueled by economic forces and the threat of war in Europe.
“Bitcoin and cryptocurrency prices already teetering on the brink of collapse due to the escalating Ukraine situation plummeted more following news of a serious attack on non-fungible token (NFT) platform OpenSea,” Econotimes reported.
The OpenSea incident, the news outlet said, contributed to yet another crypto price crash that “has wiped almost $300 billion from the combined crypto market over the last few days.”
A down market is little consolation for those who lost hundreds of thousands of dollars as a result of the OpenSea scam. And while no investment in the fiat or crypto world is entirely without risk, one OpenSea NFT owner who was victim is not taking his loss lying down.
Timothy McKimmy of Texas has filed a one-million dollar lawsuit against OpenSea, stating his Board Ape Yacht Club #3475 was stolen because of the NFT websites’ “security vulnerabilities.” The scam resulted in his NFT, which was worth six figures at the time, being sold for pennies through an automated contract “listing bug.”
Board Ape Yacht Club is considered a prestigious NFT group, which includes members-only benefits that make it extremely attractive to investors.
“One of those benefits is the ability to converse with other Yacht Club members,” the lawsuit states. “Owners of Bored Ape NFTs include: current NBA stars Stephen Curry and LaMelo Ball; NBA Hall of Famer Shaquille O’Neal; soccer star Neymar; Dallas Mavericks’ owner Mark Cuban; tennis great Serena Williams; comedian Kevin Hart; music artists such as Justin Bieber, Future, Lil Baby, Post Malone, Steve Aoki, and Eminem; and numerous other individual investors.
“Despite having full knowledge of these security issues, Defendant did not properly inform its users and did not timely put adequate safety measures in place,” the lawsuit states. “Instead of shutting down its platform to address and rectify these security issues, Defendant continued to operate. Defendant risked the security of its users’ NFTs and digital vaults to continue collecting 2.5% of every transaction uninterrupted.”
“What happened to our client is not an isolated incident,” Ash Tadghighi, an attorney for McKimmy, said in a statement to Fortune. “Our client hopes this lawsuit will force OpenSea to address the depth of its security vulnerabilities, so this does not happen to anyone else. OpenSea needs to rectify the situation.”
This is the second time this year that OpenSea has been hit by a phishing scam. “In late January it reimbursed $1.8 million to users who, through a loophole, had their NFTs purchased at much lower valuations and then resold,” Fortune reports.
Like many NFT and cryptocurrency websites, OpenSea provide its users with tips on how to avoid getting scammed. So when the breach occurs, does caveat emptor or “let the buyer beware,” protect entities like OpenSea? In the new and growing crypto marketplace, the outcome of lawsuits like McKimmy’s could set a standard for what’s to come.
Joyce Pavia Hanson