March 22, 2022

Phishing for NFT Protection?

Nate Nelson finds cold comfort in phishing’s long history along with core lessons to keep your wallet safe
Credit: Midjourney, Phishing Attack One, 2022. Courtesy of the artist

What would it take for you to quit crypto, NFTs, and blockchain entirely?

How much money would you need to lose before you got up from your computer and developed a new hobby? How about $2.2 million?

People are Losing Their NFTs

On December 30, 2021, Todd Kramer — a New York-based art dealer — had “arguably the worst night of my life.”

Without knowing it, he’d signed a fake contract purporting to come from a legitimate NFT dApp. The contract offered a hacker open access to his OpenSea wallet, and the hacker promptly sucked it for all it was worth. The collection comprised 16 NFTs: Eight Bored Apes, seven Mutant Apes, and a CloneX NFT — whose total valuation at the time was estimated at $2.2 million (593 ETH).

Unabridged digital ownership — the fundamental tenet of non-fungible tokens — is an attractive idea. And it’s dangerous. With unquestionable and unbreakable possession over your digital assets, you have the power to do whatever you want, without anyone else standing in your way. You also have the power to screw up massively, without anyone else to save you. So it was for Todd Kramer. 

So it was two months later when, in the span of a few hours, 17 other investors signed over hundreds of their NFTs to cybercriminals.

When I covered the OpenSea phishing attack in February, I came across a number of different perspectives from the NFT community. Some blamed the victims. Some blamed the platform’s cybersecurity. Some simply basked in schadenfreude. But one side to the story was simply ignored.

Because February’s OpenSea heist was also a proof of concept, and a demonstration of just how cuttingly effective phishing is — and will continue to be — in stealing NFTs and cryptocurrency for years to come. Because the very nature of these assets make them incredibly vulnerable. Not even cybercriminals could have imagined an easier target. So it’s likely that the worst NFT phishing stories are still to be written.

If you don’t want to be the subject of such a news story, you’ll need to understand how phishing works, and how to protect yourself.


How Phishing Works

The first ever phishing campaign against a financial system took place many years ago, against a different kind of “digital gold.”

An unlikely inventor had crafted this digital gold — a payment network where anyone could anonymously invest, store, and transact coins with anyone they chose. All of it occurred outside of the typical fiat system, on an immutable online ledger.

This was, of course, e-gold.

E-gold was invented by a middling oncologist, run by a bank — Gold & Silver Reserve Inc. (G&SR) — and pseudonymous. And yet, it reached crypto levels of exponential growth. In the year 2000, for example, digital gold’s trading volume rose from 1,250 per month (about $350,000 in value) to over 450,000 (approximately $125 million). By 2006, it was worth $2 billion. By 2004, there were a million e-gold account holders. Five years on, there were five million.

The most enthusiastic adopters were criminals. Scammers ran rampant in e-gold-based auctions — lying, shilling, posting fake reviews — and created phony “escrow” services that disappeared as soon as you’d handed over your money. The most common approach, starting in June 2001, involved blasting emails to investors that claimed to come from e-gold.com. These emails all shared the same core characteristics:

  1. Brand impersonation: The attackers spoofed @e-gold.com email addresses, impersonating company members.
  2. Social engineering: The emails would prey on fear or greed to prompt recipients to act now. According to an e-gold security bulletin, the emails included messages like “your account has a value limit, you have received fraudulent funds, your account will be closed for inactivity,” or else that “e-gold is paying monthly interest payments.”
  3. A trap: The emails included links directing users to landing pages “designed to ensnare the careless by mimicking the appearance of the real e-gold website.” The fake website asked users to input their login credentials — nothing unusual there, except where the credentials ended up. “Once the criminal has gained this information, he has everything he needs to log in to the victim’s e-gold account on the real e-gold website and divert the value.”

Phishing is effective in all kinds of settings, from corporate IT to personal banking, but there were certain characteristics of e-gold that made it uniquely vulnerable:

  • Anonymity. Transactions weren’t tied to account holders’ real identities, thus a payment from a hacked account would look like any other.
  • Irreversibility. Once e-gold payments had been processed, they couldn’t be undone, so there was only a narrow window, before processing completed, in which a fraudulent transaction could be reversed.
  • Lack of oversight. Due to weak policing, e-gold was used for every kind of illicit purpose imaginable. As one government prosecutor put it at the time, the digital currency world “is a bit of a wild west right now. People are looking for what are the rules and what are the consequences.”
  • Popularity. Because it was growing so fast, a lot of unsavvy investors bought e-gold. Enthusiastic novices make easy targets.

E-gold died in 2009, the same year that another, even more popular form of digital gold was invented. But our newer blockchain-based assets, Bitcoin included, share all the same characteristics that made e-gold vulnerable to phishing attacks. In fact, crypto and NFTs are even more anonymous and irreversible, not to mention unregulated, and consequently even more at risk.

Midjourney, Phishing Attack Two, 2022. Courtesy of the artist

How Phishing Works on the Blockchain

It was a Saturday evening in February when NFT owners started to panic.

Gradually, a few OpenSea users noticed items disappearing from their wallets without apparent explanation. Theories abounded. Maybe it had something to do with the recent token airdrop from a knockoff marketplace called X2Y2. Or maybe OpenSea had been hacked. Even users who hadn’t lost anything yet started to worry that their wallets were next.

Nobody knew what had happened because, when you realize you’ve been phished, it’s already too late. The attack, it turned out, wasn’t so sophisticated after all — mostly rehashing the same old tricks we’ve been seeing for decades:

  1. Brand impersonation: The attacker didn’t only pretend to be OpenSea, they actually copy-pasted an OpenSea email blast.
  2. Social engineering: The attacker timed their emails to coincide with an actual smart contract migration. OpenSea required all their users to migrate in order to keep using the service. It was therefore no ordinary email notification — it was plausible, and there was urgency to it.
  3. A trap: Those who clicked on the malicious email link were directed to a website with a nearly immaculate copy of an ordinary transaction window. It looked like a smart contract migration, but the “Sign” button in fact triggered an “atomicMatch_” request to the hackers’ wallet. “This kind of request,” wrote researchers from Check Point Software, “is capable of stealing all victim NFTs in one transaction.”

What’s most remarkable, in retrospect, is the low-grade nature of the campaign: A copy-pasted email and a (mostly) copy-pasted landing page — all designed by a single hacker. The reason it worked so well is because the blockchain leaves users to fend for themselves:

  • Anonymity. Long alphanumeric wallet addresses make it easy to send assets to the wrong place.
  • Irreversibility. On Ethereum — on which OpenSea operates — finalized transactions cannot be reversed, in order to prevent double spending.
  • Lack of oversight. Traditional financial institutions provide extensive custodial services. By contrast, the very ethos of blockchain since its inception has been anti-middlemen. Users encourage companies to minimize involvement in the platforms they’ve built.
  • Popularity. NFTs have skyrocketed in popularity since early 2021. But not everybody who’s jumped on the bandwagon is tech savvy enough to navigate the ecosystem safely. “General usability continues to be a challenge and can contribute to confusion,” Matt Bailey, VP of Engineering at ClubNFT, told me last month. “Understanding what it is you are signing digitally as a user is not always obvious.”

Seventeen investors ended up clicking on “Sign.” In total, they lost 254 tokens worth millions of dollars.
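The attack above worked because the “Sign” button did something other than what the page said. As an added example, not code from OpenSea, Check Point or this article, here is the kind of pre-signature policy check a wallet extension could run before enabling “Sign”: it compares the request’s target contract and function selector against an allowlist the user built from the provider’s own website and against what a “migration” is allowed to do. The contract addresses, the `migrate` selector and the policy table are constructed for illustration; the `atomicMatch_` selector value is assumed from public contract listings.

```javascript
// Added example, not wallet or marketplace code. Addresses and the "migrate"
// selector are constructed placeholders; the policy table is an assumption.

// Contracts the user copied from the provider's own website, never from an email.
const TRUSTED_CONTRACTS = new Set(["0x1111111111111111111111111111111111111111"]);

// A function selector is the first 4 bytes of keccak256(signature), i.e. the first
// 10 hex characters of calldata. 0xab834bab is the selector commonly listed for
// Wyvern Exchange's atomicMatch_ (assumed here); 0xaaaaaaaa is a constructed stand-in.
const KNOWN_SELECTORS = {
  "0xab834bab": { name: "atomicMatch_", effect: "matches a sell order: transfers your assets" },
  "0xaaaaaaaa": { name: "migrate", effect: "re-registers listings on the new contract" },
};

// What each user-stated purpose may do. A migration never moves assets or pays ether.
const POLICY = {
  migration: { selectors: new Set(["0xaaaaaaaa"]), mayPayEther: false },
};

// Returns { verdict, findings }; verdict is "SIGN" only when nothing is off.
function inspectRequest(req, purpose) {
  const findings = [];
  const rule = POLICY[purpose];
  if (!rule) return { verdict: "REFUSE", findings: [`no policy for purpose "${purpose}"`] };

  const to = String(req.to || "").toLowerCase();
  if (!TRUSTED_CONTRACTS.has(to)) findings.push(`target ${to || "(missing)"} is not on your allowlist`);

  const selector = String(req.data || "").slice(0, 10).toLowerCase();
  const fn = KNOWN_SELECTORS[selector];
  if (selector.length < 10) findings.push("no function selector: this is a plain value transfer");
  else if (!fn) findings.push(`unknown selector ${selector}: cannot tell what it does`);
  else if (!rule.selectors.has(selector)) findings.push(`a ${purpose} should not call ${fn.name} (${fn.effect})`);

  // Ether attached to the call; malformed or missing values count as zero.
  const wei = /^0x[0-9a-f]+$/i.test(req.value || "") ? BigInt(req.value) : 0n;
  if (wei > 0n && !rule.mayPayEther) findings.push(`request sends ${wei} wei; a ${purpose} is free`);

  return { verdict: findings.length ? "REFUSE" : "SIGN", findings };
}

// Constructed request shaped like the February campaign: the "migration" button on a
// cloned page really submits an order-matching call to an unfamiliar contract.
const phishingRequest = {
  to: "0x2222222222222222222222222222222222222222",
  data: "0xab834bab" + "00".repeat(64),
  value: "0x0",
};
console.log(inspectRequest(phishingRequest, "migration"));
```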

Midjourney, Ape Phishing, 2022. Courtesy of the artist

How to Protect Yourself

Whenever a major, newsworthy phishing campaign occurs, you’ll hear the same advice.

You’ll hear a lot about cybersecurity best practice. For example, “pay extra attention to where and when you sign a transaction,” Check Point wrote in their blog, adding “we don’t recommend clicking on links from emails no matter who is the sender, always try to find the same information on the website provider.”

You’ll also hear a lot about education. “When individuals get more educated, it prevents the likelihood of phishing attacks taking place,” Jake Fraser of Mogul Productions told me last month. “It is crucial that they know how to identify the red flags when a phishing attack is taking place.”

You’ll hear a lot about awareness. Like from the CTO of GameFi company Bluzelle who, in an interview with Cointelegraph, could only offer platitudes. “Users need to be super aware of the risks of responding to and acting upon emails they receive,” he said. “Emails can be faked very easily, and users need to be proactive about the safety of their crypto assets.”

Basic cybersecurity, education, and awareness are all good principles, but they don’t stick. The average person receives well over a hundred emails every day. How can you be “aware” for every single one of them, every day, for the rest of your life? How many of us are going to spot a small discrepancy in an otherwise perfectly copied email, especially when we’re tired or multitasking or listening to music?

Ultimately there’s only one reliable way to protect your NFTs against cyberattackers. It’s something Todd Kramer learned the hard way.

Luckily — and controversially — OpenSea was able to pause the sale of some of his assets before they were sold off. But after a still-seven-figure loss, he got the message. Five hours into the worst night of his life, he tweeted:

Update.. All Apes are frozen,,. Waiting for opensea team to get in,,,lessons learned. Use a hard wallet…

A hardware wallet — offline storage — won’t outright prevent you from falling victim to a cyberattacker, but it might mitigate the impact if you do. The extra steps involved in transferring a token to your offline wallet will give your brain extra time to scrutinize any discrepancies in an email or landing page. More importantly, hackers can’t move laterally within an offline wallet. That is to say, they can’t use one entry point — one software vulnerability, one login, one stolen NFT — to get to everything you’ve got (unless that one entry point is your private key).

If Todd Kramer had stored his NFTs on a physical device, his hacker would’ve needed access to that device in order to sell off its contents. If the victims of February’s OpenSea attack had used offline storage, there simply would’ve been no NFTs to steal from their accounts. And, while we’re at it, cold storage could’ve saved Waka Flocka Flame $19,000.

In the months and years to come there will be more stories of NFT phishing. Blockchain-based assets are just too juicy for cyberattackers to pass up. But will that deter collectors? Kramer is still an active member of the community even after his seven-figure loss. How much would it take for you to give up this hobby?

Hopefully, with the knowledge you have now, you’ll never have to reckon with that question.

🎴🎴🎴

Nate Nelson is a freelance writer for some of the world’s leading technology companies, dev teams and crypto YouTubers. He writes and produces “Malicious Life,” a Top Tech podcast on Apple and Spotify, and co-hosts “The Industrial Security Podcast,” the leading show in its field. You can find his work on Forbes, Medium, and publications around the web.