Losing an NFT is more than just losing a screenshot– it could be millions or multiple millions of losses.
With a higher number of individual wallets suddenly becoming worth millions due to price increases, the rise of NFT theft is inevitable.
A quick refresher: as unique digital assets that live on a blockchain, NFTs represent anything from game assets or characters, songs, articles, digital art, and even tweets. The tokens themselves are valuable because they are unique and cannot be faked since they are blockchain assets– and markets respond accordingly to the provable scarcity. The actual trade value of an NFT depends on how well-known its creators are, its previous purchase value, ownership history.
Now that we know what NFTs are and why they are valuable let's talk about some times NFTs were stolen by hackers and how.
OpenSea's User Side Hacks
OpenSea is one of the world's largest NFT marketplaces. So when, in February 2022, several OpenSea users reported that their accounts had been compromised, it spread like wildfire.
First, it was thought that the hack had led to NFT thefts worth about $200 million.
Then, a Twitter thread posted by blockchain security analysis firm PeckShield was retweeted by the CEO of OpenSea. The thread shared a technical analysis of the hack, revealing that only about $1.7M worth of NFTs had been stolen, and that there were 17 users affected.
Whereas readers had initially believed that OpenSea itself was compromised, it came out that the hack occurred through a phishing attack.
While it looks like only 17 users were affected by the attack, others are concerned that they may have been compromised as well, although these complaints have yet to be addressed by OpenSea.
Even more, OpenSea faces legal action by one of the victims who lost a Bored Ape NFT worth millions.
Besides the legal suit and the phishing attack, Fortune reports that OpenSea paid about $1.8 million to some of its users after a bug on its website allowed bad actors to purchase NFTs for less than what they were worth.
The MetaMask Hack
Metamask is a secure wallet app and web browser known for storing Ethereum tokens and NFTs.
In December 2021, a phishing attack impersonating Metamask Support invited users to seek help by filling out a Google Docs form. The form requested the user's secret recovery phrase. A secret recovery phrase would allow a malicious actor to respawn a user's wallet and steal its content.
Seeing as Metamask is an ETH wallet, this would majorly affect a user's NFTs.
Fortunately, the attack was discovered early and the phishing bot was flagged by Metamask.
Sleepminting: The Beeple NFT Theft
Beeple's Everydays – The First 5000 Days is one of the most valuable NFTs in existence. Sold for a whopping $69M, this NFT rocked the blockchain universe.
So when it was hacked by someone called "Mr. Nobody," (aka Monsieur Personne), it was pretty alarming.
Sleepminting, first introduced by Personne, is a process that allows a hacker to “mint” an NFT under the name of someone without their knowledge or consent.
In April 2021, Personne, a self-acclaimed “white-hat” hacker, went on a mission to show the world how vulnerable the technology of NFTs are by attacking the most well-known NFT transaction. Personne sleepminted a second copy of Beeple’s Everydays – The First 5000 Days in Beeple’s name and then gifted the original, unapproved copy to someone named Arsene Lupin.
Lupin listed the NFT on Rarible and OpenSea, starting at a 0.01WETH, a despicable price compared to its value. Rarible and OpenSea eventually canceled the listing.
When contacted, Personne wrote, “The goal I want to achieve with this is to take the most expensive and historic NFT and show that if it is not protected, how can we guarantee that any NFT is safe from intentional malice, fraud, forgeries, theft, etc.?”
Final Thoughts: NFT Theft
NFTs have the potential to revolutionize hundreds of industries all over the world. As the technology advances, we’ll, unfortunately, most likely see some more thefts, and accompanying security improvements.
As an NFT owner, keeping your assets secure is vital.
- Use secure wallets to protect your addresses from attack
- Never give out your seed phrase
- Only use complex passwords that include phrases, numbers, and symbols
- Store all your passwords and phrases in physical form, locked away safely (not on your computer)
Don’t make it easy!