NFT Theft Analysis
In this article I’d like to provide some data regarding the recent NFT thefts. The original data is provided by Decrypt. Analysis is provided by Callisto Security Department.
On July 17 2022 the hackers compromised the Premint website and caused a malicious pop-up to be displayed to Premint users. The message in the pop-up tricked users into sending funds to the hackers address masquerading it as a “security measure”.
As the result 320 NFTs were stolen. At the moment of writing hackers sold 302 NFTs and kept another 18.
Backend security model of the Premint platform.
- Human factor / internal privileges exploitation. Premint team member with sufficient privileges could deploy the malicious code intentionally.
- Backend security model flaws.
- Error on service provider side. Human factor exploit or security model flaw could happen on the side of service provider that Premint was using.
- Users could avoid losing their funds in this hack by simply not providing their sensitive data to the malicious pop-up. If something looks like a service is acting as if it wanted to steal your funds — it may be true.
On February 19 2022 a number of addresses transferred their ETH and NFTs to this address (labeled as phishing by Etherscan now). According to their feedbacks this was unintentional.
It is assumed that someone created a phishing copy of the OpenSea marketplace service that tricked users into sending Ether and NFTs to the hackers address.
We don’t know where this happened exactly.
This is a mistake on the user’s side. Someone created and promoted a version of the web page that was then used by confused NFT owners. This could not be prevented by the OpenSea team.
- Users could avoid losing their funds by paying more attention to (1) what services they use and (2) what these services are going to do with their funds.
- Transaction should include a description of what actions it is intended to trigger and users must be allowed to verify the exact destination of the transaction.
On April 25 2022 a hacker compromised the official Bored Ape Yacht Club Instagram account and shared a malicious link to the web page. The web page promised users to airdrop virtual land in the upcoming metaverse but requested them to sign a transfer of their funds instead.
As the result 91 NFT evaluated at roughly $2,800,000 were drained from users.
Social media management security model.
- Human factor / internal privileges exploitation. Any person in charge of the official Instagram account could intentionally share a malicious link.
- Human failure. A person in charge of official Instagram account could unintentionally compromise the account.
- Failure on Instagram side. Human-factor errors also apply to the Instagram platform as well.
- As always, users could avoid being scammed by not following the announcement and not giving their NFTs to the hackers.
- Transaction info should have been verified prior to signing.
Actor and producer Seth Green purchased ‘Bored Ape Yacht Club #8398’ NFT which granted him the rights to use a cartoonish character displayed on this NFT. He called this character Fred Simian.
Unfortunately Fred NFT was stolen from Seth Green and thus the actor lost his intellectual property rights. The NFT was bought by the collector (DarkWing84) from the hacker. In order to reclaim the rights to use Fred Seth Green purchased the NFT again for $300,000.
- This is a mistake on the user’s side.
- Ethereum account management mistake — Seth Green should have separated his “hot wallet” that was used to pay for interactions and “storage wallet” that actually held his most valuable assets.
- It is evident that in most cases NFT hacks do not involve any exploits in the NFT smart-contracts — unlike ERC20 that could potentially harm users on their own ERC721 standard is a step forwards security-wise.
- In most cases security issues appear on the side of third party services or user interfaces.
- It is incredibly important to understand that nothing is perfectly secure. Official accounts are prone to hacks. Teams of people are prone to bribery, corruption and greed. Secure applications must be designed with this in mind and communities of must be informed that every interaction must be verified.
- The main target for the attackers is third party service providers / infrastructure applications.