An OpenSea relisting bug has resulted in exploiters stealing at least $1.3 million worth of various NFTs. The attackers have begun routing the ETH from the sales through Tornado Cash to prevent tracing.
Hackers have stolen at least $1.3 million in the form of NFTs after exploiting a bug on the NFT marketplace OpenSea. The bug allowed the hackers to purchase high-priced NFTs for small sums, which they then resold at much higher prices. The attack occurred on Jan 24, with at least eight high-value NFTs affected.
Initial analysis has identified that at least three hackers were involved, with one going by the name of ‘jpegdegenlove.’ The NFTs in question came from the Bored Ape Yacht Club, Mutant Ape Yacht Club, Cool Cats, and Cyberkongz NFT series. For example, the Bored Ape Yacht Club NFT #9991 was purchased for $1,800 and sold for $196,000.
After selling the NFTs, the attackers used Tornado Cash to prevent the ETH from being traced. Interestingly, the hacker jpegdegenlove sent ETH to two of the victims, compensating them, though not entirely.
Orbs developer Rotem Yakir said on Twitter that the bug stemmed from the fact that you could relist an NFT without canceling the earlier listing (which can no longer be done), and that the previous listings were not canceled on-chain. Furthermore, he said that OpenSea was an ‘old product’ that is:
“Slow, bad UX, with old smart contracts code which makes you pay much more gas than you should and not beneficial for traders.”
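The relisting problem described above can be modelled as a seller-side audit; this is an added example, not OpenSea's code and not part of the original article. It assumes a simplified order book in which a listing stays fillable until it is canceled on-chain, and the `Listing` fields, addresses, token names and prices are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Listing:
    seller: str
    token: str                       # "collection#id" (constructed naming)
    price_eth: float
    created: int                     # creation time of the listing
    cancelled_onchain: bool = False  # assumption: only this invalidates it

def audit(listings):
    """For each (seller, token): the price the newest listing displays,
    the lowest price that is still fillable, and the stale listings
    that still need an on-chain cancel."""
    groups = defaultdict(list)
    for item in listings:
        groups[(item.seller, item.token)].append(item)
    report = {}
    for key, group in groups.items():
        live = [item for item in group if not item.cancelled_onchain]
        if not live:
            continue
        newest = max(live, key=lambda item: item.created)
        stale = sorted((i for i in live if i is not newest),
                       key=lambda i: i.price_eth)
        report[key] = {
            "displayed_eth": newest.price_eth,
            "fillable_eth": min(i.price_eth for i in live),
            "stale": stale,
        }
    return report

def exposed(report):
    """Tokens that can still be bought below the price currently shown."""
    return sorted(k for k, v in report.items()
                  if v["fillable_eth"] < v["displayed_eth"])

# Constructed sample: seller A relisted without canceling, seller B canceled first.
SAMPLE = [
    Listing("0xSELLER_A", "example-collection#1", 0.8, 1000),
    Listing("0xSELLER_A", "example-collection#1", 90.0, 2000),
    Listing("0xSELLER_B", "example-collection#2", 5.0, 1000, cancelled_onchain=True),
    Listing("0xSELLER_B", "example-collection#2", 12.0, 2000),
]

if __name__ == "__main__":
    for key in exposed(audit(SAMPLE)):
        print("still fillable below displayed price:", key)
```

Seller A's token shows the newer, higher price but remains purchasable at the old one, while seller B's on-chain cancel leaves only the new listing live.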
NFTs becoming lucrative targets
NFTs seem to have become one of the major targets of attackers in the crypto space. Multiple incidents have been reported recently. This is unsurprising, given how popular NFTs have become in the past year.
The most significant of these incidents occurred when a hacker stole Crypto Apes from OpenSea, which resulted in the latter freezing $2.2 million related to the theft. The decision to freeze the funds sparked criticism from the crypto community, who said that it was “anti-crypto.” Another Bored Ape NFT collector lost nearly $1 million to Discord scammers.
These attacks have been growing in number, with Nifty Gateway also having suffered hacks, and they do not look like they will subside anytime soon. NFT marketplaces will have to put more resources towards security, or risk losing users.