Bugs in the OpenSea NFT Platform Allow Hackers to Steal Cryptocurrency Wallets

Details recently emerged of a bug on the OpenSea NFT marketplace that allowed attackers to hijack user accounts and drain the cryptocurrency wallets connected to them. 

The attack method is as simple as crafting an NFT with a malicious payload, sending it to a victim and waiting for them to view it. 

Several users reported emptied cryptocurrency wallets after receiving free NFTs on the OpenSea marketplace. Giving tokens away in this way, known as “airdropping”, is a common marketing tactic for promoting new virtual assets. 

Users are reporting empty wallets following the NFT airdrop. 

Check Point researchers were intrigued by these reports and decided to take a closer look at how the platform works and to look for vulnerabilities. 

An OpenSea account requires a third-party cryptocurrency wallet from a list supported by the site. One of the most popular is MetaMask, which the researchers used for their testing. 

Anyone can sell digital art on the OpenSea platform, which accepts files up to 40 MB in size with any of the following extensions: JPG, PNG, GIF, SVG, MP4, WEBM, MP3, WAV, OGG, GLB, GLTF. 

Knowing this, Check Point uploaded an SVG image containing malicious JavaScript to OpenSea. When they clicked on it to open it in a new tab, they saw that the file was rendered, and its script executed, under the ‘storage.opensea.io’ subdomain. 

They then added an iframe to the SVG that loaded HTML code using the “window.ethereum” provider object (which MetaMask injects into every page) to communicate with the victim’s Ethereum wallet. 
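The upload-side control that would have stopped this payload is to reject (or rasterise) any SVG containing active content before it is stored. The following scanner is an added example written for this article, not code from OpenSea or Check Point. It walks the SVG with Python's standard XML parser and flags the constructs that let an "image" run script in the viewer's origin: script elements, foreignObject wrappers (which is how an HTML iframe ends up inside an SVG), embedded HTML elements, on* event handlers, javascript: URIs, and SMIL set/animate elements that rewrite an href at runtime. The function names and the sample SVGs, including the attacker.example URL, are constructed for this example.

```python
"""Scan an uploaded SVG for active content before it is stored or served.

Added example (not OpenSea's or Check Point's code). Sample inputs below are
constructed for this example.
"""
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml

# Elements that execute script or embed a second document inside the image.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed", "frame"}
# Attributes that SMIL <set>/<animate> can retarget to load a new URI.
HREF_ATTRS = {"href", "xlink:href"}


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def _is_script_uri(value: str) -> bool:
    """True for javascript: and data:text/html URIs, ignoring whitespace/control
    characters that browsers skip before the scheme (e.g. 'java\\nscript:')."""
    cleaned = "".join(ch for ch in value if ch > " ").lower()
    return cleaned.startswith("javascript:") or cleaned.startswith("data:text/html")


def scan_svg(document: bytes) -> list[str]:
    """Return a list of findings; an empty list means no active content was seen."""
    findings: list[str] = []
    try:
        root = ET.fromstring(document)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]

    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        # <set attributeName="xlink:href" to="javascript:..."> rewrites a link at runtime.
        if tag in {"set", "animate"} and _local(elem.get("attributeName", "")) in HREF_ATTRS:
            findings.append(f"<{tag}> retargets {elem.get('attributeName')}")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif _is_script_uri(value):
                findings.append(f"script URI in {name} on <{tag}>")
    return findings


# Constructed samples for this example.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09f"/>
</svg>"""

# Mirrors the shape of the payload described above: inline script plus an
# iframe wrapped in <foreignObject>, and a link whose scheme is split by a newline.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>/* would call window.ethereum here */</script>
  <foreignObject width="1" height="1">
    <iframe xmlns="http://www.w3.org/1999/xhtml" src="https://attacker.example/wallet.html"></iframe>
  </foreignObject>
  <a xlink:href="java&#10;script:alert(1)"><rect width="10" height="10"/></a>
</svg>"""

# No <script> at all: the href is swapped in by a SMIL <set> element.
SMIL_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a><rect width="10" height="10"/>
    <set attributeName="xlink:href" to="javascript:alert(1)"/>
  </a>
</svg>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG), ("smil", SMIL_SVG)):
        print(label, scan_svg(doc))
```

Scanning alone is not a complete fix: an allow-list scanner will eventually miss a new vector, so user-uploaded files should also be served from an origin that users do not associate with the platform, with headers that stop the browser rendering them as a document (Content-Disposition: attachment, or a Content-Security-Policy sandbox directive), or converted to a raster format such as PNG at upload time.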

The wallet is then driven through the Ethereum JSON-RPC API exposed by that object: a connection request causes MetaMask to display its prompt asking the user to connect their wallet to the site. 

Because such prompts look like routine notifications from the wallet, users are likely to approve them without reading what they are authorising. 

Since the prompt came from an opensea.io domain and looked like the behaviour users see during ordinary NFT operations, it is easy to see how victims could be deceived. 

Check Point researchers detailed the attack as follows: 

  1. A hacker creates a malicious NFT and sends it to a victim. 
  2. When the victim views the malicious NFT, a pop-up served from OpenSea’s storage domain appears, requesting access to the victim’s cryptocurrency wallet.
  3. The victim clicks to connect their wallet, expecting to perform an action on the gifted NFT, and in doing so grants the attacker access to the wallet.
  4. The attacker can then drain the wallet by triggering a second pop-up, likewise served from OpenSea’s storage domain, that asks the victim to approve a transaction.

On September 26, Check Point researchers notified OpenSea of their findings. The two parties worked together to resolve the issue, and OpenSea had a fix in place less than an hour after the responsible disclosure. 

According to OpenSea, it found no evidence that attackers had exploited this vulnerability, but it will continue to raise awareness and educate the community on security best practices and how to spot scams and phishing attempts. 

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. He is recognised for his insights into offensive security and emerging technologies such as blockchain, and often contributes to broader cybersecurity conversations across the country. With an extensive background as a security advisor to major Australian enterprises, Ahmed helps organisations navigate the evolving threat landscape with clarity and confidence.
