Categories
Security

Thief steals $1 million of Bored Ape Yacht Club NFTs with Instagram hack

A hacker has stolen NFTs worth millions of dollars after compromising the official Instagram account for Bored Ape Yacht Club (BAYC) and using it to post a phishing link that transferred tokens out of users’ crypto wallets.

The hack was disclosed on Twitter by BAYC just before 10AM ET on Monday morning. “There is no mint going on today,” the Tweet read. “It looks like BAYC Instagram was hacked.”

Another tweet from a user unaffiliated with the project claimed to show the image that had been posted from the BAYC account, promoting an “airdrop” — essentially a free token giveaway — for any users who connected their MetaMask wallets.

Unfortunately, BAYC’s warning came too late for a number of holders of the extremely expensive Bored Ape NFTs, along with many other valuable NFTs stolen in the hack. A screenshot posted by one Twitter user showed an OpenSea page for the hacker’s account receiving more than a dozen NFTs from the Bored Ape, Mutant Ape, and Bored Ape Kennel Club projects — all presumably taken from users who connected their wallets after clicking on the phishing link.

The profile page tied to the hacker’s wallet address was no longer visible on OpenSea at time of publication. OpenSea head of communications Allie Mack confirmed to The Verge that the hacker’s account had been banned on the platform, as OpenSea’s terms of service prohibited fraudulently obtaining items or otherwise taking them without authorization.

But given the decentralized nature of NFTs, the contents of the hacker’s wallet can still be viewed on other platforms. Seen through NFT platform Rarible, the wallet contained 134 NFTs, among them four Bored Apes and many other items from projects made by Yuga Labs — the creators of BAYC — such as Mutant Apes and Bored Ape Kennel Club.

Independently, each of the stolen Apes is worth well into six figures based on the most recent sale price. The lowest priced Ape, #7203, last sold four months ago for 47.9 ETH — equivalent to $138,000 at current exchange price. Ape #6778 was last sold for 88.88 ETH ($256,200), while Ape #6178 sold for 90 ETH or $259,400. And Bored Ape #6623 was the most valuable of all, sold three months ago for 123 ETH ($354,500) — meaning that collectively the total value of the four stolen Apes is just over $1 million.

It is not known yet how the hacker was able to compromise the project’s Instagram account. In a statement sent to The Verge by email and also posted on Twitter, Yuga Labs said that two-factor authentication was enabled at the time of the attack and that the security of the Instagram account followed best practices. Yuga Labs also said that the team was actively working to establish contact with affected users.

Though NFTs can be bought and sold for huge sums of money, they are often held in smartphone wallets rather than more secure environments because the popular decentralized crypto wallet application MetaMask only supports NFT display on mobile. It also encourages users to manage NFTs through the smartphone app rather than the browser-based extension. This means that the use of Instagram to deliver a phishing link is an effective way to steal NFTs, as the phishing link is more likely to be interacted with from a mobile wallet.

While security advice in the crypto space suggests NFT holders never connect their wallet to an unknown or untrusted third party, the fact that the phishing link was sent through the official BAYC social media account likely convinced the victims that it was legitimate, raising difficult questions about where exactly the fault lies.

Yuga Labs did not respond to an email from The Verge asking whether victims of the hack would be compensated by the project for their losses.



Repost: Original Source and Author Link

Categories
Security

OpenSea fixes vulnerabilities that could let hackers steal crypto with malicious NFTs

OpenSea has fixed vulnerabilities in its platform that could’ve let hackers steal someone’s crypto after sending them a maliciously crafted NFT. The issue was found by security firm Check Point Research, which noticed tweets from people claiming they were hacked after being gifted NFTs, according to a blog post. The researchers talked to one of the people who said they were attacked, found vulnerabilities proving an attack could happen this way, and reported the problems to OpenSea. The security firm says the NFT trading platform fixed the issue within an hour and worked with researchers to make sure the fix worked.

While the attackers potentially being able to drain entire wallets is certainly not a good look for OpenSea, it wasn’t a simple matter of just gifting someone an NFT — the exploit needed its target to click on a few prompts first, including one that might include transaction details. While being sent an NFT gift doesn’t require any interaction on your part, the malicious NFTs were harmless if they just sat unviewed in an OpenSea account.

[Image: The transfer confirmation message users may see while viewing an infected NFT. Credit: Check Point Research]

The potentially dangerous situation occurs when viewing the image by itself (by, say, right-clicking on it and hitting “open in new tab”). For users with a crypto-wallet browser extension like MetaMask installed, it initiates a popup asking to connect storage.opensea.io to their wallet. If the target clicks yes, the attackers could snag the wallet’s information and trigger another popup asking to approve a transfer from the victim’s wallet to their own. If you’re not paying attention or didn’t realize what was going on and confirmed the transfer, you could wind up losing everything in your wallet.

OpenSea says in a statement that it hasn’t found any instances of someone actually carrying out that kind of attack — though it’s still unclear what happened to the people who say they were attacked. As far as I could find, there were only a few people talking about being hacked after receiving a gift NFT.

OpenSea says it’s working with third-party wallet providers to help people recognize malicious signature requests. Still, for the most part, standard internet safety rules apply — don’t click on things that seem out of the ordinary, and definitely don’t confirm any transaction requests unless you’re entirely sure it’s something you want to do.

While this particular attack required a lot of interaction (as well as at least some amount of inattention) from the target, it’s good to see Check Point’s confirmation that OpenSea has fixed it. It’s easy to imagine people new to NFTs potentially getting their wallets drained, and we’ve seen examples of bad actors and scammers in the crypto space. There are those who are willing to steal people’s Ethereum, pretend to be OpenSea support employees, or sell an almost certainly fake Banksy.

OpenSea also announced on Monday that it would hide gifted NFTs from an account’s page by default if they’re from unverified collections and add an option to suspend your account from buying or selling NFTs if you think your wallet has been compromised.


Categories
Game

Louis Vuitton is making a mobile game with embedded NFTs

The worlds of fashion and gaming are cozying up to one another. From Gucci selling digital items in Roblox to Vogue’s virtual fashion spread starring Gigi Hadid, the two industries are increasingly overlapping to capture a young, tech-savvy audience. Now, Louis Vuitton is jumping on the bandwagon by releasing a mobile video game to celebrate its founder’s 200th birthday. Louis: The Game stars the fashion house’s mascot Vivienne, a wooden doll embellished with the company’s flower insignia, on a journey through the brand’s history, reports Austrian newspaper Kurier.

The iOS and Android game reportedly tasks players with exploring a colorful world by completing various quests — all pretty generic so far. Whether it turns out to be more than just an unashamed bit of promotional fluff remains to be seen. The game drops on August 4th. If LV goes all-out psychedelic like it did with its recent UFO-style speaker, then it could be worth a look.

According to WWD, the game will also feature “embedded NFTs.” Though that hardly sounds promising. The one-of-a-kind digital collectibles have gone from multi-million dollar auctions to freebies designed to promote throwaway pop culture, like Warner Bros.’ recent Space Jam reboot.





Categories
Tech News

What are NFTs, and why are people paying millions of dollars for them?

A couple of days ago, the musician Grimes sold some animations she made with her brother Mac on a website called Nifty Gateway. Some were one-offs, while others were limited editions of a few hundred – and all were snapped up in about 20 minutes, with total takings of more than US$6 million.

Despite the steep price tag, anybody can watch or (with a simple right-click) save a copy of the videos, which show a cherub ascending over Mars, Earth, and imaginary landscapes. Rather than a copy of the files themselves, the eager buyers received a special kind of tradable certificate called a “non-fungible token” or NFT. But what they were really paying for was an aura of authenticity – and the ability to one day sell that aura of authenticity to somebody else.

NFTs are a cultural answer to creating technical scarcity on the internet, and they allow new types of digital goods. They are making inroads into the realms of high art, rock music, and even new mass-markets of virtual NBA trading cards. In the process, they are also making certain people rich.

How NFTs work

NFTs are digital certificates that authenticate a claim of ownership to an asset, and allow it to be transferred or sold. The certificates are secured with blockchain technology similar to what underpins Bitcoin and other cryptocurrencies.

A blockchain is a decentralized alternative to a central database. Blockchains usually store information in encrypted form across a peer-to-peer network, which makes them very difficult to hack or tamper with. This in turn makes them useful for keeping important records.

The key difference between NFTs and cryptocurrencies is that currencies allow fungible trade, which means anyone can create Bitcoins that can be exchanged for other Bitcoins. NFTs are by definition non-fungible, and are deployed as individual chains of ownership to track a specific asset. NFTs are designed to uniquely restrict and represent a unique claim on an asset.

And here’s where things get weird. Often, NFTs are used to claim “ownership” of a digital asset that is otherwise completely copiable, pastable, and shareable – such as a movie, JPEG, or other digital files.

So what is an authentic original digital copy?

Online, it’s hard to say what authenticity and ownership really mean. Internet culture and the internet itself have been driven by copying, pasting, and remixing to engender new forms of authentic creative work.

At a technical level, the internet is precisely a system for efficiently and openly taking a string of ones and zeroes from this computer and making them accessible on that computer, somewhere else. Content available online is typically what economists call “non-rivalrous goods,” which means that one person watching, sharing, or remixing a file doesn’t in any way impede other people from doing the same.