The (Other) Problem with NFTs

Physical artworks in museums are usually well-guarded, but digital artworks are something else entirely: in 2021 alone, scammers successfully stole 100 million dollars worth of non-fungible tokens, or NFTs. Yet blockchain technology, where most NFTs live, is one of the most secure technologies in history. Why, then, do NFT collectors keep getting hacked?

Hosted By

Ran Levi

Co-Founder @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 15 million downloads as of July 2022.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Oded Vanunu

Head of Products Vulnerability Research at Check Point Software Technologies, Ltd.

More than 15 years of Cyber Security experience. A Security Leader & Offensive Security expert.
Leading products & technologies security research from a design level to post release.
Expertise: leading Security Research Teams, Vulnerability Research & Security architecture.


Security of Famous Art

What are the most valuable things you could own? Precious jewels? One-of-a-kind sports cars or memorabilia?

How about artworks?

Rare and popular art is worth far, far more than its weight in gold or paper money. The most expensive sale of a painting — da Vinci’s Salvator Mundi — was for 450 million dollars, five years ago. And Salvator Mundi isn’t da Vinci’s most famous, or even his second most famous piece. One can only guess how much the Mona Lisa would go for.

Because art is so expensive, some museums employ serious security protocols to keep it protected. As much as in the Hollywood movies, if not more.

Of course there are guards in every room, doors and windows are always fitted with alarms, and motion sensors paint invisible laser patterns across gallery rooms. But motion is just one way to sense an intruder — a 2000 New York Times article highlighted museums with, quote, “infrared sensors that monitor a room’s temperature and can see the shapes of warm bodies moving through it; ultrasonic sensors that trigger an alarm if their sound waves strike a foreign object; microwave sensors that work on the same principle but can be hidden within walls.” End quote. Acoustic sensors attached to display cases can pick up when glass is being cut. Trackers — like LoJacks, devices originally designed for tracing stolen vehicles — can be placed onto artworks themselves, if they’re not too delicate. Otherwise, cameras can be trained on specific works 24/7, raising an alarm if the image in the frame moves even one bit. That’s in addition to the dozens or hundreds of other CCTV cameras stationed around any museum, all under watch from a control center.

These measures guard against outside thieves. For insider threats, quote: “museums now check employees’ backgrounds more carefully; issue card keys to restrict access in their buildings; spend more on guarding storage rooms, which hold the bulk of most collections; enforce stricter rules for signing objects in and out; and teach guards to watch their fellow employees as closely as they watch strangers.” End quote.

There are likely more security measures that we don’t know of publicly, because museums wouldn’t want to reveal all of their cards. In the end, the many security layers we know of, plus those we don’t, stack on top of one another to create a nearly impossible task for prospective thieves. And sure, occasionally some museum somewhere is penetrated due to some kind of oversight. But let’s be real: it’s highly unlikely that someone will be able to successfully steal Starry Night, or Michelangelo’s David. Not these days.

The Irony of NFT Security

Now compare those impressive, labyrinthine, near-Herculean safeguards we place on physical artworks to how we handle digital artworks.

This past summer, a blockchain analysis company called Elliptic published an “NFTs and Financial Crime report.” Among the findings: in one year — from July 2021 to July 2022 — scammers successfully stole 100 million dollars worth of non-fungible tokens, or NFTs. On average, 300,000 dollars in value, per successful attack.

The more you look into the data, the worse it gets. The period in question included a severe bear market, where the value of NFTs dropped drastically. And yet scams rose in frequency every single month — in the final month of the study, there were over four and a half thousand of them. And, of course, the researchers could track only publicly reported cases. We can’t say how many more attacks there were — how many millions more were stolen — and simply not reported, for one reason or another.

It’s become pretty easy to steal people’s NFTs. Really, to steal anything on the blockchain. According to blockchain research firm Chainalysis, billions of dollars in cryptocurrency are stolen every year — over 2 billion in 2021 alone, and over 3 billion in 2022. But it’s not because the technology is insecure. Consider this:

There isn’t one major corporation, one government or military that hasn’t been in some way hacked since the year 2009.

In the same period of time, the Bitcoin network has not been compromised once.

You could argue that blockchain is actually the single most secure information technology in the world today. Not every blockchain is built equally, but Bitcoin, and also Ethereum — where most NFTs live — are damn near impenetrable, for reasons we’ve explained in previous episodes of Malicious Life.

It may seem like a contradiction, that blockchains are so secure and yet the people who use them keep getting hacked. But there’s a reason why.

#1 Case of the Disappearing NFT

On December 28th, 2021, at 1:07 in the morning, the rapper Waka Flocka Flame — known best for “No Hands,” “Hard in the Paint,” and other bangers — posted a video to his Twitter account. It was an iPhone recording of his laptop screen, which displayed his digital wallet on OpenSea, the world’s leading NFT marketplace. We watch him scroll past a few different NFT artworks in his collection…

Try to look past the weirdness of it all, and really examine what he’s saying. The fake NFTs “popped up” in his wallet. All he did was click on them, and “they” stole 19 grand worth of his property. How?

“[Oded] My name is Oded Vanunu and I am the Head of Products Vulnerability Research at Check Point”

Oded Vanunu is a regular on a sister podcast of Malicious Life — about cutting-edge cybersecurity research projects — called CPRadio.

“[Oded] Recently I just finished writing a book with two of my colleagues and the book is all about blockchain hacking.”

This Fall, Oded and his colleagues came across a number of OpenSea users having their own Waka Flocka moments.

“[Oded] I remember it was like the weekend and we started to see tweets of users saying hey, we were just like receiving NFT gifts or NFT links on the OpenSea network and we lost all our assets. Like our balance was withdrawn and we don’t understand what happened.”

As just one example, there was an artist — Jeff Nicholas — who tweeted on August 24th, quote, “ .” End quote. For context, each ETH (Ethereum) token at the time cost just under 2,000 dollars. So that’s 10,000, plus Bored Apes and Crypto Kitties, which were probably worth a whole lot more.

A Twitter user named Andrew expressed sympathy. “Dude, feel so bad for you. no words,” he wrote.

Jeff replied, summing up his feelings. “It’s fucked.”

#1 CPR’s Malicious NFT Proof

“[Oded] So we started to discuss and started to say, OK, we need to investigate this scenario.”

All that was known, to this point, was that a hacker or hackers were sending NFT airdrops to users on OpenSea. Airdrops are gifts that developers send to thousands of users to promote their projects. Like, “Here’s a free NFT for your wallet, now you know about us.” They’re very common.

“[Oded] So we started to see what is the onboarding process of creating NFT.”

The first, most basic step in uploading an NFT to the OpenSea marketplace is choosing a file format: JPEG, PNG, GIF, and so on. Then there are some more niche formats, like Scalable Vector Graphics, or SVG.

“[Oded] SVG is like a JavaScript file type, meaning that I can take an image. However if you look at the code, it’s based on JavaScript.”

An SVG file might come packaged as an image but, unlike JPEGs and GIFs, it is made of markup that can embed code and have it run when the image is rendered.

“[Oded] We said, “OK, let’s try to reconstruct some kind of SVG file.” Put like an image and then let’s add some kind of JavaScript code and see if it can echo back or we can see that it’s executing our code.

Then after a few reviews and testing, we saw that it’s indeed executing our code. [. . .] it was very surprising because we thought that if I have some kind of code that I’m putting in some kind of image file, they will have protection that will block any kind of code execution.”

Oded and his team could’ve programmed their SVG NFT to do anything they wanted to an OpenSea user.

“[Oded] Then we said, OK, if it’s executing the code, we can start to communicate with the API of the user wallet, meaning that I can weaponize an SVG image that everyone that will press on it, will like it, it will execute code in the context of the user that got it.”

They wrote a simple proof of concept: when a user accepted their crafted NFT, the code embedded in it gained access to that user’s OpenSea wallet.
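Oded’s team showed what an SVG can do once it is rendered; the defender’s counterpart, added here as an example and not Check Point Research’s or OpenSea’s own code, is a server-side check a marketplace could run on an uploaded SVG before accepting it, reporting each element or attribute that can carry script. The element and attribute names are the standard SVG/HTML ones; the sample files are constructed.

```python
"""Flag executable content in an SVG before it is accepted as an image.

Added example, not Check Point Research's or OpenSea's code: walks the
SVG's XML tree and reports the (standard SVG/HTML) elements and
attributes through which a viewer would execute script.
"""
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Elements that run script or embed arbitrary HTML inside an SVG.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL-valued attributes: a javascript: scheme here runs on click or load.
URL_ATTRS = {"href", XLINK_HREF}


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_text: str) -> list[str]:
    """Return one finding per executable construct; an empty list means none.

    A parse error is a finding too: a file that is not well-formed XML is
    not an image either. For untrusted uploads in production, parse with
    defusedxml rather than the stdlib to also stop entity-expansion attacks.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            # Event-handler attributes (onload, onclick, ...) hold script.
            if aname.lower().startswith("on"):
                findings.append(f"event handler {aname} on <{tag}>")
            elif attr in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {aname} on <{tag}>")
    return findings


def is_safe_svg(svg_text: str) -> bool:
    """True only when nothing the check recognises as code is present."""
    return not find_active_content(svg_text)


# Constructed samples: a plain drawing and three ways script can ride along.
PLAIN = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT_TAG = '<svg xmlns="http://www.w3.org/2000/svg"><script>run()</script></svg>'
HANDLER = '<svg xmlns="http://www.w3.org/2000/svg" onload="run()"><rect/></svg>'
JS_HREF = ('<svg xmlns="http://www.w3.org/2000/svg" '
           'xmlns:xlink="http://www.w3.org/1999/xlink">'
           '<a xlink:href="javascript:run()"><text>open</text></a></svg>')
```

A rejected file should be refused outright rather than "cleaned", since stripping tags from hostile markup is easy to get wrong; the alternative Oded names, rendering in a sandbox, is the other defensible choice.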

So Waka Flocka opens his OpenSea account and sees a notification for a free airdrop, something very common in the NFT world. He clicks “Accept,” and that’s it. In moments, everything’s gone. With just one click.

Layer 2 vs. Layer 1

There’s a fact of this story that’s easy to gloss over, amid all the details — that at no point, anywhere, was there a vulnerability in the blockchain. Heck, unless you knew before listening, you couldn’t even tell me what blockchain we’re talking about here.

OpenSea is not a blockchain; it is a platform that operates on top of the Ethereum blockchain, through what we call a smart contract.

“[Oded] Smart contracts are basically applications.”

Like the programs you run on your laptop or phone, but on the blockchain.

“[Oded] Today, if I want to create application that will work on blockchain network, I need to create a smart contract [. . .]

There are vulnerabilities that are not by intention, vulnerabilities and misconfiguration on smart contract. It’s like creating an application on the internet that we have and we found some kind of vulnerabilities in the frontend. By exploiting the vulnerability and the application, it gives us access to the database.”

OpenSea users didn’t lose their NFTs because of a flaw in the blockchain — the database — they lost them because of a flaw in an application, written by developers. And anything written by developers is bound to have some bugs in it somewhere.

“[Oded] We managed to create this kind of attack and immediately we contacted OpenSea and said, “OK, guys. The attack from the morning or the attack from the weekend, this is how it happened. You must fix, you must create some kind of sandbox or you must remove all the file types that can contain code inside of it. This is what they actually did.”

Not every blockchain attack is the fault of the developers, though.

#2 Contract Migration Phishing

Consider when, mere months before the malicious NFT airdrops, OpenSea users faced nearly the exact same situation. It was February 19th when “Panic erupted,” wrote one blogger, “as a few users saw their wallets emptied of valuable NFTs without knowing why, and many others feared the same could happen to them.” Some guessed it had to do with a malicious airdrop, but that wasn’t it.

To understand, you need to know what really makes smart contracts unique: that, unlike regular software programs, they can never be changed. (Nothing on the blockchain can be changed.) So, if you want to update the software — at least, the part that lives on the chain — you have to create an entirely new version.

“[Oded] OpenSea created a new smart contract and all users will be – all users were required to migrate their listing on Ethereum to the new smart contract.”

To continue using OpenSea, users had to migrate their NFT listings from the old OpenSea contract to the new one. It was as easy as it sounds — follow a link, click a button, you’re done.

But a clever hacker came up with an idea.

“[Oded] They were taking advantage of the upgrade process and decided to scam NFT users by using the same mail format that was coming from OpenSea.”

Almost too easy. A hacker copy-pasted the email OpenSea sent its users, alerting them to the contract migration. They re-sent it from a lookalike domain, and replaced the legitimate link with a malicious one.

“[Oded] So the victim is like getting a link for moving to the new application of OpenSea and once the user clicked on it, it’s linking to a phishing website that looks exactly the same as OpenSea to sign a transaction.”

Users thought that the transaction they were signing would migrate their wallet. Instead, behind the scenes, they triggered an “atomicmatch_” function on the Ethereum blockchain. Basically…

“[Oded] By signing the transaction, the user or the victim actually said, “OK, I am giving you ownership of my OpenSea assets.””

Once again, nothing untoward had happened on the blockchain — merely a transfer, just like any other, from one user to another. Even from the platform’s point of view, there’s no actual error.

Only 17 people fell for the trick. But the combined 250 or so NFTs that they lost were valued, at the time, around 1.7 million dollars.

The Deadly Combination

According to data from and the research firm L’Atelier, NFTs traded for 82 million dollars in 2020. In 2021 they traded for 17.6 billion — a 21,000% year-over-year increase.

NFTs were in the news, and on Saturday Night Live. Your parents heard about them — these shiny, flashy things regular people were using to get rich quick. And if the same artworks that were worthless a few years ago sell for thousands or millions of dollars apiece, surely you should get some for yourself, right? Influencers on social media propagated this narrative to grow their followings, and YouTubers posted videos with their shocked faces in the thumbnails, with titles like “Making $1.5M In 17 minutes selling NFTs” or “BEST POTENTIAL For 10x Gains! (You DON’T Wanna Miss This NFT Project).”

And so all kinds of people ran to take part in this digital-era gold rush. Some knew what they were doing; many did not. Is it any wonder that bright-eyed, amateur investors made for such easy targets?

And then there were the engineers, who migrated to this new and exciting field. Plenty of them were smart, but the blockchain has its own logic, limitations and languages. Isn’t it inevitable that platforms created by devs with only two or three years’ experience in the field would have bugs in them?

“[Oded] So currently cybercrime is identifying that the entire blockchain ecosystem has a lot of gap in cybersecurity defense. [. . .] 

currently all the Web 3 main platforms are still not ready to deal with this amount of traffic that they are dealing. So it means that they need to spend a lot on security and on like monitoring the entire networks. That takes time.”

Wherever there are millions of dollars, hackers will be trying to get in. Wherever there are gullible people, hackers will smell blood. Until cryptocurrencies and NFTs become a lot less profitable, or the people who use them become a lot more experienced, blockchain will continue to be the most attractive place for cyber attackers to pick up a quick buck.

#3 Axie Infinity

There may be no better demonstration of this — of the risks in NFT security, and just how dangerous it is to be in this industry right now — than what happened to one video game studio last March.

Maybe you’ve heard of Call of Duty, Fortnite, and Candy Crush, but what about Axie Infinity? If you’re unfamiliar, think Pokemon, if the Pokemon were NFTs, and you’ve got the idea. At its peak, this game reached 2.7 million daily users — not total, daily — mostly concentrated in Southeast Asia, particularly the Philippines. Weekly transaction volume for its in-game NFTs surpassed 200 million U.S. dollars.

Early last year, some employees of Sky Mavis — Axie’s developer — began receiving recruitment messages over LinkedIn private messaging. The messages seemed to come from a competing company, and encouraged the recipients to apply for a job.

One engineer was interested. According to the website The Block, the engineer pursued the opportunity, completing “multiple rounds” of interviews. Then they received their offer. All the details came in a PDF document, which they downloaded to their computer. I could tell you what happens next, but you probably already know.

According to a blog from Sky Mavis, quote, “the attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.” End quote. Validator nodes, put simply, are the trusted entities which control what happens on a blockchain. Like a Supreme Court that approves or disapproves transactions based on majority vote. Axie runs on its own little blockchain called the “Ronin” network.

“[Oded] But the decentralized system that they built had only nine validators. OK? Which is like a very small amount of validators.”

According to the developers, the Ronin network was one day supposed to have more than 100 validator nodes, very few of which would be controlled by the company itself. The goal was to prevent the very scenario that ended up occurring when they had just 9.

“[Oded] if you build a system that serves millions of users and have transactions of hundreds, of millions of dollars, you cannot have nine validators. [. . .]

because if for example a hacker managed to get 51 percent of the validators, then he can approve the transaction.”

Through the hacked employee account, the attackers managed to secure the private keys to five validator nodes — more than half of the total. With a majority of these Supreme Court judges, they had the power to deny or approve anything that happened on the blockchain and in the game. So they generated two withdrawal transactions from the game into their own account.

Two weeks after the news broke, the U.S. Treasury Department identified those attackers as the Lazarus Group — North Korea’s premier APT, known for using cybercrime to fund the Kim Jong-Un regime.

From this one phishing attack against a single NFT video game, they walked away with more money than they could’ve ever dreamed of stealing from any ordinary corporation, bank or government; probably more than all of their other cyber campaigns combined. A total of 625 million dollars.

So is it any wonder? Tons of money, easy marks. Nobody is more excited that you’re getting into NFTs than your future hackers.