A celebrity’s million-dollar NFT was stolen. Is it true that even the most powerful encryption can’t withstand social engineering?

On April 2, Jay Chou posted on Instagram that his NFT had been stolen, and NFT quickly became the dominating topic on domestic social networking sites.

Image source: Jay Chou's Instagram

Since March last year, artist Beeple's NFT painting "Everydays: The First 5000 Days" was sold at a sky-high price of 69.37 million US dollars, and NFT quickly became popular.

During this year's Beijing Winter Olympics, the price of Bing Dwen Dwen's NFT digital collections skyrocketed nearly a thousand times, attracting countless people to rush to buy them.

The popularity of NFT industry can be described as "unprecedented". Open Baidu Index and search with "NFT" as the keyword, and you will find that in the past 30 days, the daily average of search index reached 12870, and the daily average of information index exceeded 73708. It should be noted that Baidu Index exceeding 500 is a high-heat content.

The highly talked-about NFT has quickly entered the public eye.

01

What is NFT?

NFT is so popular that many netizens want to ask, what is NFT?

I'd like to take this opportunity to chat with you all.

The full English name of NFT is Non-Fungible Tokens, which is generally translated into Chinese as “non-fungible tokens/non-replaceable tokens”.

Image source: Wikipedia

It is used to represent digital assets, that is, unique encrypted tokens of videos, audios, pictures, artworks, game props, etc., and is an entry in the blockchain. Imagine that buying an NFT with Bitcoin is equivalent to buying a painting with RMB, buying a prop with game coins, and it also comes with an anti-counterfeiting mark. Isn't this easy to understand?

Of course, this description is not very accurate. NFT does not represent the digital product itself, but the certificate of ownership of the work by the buyer. We can spend money to buy an NFT of a picture, and this behavior will be recorded on the chain and prove that I am the permanent owner of this picture. Moreover, NFT can be traded for the second time, resold and given to others.

Once this concept was launched, it was sought after by many celebrities, such as Jay Chou's monkey, and there is also a blue-haired monkey in the same series. If you have a friend who likes basketball, he may have used the following avatar, which is an NFT purchased by NBA player Curry for $180,000.

Curry's boring ape avatar, picture source: Curry's Instagram

Curry spent $180,000 to buy a headshot, and I right-clicked and saved it, did I make a net profit of $180,000? OK, I'm kidding.

Although I can copy and save this picture, the real owner of this blue monkey is Curry. Just like works of art in real life, everyone may own a 1:1 replica or poster of Van Gogh's painting "15 Sunflowers in a Vase", but there is only one real original work, and it is in the hands of only one person.

NFT is very valuable. The Bored Ape in which Jay Chou and Curry participated is one of the most popular NFTs in the world. The lowest price of a single item on the Internet is 108 Ethereum, which is equivalent to 350,000 US dollars. The Bored Ape stolen from Jay Chou is worth about 420,000 US dollars. You should know that when the Bored Ape project was first launched in April last year, the price of these monkey pictures was only 200 US dollars. In less than a year, the price has increased by about 2,000 times.

According to statistics from the data agency Nonfungible, the scale of NFT transactions reached US$14 billion in 2021. It is predicted that in 2022, the transaction record of the overseas NFT market may reach US$22 billion.

02

Why was it stolen?

NFT's huge value-added space and growth trend have not only attracted a large number of retail investors to join the market, but also caused black market gangs to get ready.

Black industry gangs generally steal user information through two ways. One is to directly attack the business system; the other is to target ordinary users and use Trojans/viruses to directly intercept user sensitive data, or to deceive users into handing over their information through phishing websites.

For example, if you want to steal Jay Chou’s NFT, you can directly attack the business system to get his account and password. Jay Chou’s NFT is stored in an Ethereum wallet, so to steal the monkey NFT, you must first crack his Ethereum key.

Ethereum secret key is a string of 256 binary digits. Each digit has 2 possibilities (0 or 1). To guess all 256 digits correctly, you need to try brute force at most 2²⁵⁶ times.

How huge is this number? 2²⁵⁶ = 180 billion billion * 180 billion billion * 180 billion billion * 180 billion billion.

Such a huge number is impossible to crack even with a supercomputer. Obviously, the black market team cannot do so recklessly.

The easiest way to succeed is the second one: fraud through non-IT means, that is, inducing victims to pass security authentication through communication and thus invading sensitive information.

Just like telecom fraud, well-trained fraud gangs first create tension through deceptive rhetoric. Then they send a fake SMS link or URL of a real platform to your phone. As long as you click on it and enter your account and password or other operations, your sensitive data will be completely exposed to the fraud gang.

Image source: Wikipedia

Jay Chou was lured into a disguised phishing website, entered his account number and password, and was eventually robbed.

According to foreign media reports, several NFT projects including Boring Ape were attacked by hackers on April 1. They all released phishing information to induce users to disclose data, but it is not clear how many users were harmed.

Media investigations show that this attack on multiple mainstream NFT projects involved two cryptocurrency wallet addresses, and the assets stolen in this phishing attack eventually flowed to an unusually active cryptocurrency wallet address. The wallet contained 1,447 Ethereum (equivalent to about $5 million), 6 million Tether (equivalent to about $6 million), and a large number of other cryptocurrencies.

The fact that Jay Chou’s NFT theft incident has become a hot topic also proves that NTF has high returns and advanced encryption methods, but the cost of theft is extremely low.

03

How to prevent theft?

No matter how powerful the encryption method is, it can't beat social engineering. As the price soars, the risk of being stolen by hackers is also increasing. If you want to avoid losses, you can only rely on yourself to strengthen prevention.

First: When dealing with websites with various fancy packaging, you must carefully identify them and make sure that the domain name of the URL you open is real.

Second: Given that the secret key and mnemonic phrase of a personal Crypto wallet cannot be modified, and the anonymity of the Ethereum address, once the key is leaked, not only will the wallet be unusable, but you will also be unable to find out who the hacker is. It is important not to leak the secret key and mnemonic phrase.

Third: If your wallet is accidentally authorized on a fake website, cancel the authorization in time.

The most important thing to remember is that the blockchain field is not currently protected by our country's laws. Once it is stolen, no one can help you get it back.

►►►

Audit expert: Tan Jianfeng, senior expert in the field of information security.

END

Tadpole Musical Notation original article, please indicate the source when reprinting

Editor/Yi Shan Yan Yu Zou Jiang Hu