Author

Topic: OpenSea Allegations regarding security of customers continues - Accused of Theft (Read 78 times)

member
Activity: 198
Merit: 10
COMBO Network ex COCOS-BCX
First, I don't think that just because some people are losing interest in them means that they're necessarily on the way out. After all, there are still plenty of folks who are really excited about what NFTs can do and what they represent.

That being said, there are certainly some risks involved with NFTs, as we can see from the theft cases you mentioned. Then, it's really unfortunate when something like that happens, and it's understandable that people would be upset about it.

In my opinion is that the fact that OpenSea was sued for the stolen NFT is a sign that people are taking these issues seriously and are willing to hold companies accountable when they make mistakes.

As for the question of what happens when an NFT is stolen, it seems like the current protocol is to blacklist the item and reduce its value to zero. While this might seem harsh, I think that it's important to have some kind of system in place to discourage theft and to protect both buyers and sellers.
legendary
Activity: 1932
Merit: 1273
This is tricky situation, how does OpenSea supposes to act in "timely fashion" manner considering any hack does not have any prejudice within the blockchain senses? Further investigation is required to address an issue like that. OS locking the account might contribute as their response to deal with the situation, though, it might be the best one.

Both the user and OS are not completely free from error, though, such responses to OS accusations of theft seem to imply the user getting butthurt over their own negligence. We need to understand the root nature of things that are being utilized, which is a wallet that is fully under our control and any third party has less control over it.
legendary
Activity: 2562
Merit: 1441
Opensea being built upon ERC-20 and similar token standards. I wonder how difficult it would be to implement a feature to return stolen items to their rightful owners?

It seems most of these successful attacks are built around phishing approaches. Where a link takes them to a website that appears identical to the actual website. Except, its located on a different server. The URL will be masked or appear slightly different. The unfortunate target enters their user name and password into the fraudulent site, which captures their data. This can be a difficult route of intrusion to defend against. Stronger 2FA and beefed up security standards cannot address it as the attack never occurs on the legitimate website. But rather a fascimile.
full member
Activity: 1092
Merit: 227
NFT is on the verge of "off the trend" slowly however there is still craze about it all the time. When we say its going out of trend it's not entirely true for that portion of community who is engaged with them since first time or initial contact. However, for those who never understood the importance (if any) of the NFT's already by passed the vibe check for the same.

In the recent case, same NFT verse got hit by stolen case and it was around $500,000 in NFT valuation. The theft case happened on the popular platform that is OpenSea and in everyone's surprise the user actually sued OpenSea itself for stolen NFT.

What happens if NFT is stolen? Well in that case the NFT is blacklisted and it's value goes down to the zero. That's what the OpenSea protocol is there currently.

There are many attacks that happened on OpenSea for example.
Kevin Rose who is creator and collector of NFT's got his $1.1 million worth of NFT stolen in a phishing attack.

When Rose tried to get the NFT's back in cooperation with OpenSea, they started arguing about it and they even blocked his account. This itself proves the point that OpenSea did a very wrong move against their user.

On the other hand guy named Acres also lost his two of the NFT's and claimed that the losses are worth $ 500,000 thus he is eligible to sue marketplace for that much equivalent amount.

Please read the 10 min article as an example of what centralized market looks like and how to avoid it in the long run. This article discuss what happened between OS and Users and their conversation. Amazing read for good experience about the NFT and how to avoid them.


Quote
OpenSea has a security and fraud problem and if one account holder on the NFT marketplace is right, it is negligent in protecting its customers and guilty of extortion.

As prominent NFT creator, collector and venture capitalist Kevin Rose would no doubt attest, theft in the NFT space is a serious problem. He lost a part of his personal collection valued at $1.1 million in a recent phishing attack, although that was nothing to do with OpenSea.

Robert Acres, as we detail below, also fell victim to an NFT phishing attack. Not as high-profile a user of OpenSea as Rose, Acres had two NFTs stolen in a phishing attack.

He alleges that far from promptly trying to help him retrieve his property and prevent resale by the thieves, as OpenSea is reported to have done with Rose, the leading NFT marketplace ended up locking Acres out of his account for three months.

During that time Acres alleges he suffered large losses on the 58 NFTs in his account because he was unable to trade them.

The two now blacklisted stolen NFTs can be seen listed on OpenSea, with a warning that the items cannot be bought or sold due to suspicious activity:
https://opensea.io/assets/ethereum/0xd2f668a8461d6761115daf8aeb3cdf5f40c532c6/2299

https://opensea.io/assets/ethereum/0x4db1f25d3d98600140dfc18deb7515be5bd293af/5297

Acres’s stolen NFTs were sold by the thief for 0.5 and 0.7 WETH.

However, Acres estimates his loss resulting from not being able to trade his remaining NFTs on OpenSea at as much as $500,000 and is suing the NFT marketplace – OpenSea is a trading name of Ozone Networks Inc – to make good those losses.

He has hired the services of Traverse Legal, with managing partner and trial attorney specializing in blockchain and web3, Enrico Schaefer, heading up the team.

OpenSea user says he was locked out of his account after complaining
Acres alleges that when he complained about the slow response by OpenSea to the theft, it was then that the marketplace locked him out of his account.

According to the timestamped support communications with OpenSea seen by Cryptonews, dated July 12th 2021, the day the theft took place, Acres informed OpenSea of the theft prior to the sale of the stolen NFTs on the marketplace.

The transaction hash of the theft is shown on etherscan and timestamped at 01:38 PM UTC: https://etherscan.io/tx/0xa6bc538181d79b342cd69042eac74b9a64a1aeb99ed05d98d3f5c09a6f7bf59d

The sale took place one hour later at 02:38 PM UTC: https://etherscan.io/tx/0xd2327c65e66d0ac94282580f0a8d64d1cd155faa53d7613565d55c6ed9862b25

The email reporting the theft to OpenSea support is timestamped at 02:11 PM UTC.

The tx hashes show that there was half an hour between OpenSea being alerted to the theft and the subsequent sale on the marketplace.

Admittedly it could be argued that the half-hour window didn’t give OpenSea much time to react, but if this was legacy finance, where automated surveillance systems are in operation, processes would be in place to quickly suspend suspect activity.

But, given its lack of action to prevent the resale, it might be reasonable to conclude that OpenSea doesn’t appear to have had sufficiently robust systems in place to be able to respond to such alerts from users in a timely fashion.

OpenSea’s initial response appears to be deliberately disingenuous
In part, in its only public statement made on the matter to date, an OpenSea spokesperson, stated: “The theft in question took place outside of OpenSea and the items were sold before OpenSea became aware of the reported theft. Soon after we were notified and became aware, we disabled the items and the user’s account has since been unlocked.”

The first clause of the first sentence is correct – it was a phishing attack that had nothing to do with OpenSea. But, if Mr Acres is correct, the rest of that snippet from the statement is wrong. OpenSea, as shown above, was informed of the theft before the sale took place.

The second sentence is disingenuous to say the least as it could be taken to infer that the user’s account was unlocked soon after the two NFTs were disabled, which was not the case – Acres’s account was locked for three and half months.

Indeed, it appears it was when Acres took issue with OpenSea’s failure to prevent the sale of the stolen NFTs, that his account was locked.

In an email to Cryptonews.com, Acres writes:

“Frustrated and believing OS bore some responsibility for what had occurred, I noted that OS should be liable for monetary damages. In response, OS locked my account without notice, request, or permission.”

Acres goes on to state that “OS demanded that I swear under oath that my wallet has not been compromised (meaning OS would not be liable)”.

According to Acres’s account, when he refused to comply with the alleged demands from OpenSea, he was locked out of his account. Acres further claims that OpenSea, as a result of the lock out, prevented him from trading his 58 NFTs on the OpenSea marketplace.

OpenSea user claims the NFT marketplace “can seize your NFT assets”
Acres writes in his email to Cryptonews.com: “OS represents that its users’ NFTs are not in the custody of OpenSea. Yet, most OpenSea members are unaware that OS can seize your NFT assets and preclude you from moving or trading your NFTs for days, weeks, months, or presumably forever, even if you did nothing wrong.”

The OpenSea help center page, clearly states the opposite to be the case:

“While we can prevent your items from being bought or sold using OpenSea's services, your items remain on the blockchain and are not in the custody of OpenSea.”

OpenSea would not of course be able to prevent a user of the platform from trading their NFTs on a competing marketplace. That means it may not be the case that, strictly speaking, OpenSea “can seize your NFTs”, as Acres claims

However, in practice, most of the liquidity available in the NFT market is to be found on OpenSea. Here we see writ large the limitations of crypto decentralization in practice as opposed to its theoretical intended outcomes.

In a defense of the accusation he levels against OpenSea regarding the lock on his account, Acres told Cryptonews: “Once your wallet is 'locked' or 'blocked' all the items in your wallet are flagged as suspicious and thus no matter what wallet they are transferred to they will never be able to trade on OpenSea until they remove the flag against your account.

“Currently, OpenSea commands over 60% of all NFT trading volume and back when this incident happened it was far greater.

“The trading volume left being split by competitors means that you are not able to get the most competitive pricing and thus again builds into the financial losses being accrued by myself for a wallet lock that was placed on me against my will.

“Most individuals that trade on any OS competitor marketplace often end up using OS as the resale market after they purchase on a competitor's marketplace.

“So again, in this case, all my NFTs would carry this 'suspicious' tag when shown on [the] OS marketplace[;] the new buyer also cannot sell it and thus when they are doing their due diligence during the buying process they wouldn't purchase them as re-sale options would be limited.”

How is that line of argument likely to play out in a court of law?

OpenSea stands accused of attempted extortion
We put the same question, regarding the complainant being free to trade his NFTs elsewhere, to Acres’s lead lawyer, Enrico Schaefer, managing partner at Traverse Legal.

This was his response.

“OpenSea acquired Mr. Acres' assets by assuming control of his account, which constitutes the tort of conversion [lawyer-speak for a form of theft]. This gives individuals who are the victims of theft the legal right to take legal action to recover their damages.

“In essence, conversion provides one with the ability to file a lawsuit to obtain damages for the conversion over their property. Conversion occurs when a person, with the intention and without proper authorization, takes control of another person's property or funds, thereby limiting their ability to access it.

“The control does not need to be exclusive. The lack of response from OpenSea and the attempted extortion to unlock the account must have been a surprise and a cause for concern, as it would be for anyone in a similar situation.”

Why didn’t OpenSea respond in a timely fashion once alerted to the NFT theft?
Furthermore, Traverse Legal on behalf of Acres claims that OpenSeas had three hours to act before the sale of the stolen NFTs took place on its platform.

“If OpenSea had not waited over three hours to actively engage, the NFT could have been locked and potentially returned to his wallet,” writes Traverse Legal.

In fact the lapse of time between being alerted to the theft and their subsequent sale was actually only half an hour, as we mentioned earlier, according to Cryptonews analysis.

Nevertheless, after all of the well-documented issues on the site faced by its users, from insider-dealing to theft, OpenSea should surely by now have implemented systems and processes, automated and human, to immediately pause suspicious activity when it is flagged.

Leaving the timings aside, surely OpenSea would be able to defend themselves on the basis that Acres would have been free to trade his 58 NFTs listed on OpenSea at another venue?

“This matter is best directed to Robbie, who experienced the situation firsthand,” wrote Schaefer in an email to Cryptonews.

He continued: “However, I have previously represented clients facing similar issues. The assertion that ‘a lesser platform with fewer buyers and sellers’ could have been used instead is not a valid excuse for OpenSea to shirk its responsibilities to its platform members.

“OpenSea is the preferred platform for individuals seeking to maximize demand and pricing pressure in the market. Using a platform with a significantly lower sales volume would have resulted in a liquidation sale rather than substantive trading activity.”

The three questions for OpenSea that remain unanswered
What does OpenSea have to say about all this, beyond their initial statement shared with media outlets?

We sent OpenSea the following questions:

Why was Mr Acres locked out of his account against his will?
 
Why was Mr Acres required to perjure himself, as is alleged, in order to get his account unlocked?
 
Will Mr Acres receive compensation for losses allegedly incurred in the time that he was unable to access his account?
A week later and we are still yet to hear back from OpenSea.

It is surely the height of irony that a marketplace that trades products based on a technology whose use value is grounded in its ability to securely assign unique identities to digital and non-digital assets and other property, is not able to prevent the proliferation of fraudulent listings and the sale of said stolen assets.

Does OpenSea put the amassing of trading fees revenue above the interests of its users?

We gave Acres the final word. On telephone, in a conversation in which he agreed that the correct timing is half an hour as regards the report of the theft and the sale of the stolen property, he nevertheless insisted: “The major [of his complaint] part is the fact that they locked my account for three and a half months and asked me to perjure myself.

“I completely understand that it is a phishing scam and that acting within 45 minutes to an hour of me being notified myself and then notifying OpenSea – and that half-an-hour stretch in terms of me notifying them that it has been stolen and hoping that they could take some sort of action – is pretty slim, I do completely adhere to that. 

“But everything that follows on from that transaction is negligence 101.”

OpenSea Accused of Theft, Negligence and Extortion by User Suing NFT Marketplace for $500,000

Jump to: