In a significant development highlighting the vulnerability of digital assets, a recent case has come to light involving the theft of cryptocurrency and non-fungible tokens (NFTs) through the impersonation of the OpenSea marketplace. The defendant, Soufiane Oulahyane, is accused of employing spoofing techniques to gain unauthorized access to victims’ cryptocurrency wallets and NFT holdings.
According to the four-count indictment unsealed by the United States Attorney’s Office for the Southern District of New York, Soufiane Oulahyane devised a scheme in September 2021 to spoof the login page of OpenSea, the largest NFT marketplace. Utilizing paid advertisements on a popular search engine, Oulahyane manipulated search results to ensure his spoofed version of the OpenSea website appeared first when users searched for “opensea.”
“As alleged, Soufiane Oulahyane used a common cybercrime technique to steal victim cryptocurrency and NFTs. ‘Spoofing’ is one of the oldest tricks in the criminal playbook. Oulahyane adapted this old tool for use in a new and developing arena – the crypto space. The charges unsealed today should serve as a reminder that digital assets, such as cryptocurrency and NFTs, are not immune from cyber fraudsters and that my Office is committed to prosecuting these fraudsters both here and abroad.” -U.S. Attorney Damian Williams
Spoofing the OpenSea Login Page
Oulahyane meticulously crafted the spoofed website to resemble the authentic OpenSea login page, tricking unsuspecting victims into believing they were accessing the legitimate marketplace. When victims entered their login credentials or other private information on the spoofed site, their data was automatically sent to an email account controlled by Oulahyane.
One victim, referred to as Victim-1, unknowingly clicked on the link that led to Oulahyane’s spoofed OpenSea login page while searching for “opensea.” Victim-1, believing the website to be genuine, entered the seed phrase to their cryptocurrency wallet. This action unwittingly provided Oulahyane with access to Victim-1’s cryptocurrency wallet.
The Theft
With the stolen seed phrase, Oulahyane gained unauthorized access to Victim-1’s cryptocurrency wallet. He promptly transferred the stolen cryptocurrency to a different wallet beyond Victim-1’s control. Moreover, Oulahyane proceeded to sell approximately 39 of Victim-1’s NFTs on the OpenSea marketplace. The fraudulent proceeds from these sales were transferred to another wallet outside of Victim-1’s control.
In total, OULAHYANE stole cryptocurrency and NFTs from Victim-1 that Victim-1 had paid approximately $448,923 to obtain.
Stolen NFTs: The NFTs sold by Oulahyane included artworks from popular collections such as the “Bored Ape Yacht Club,” “Meebit,” “Bored Ape Kennel Club,” and “CryptoDad” series. These NFTs, which Victim-1 had acquired for various amounts of ETH, amounted to a total loss of approximately $448,923.
Legal Consequences
Soufiane Oulahyane, currently in custody in Morocco for unrelated charges, has been charged with wire fraud, the use of an unauthorized access device, affecting transactions with an access device to receive something of value, and aggravated identity theft. If convicted, he could face a maximum sentence of 20 years in prison for wire fraud, 10 years for the use of an unauthorized access device, 15 years for affecting transactions worth over $1,000, and a mandatory consecutive sentence of two years for aggravated identity theft.
This case serves as a stark reminder that even in the realm of digital assets like cryptocurrency and NFTs, cyber fraudsters are active and continuously adapting their techniques. The unsealing of the indictment against Soufiane Oulahyane underscores the commitment of law enforcement agencies, such as the Federal Bureau of Investigation, to hold individuals accountable for malicious cyberattacks targeting U.S. interests. As the NFT and cryptocurrency market continues to expand, it is crucial for users to remain vigilant, exercise caution, and adopt security best practices to protect their valuable digital assets from such fraudulent schemes.