A Hacker Was Selling a Cybersecurity Exploit as an NFT. Then OpenSea Stepped In

A dark twist on NFTs: a denial-of-service zero-day attack sold with full rights of ownership transferred to the successful bidder.

Mar 9, 2021 at 9:04 p.m. UTC
Updated Sep 14, 2021 at 12:23 p.m. UTC

With all the attention currently on non-fungible tokens (NFTs), there may be a new, darker side emerging – the auctioning of cybersecurity exploits. 

In a tweet Monday, Matthew Hickey of Hacker House introduced the “zero-day collection,” an “exclusive HackerFantastic authored [zero-day] exploit as part of our NFT proof-of-concept sale series.”

The first digital asset for sale in the collection is for Quake3, and Hickey termed it “highly collectable hacker artwork.”

While it may seem harmless, the idea of selling a cyber exploit raises questions about ethics and identity when in the wrong hands.

The NFT

NFTs are digital assets that represent a wide range of unique tangible and intangible items, from sports cards to virtual real estate. Unlike bitcoin and other cryptocurrencies, whose units are meant to be interchangeable, each NFT contains distinguishing information that makes it distinct from any other NFT. 

In this case, the token to be auctioned was for a cybersecurity exploit.

The listing, on the OpenSea NFT marketplace, advertised the token as a “post-authentication memory corruption vulnerability in ioquake3 engine. The issue can be exploited to cause a denial-of-service condition, code execution has been deemed unlikely. This issue has been tested on OpenArena, but should be present in all 28 games using the idTech3 (ioquake3) engine.”

“A proof-of-concept exploit is redeemed with this NFT, which contains an overview of the vulnerability and can be used to reliably trigger the issue on networked game servers. This is a single-sale item sold exclusively one time, no additional information will be provided publicly or resold by the discoverer of the issue,” the listing said.

OpenSea took down the auction and listing after it was posted yesterday. Hickey called that move “digital censorship of a content creator.” 

“I believe that they took the wrong decision here in becoming arbitrary censors of content, and I am speaking with the company to get my auction restored,” said Hickey. “I would not recommend anyone to use OpenSea in light of the circumstances.”

The token still exists in Hickey’s wallet, however. OpenSea has not responded to a request for comment by press time. 

“When I learned about NFT's and their uses for the transferring of digital assets such as collectibles, I immediately thought of digital markets such as the sale and distribution of exploits,” said Hickey in an email. “I believe it is something that may be adopted for the sale of not just exploits, but other computer code that digital content creators may wish to share in a collectible or limited edition fashion.”

“I decided to use this vulnerability to test the feasibility of NFTs to sell such exploit code as opposed to traditional sales to vulnerability acquisition programs. Everyone loves a good first-person shooter and this seemed like a good vulnerability to test a proof-of-concept sale system.

He may add more exploits to the collection in the future.

What is a zero-day exploit?

A zero-day exploit is an exploit that takes advantage of a vulnerability that hasn't previously been identified. But it must meet certain criteria, according to John Jackson, a security engineer. 

It would be a vulnerability affecting a wide target audience and requires an application or piece of hardware to be updated to a new version, he said. 

Once a zero-day exploit is revealed, it’s basically a race between those who want to exploit it and those who want to patch the affected system. 

“I believe hackers are a curious set of people, I'm sure NFTs will be used to deliver and trade zero-days or proof of concept exploits for existing vulnerabilities,” said Jackson in a message. “If there's money to be made, hackers will be there – and not all hackers are going to operate ethically.”

While Hickey’s initial NFT is relatively low stakes for a zero-day, there is the question of whether using NFTs in this way could lead to ethical or legal issues down the line. The selling of a zero-day exploit like this can serve as a valuable commodity for hackers and is seemingly legal.

Zero-day exploits are valuable in the context of bug bounty programs (with one fetching US$2 million) but they’re also valuable in underground marketplaces. One report found that, on average, a zero-day exploit takes about 69 days to patch. 

“It's a denial-of-service zero-day attack being sold with full rights of ownership being transferred to the successful bidder,” said Hickey. “If someone wishes to buy it and disclose it to the project and claim credit for the finding, they can, or they may wish to keep it a secret and trade it with others in the future. Once sold, the item is theirs to do with as they see fit.”

Why an NFT?

Hickey said he was drawn to NFTs as a content creator.

“I can create an item that can be re-sold or redistributed and whenever such activity is undertaken. I am paid a commission for my efforts on all such future sales,” he said. 

That could be a skinned customized version of a video game, a unique version of a remote access tool or even specially designed software for bypassing copyright protections. 

On OpenSea, users can create secondary sales fees for their marketplaces. 

There may be risks involved for hackers going this route, according to Jackson. 

“If anything, it's more dangerous to the hacker than society,” he said. “Before NFTs they would be shared and sold through brokers. As an NFT there's visibility on the existence of an exploit. It seems like a way to gamble away your zero-day.”

Stephen Palley, a partner at law firm Anderson Kill, said that if somebody were to use an NFT of an exploit to gain access to someone else's computer system in the United States, it would probably be a violation of the Computer Fraud and Abuse Act. However, the act of selling that NFT is more a question of ethics. 

“Publishing an exploit without remuneration is probably protected by the First Amendment,” he said. 

Preston Byrne, also a partner at Anderson Kill, had a slightly different take. 

“Selling zero-days was the third count in the Ross Ulbricht indictment, so selling them on OpenSea is probably a really stupid idea,” he said, referring to the Silk Road founder

Messing around with zero-days and leaked data is dangerous business, he said. It's fine to publish this information but it's very problematic were it to be used to intentionally facilitate the commission of a crime. 

“In a decentralized market context one also has to consider the likelihood that such a tool would be purchased by America's adversaries in relation to which export controls and Office of Foreign Assets Control (OFAC) regulations apply.”

The OFAC enforces things like economics and trade sanctions. 

The risk and reward

Hickey said he’s not worried so much as  intrigued to understand how NFT's could be used to change existing business models for the sale and distribution of exploits and security research overall. 

NFT’s offer an alternative to vulnerability acquisition programs in that a person can sell their research directly without the need for brokers or intermediaries. 

“Whilst there will always be a risk that someone can take dual-use software and misuse it, exploits and related code are already highly collectible traded commodities, thus I don't see any elevation of risks through using new methods to engage in there digital commerce,” said Hickey.

Researchers today will often publish the results of their findings for no financial gain or make use of bug bounty programs for rewards and NFT's could offer such researchers an alternative way to monetize their research efforts, according to Hickey. 

The vulnerability he is selling is of low-risk and more of an academic curiosity in one of his favorite video games to test the technology while simultaneously investigating how NFT's could be used in such instances. 

“Whilst there will always be some who seek to misuse new technologies for nefarious means, it has yet to be seen if attackers will move from shadowy black markets and brokers to more public sales of their attacks,” he said. “As a market disruptive technology, I see NFT's as offering a new way for content creators to monetize their work and see no reason why exploits and cyber security research cannot be apart of that change.”

DISCLOSURE

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.