- A phishing scam targeting OpenSea users has seen 32 of them robbed of their NFTs after they signed them away to a malicious smart contract.
- The attacker(s) reportedly took advantage of the fact that the marketplace is currently requesting its users to move their collectibles to a new smart contract.
On Feb. 19, hundreds of non-fungible tokens (NFTs), worth at least 1.7 million, disappeared from OpenSea user wallets.
According to the platform’s co-founder and CEO, Devin Finzer, what transpired was a phishing attack. A total of 32 users signed the attacker’s malicious payload between 5 and 8 P.M. EST on Saturday.
Presently, OpenSea is in the process of requesting its users to migrate their NFTs from the Ethereum blockchain to a new smart contract. The victims reportedly received emails from someone impersonating the OpenSea team. Just like OpenSea’s legitimate request, they were prompted to migrate their Ethereum listings to a new smart contract – essentially granting ownership of their NFTs to the attacker.
I know you’re all worried. We’re running an all hands on deck investigation, but I want to take a minute to share the facts as I see them:
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
Thereafter, the attacker flipped some of the NFTs for a profit. Strangely, the actor returned some NFTs to their rightful owners, along with 50 ETH to one of his victims. The latest reports show the attacker now holds $1.7 million worth of ETH from the sale of some of the NFTs. Additionally, he holds 3 Bored Ape Yacht Club (BAYC) NFTs, 2 Cool Cats, 1 Doodle, and 1 Azuki.
OpenSea: Phishing scam, not a hack
Initially, the theft was assumed to be a breach of OpenSea’s codebase, leading to the theft of $200 million, according to Twitter user Mr. Whale. However, Finzer dismissed these claims, asserting that it was, in fact, a phishing scheme. His claim was, however, rejected by Twitter user Jacob King, who said a flaw in the marketplace’s code had led to one of the largest ever NFT exploits.
At the time, the executive noted that the OpenSea team had yet to determine the website that had been “tricking users into maliciously signing messages.” In another thread, he said the OpenSea team was actively “working with users whose items were stolen to narrow down a set of common websites that they interacted with that might have been responsible for the malicious signatures.” Finzer also urged users not to click on any links outside of opensea.io.
With growth come challenges
That malicious actors are targeting NFT marketplaces is no surprise considering the vast growth and mania the industry has experienced in the last year. For instance, OpenSea, the largest NFT marketplace to date, raised $300M in its latest funding round on Jan. 4. The company is now valued at a whopping $13.3 billion.
With that have come phishing scams, such as the one experienced by several high-value BAYC holders. Hackers also recently exploited a bug on OpenSea that allowed them to purchase NFTs at highly discounted prices for flipping.