OpenSea says 32 users lost as many as 254 tokens over a window of at least three hours last Saturday while the attacker was active. The losses are estimated at $1.7 million.
A hacker who carried out a phishing attack caused late-night panic among OpenSea users after stealing NFTs worth over $1.7 million. Company officials from the world’s largest NFT marketplace made great efforts on Sunday to reassure users that it was safe to mint, buy, list, and sell NFTs on OpenSea. However, they maintained that an investigation was ongoing.
According to a tweet by OpenSea co-founder and CEO Devin Finzer, the attacker tricked 32 users into signing a malicious payload that authorized the transfer of their NFTs to the attacker for free. Finzer, who said he did not yet know where the phishing took place, said OpenSea was confident it was dealing with a phishing attack that originated outside OpenSea’s own site. He stated:
“We have confidence that this was a phishing attack […]; we don’t know where the phishing occurred, but we’ve been able to rule out a number of things based on our conversations with the 32 affected users.”
Persuaded to sign a malicious contract
The attacker sent what looked like official emails from OpenSea to the affected users, asking them to transfer their Ethereum listings to a new smart contract. According to a spreadsheet compiled by the blockchain security firm PeckShield, the stolen NFTs include tokens from the Bored Ape Yacht Club and Azuki collections. One estimate by Molly White, creator of the Web3 is Going Just Great blog, pegged the haul at 641 ETH.
What must have added to the confusion is that OpenSea really was in the process of asking users to migrate their listings from its old Ethereum smart contract to a new one, which made the emails look legitimate. According to Web3 is Going Just Great, once the affected users followed the email’s instructions they were led to sign a malicious order that allowed the attacker to take their NFTs and flip them.
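The payload described above, as an added example that is not part of the original article and is not OpenSea’s or the Wyvern project’s code: a JavaScript check a wallet or browser extension can run on an EIP-712 typed-data signature request before the user signs it. The order field names, the `side` encoding, the addresses and the two sample requests are assumptions constructed for illustration.

```javascript
// Added example, not code from OpenSea or the Wyvern project. It shows the check a
// wallet can run on an eth_signTypedData_v4 request before the user signs: an
// off-chain order signature is enough to let whoever holds it fill the order
// on-chain later, so the payload has to be read before it is signed.
// Field names follow the general shape of a Wyvern-style Order struct and are an
// assumption for illustration; all addresses and orders below are constructed.

const ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";
const USER = "0x1111111111111111111111111111111111111111";     // constructed: the connected wallet
const ATTACKER = "0x2222222222222222222222222222222222222222"; // constructed: phisher's wallet
const EXCHANGE = "0x3333333333333333333333333333333333333333"; // constructed: exchange the dapp should use

const SIDE_SELL = 1; // assumed encoding: 0 = buy, 1 = sell

function orderRequest(message) {
  // Minimal EIP-712 typed-data envelope around an Order message.
  return {
    types: {
      EIP712Domain: [
        { name: "name", type: "string" },
        { name: "version", type: "string" },
        { name: "chainId", type: "uint256" },
        { name: "verifyingContract", type: "address" },
      ],
      Order: [
        { name: "maker", type: "address" },
        { name: "taker", type: "address" },
        { name: "side", type: "uint8" },
        { name: "paymentToken", type: "address" },
        { name: "basePrice", type: "uint256" },
        { name: "expirationTime", type: "uint256" },
      ],
    },
    primaryType: "Order",
    domain: { name: "Exchange", version: "1", chainId: 1, verifyingContract: EXCHANGE },
    message,
  };
}

// Constructed phishing payload: a sell order from the victim, fillable only by the
// attacker, for a price of zero, that never expires.
const PHISHING_REQUEST = orderRequest({
  maker: USER,
  taker: ATTACKER,
  side: SIDE_SELL,
  paymentToken: ZERO_ADDRESS,
  basePrice: "0",
  expirationTime: "0",
});

// Constructed ordinary listing: open to any buyer, priced at 1 ETH, expires in a week.
const LEGIT_REQUEST = orderRequest({
  maker: USER,
  taker: ZERO_ADDRESS,
  side: SIDE_SELL,
  paymentToken: ZERO_ADDRESS,
  basePrice: "1000000000000000000",
  expirationTime: String(1645401600 + 7 * 24 * 3600), // constructed timestamp
});

const same = (a, b) => String(a).toLowerCase() === String(b).toLowerCase();

// Returns human-readable warnings; an empty list means nothing suspicious was found.
// `expectedExchange` is the contract the user believes they are listing on.
function inspectSignRequest(request, userAddress, expectedExchange) {
  const findings = [];
  if (request.primaryType !== "Order") {
    return findings; // only order-shaped payloads are checked here
  }
  const d = request.domain || {};
  const m = request.message || {};

  if (!same(d.verifyingContract, expectedExchange)) {
    findings.push(`order is bound to contract ${d.verifyingContract}, not the expected exchange`);
  }
  if (!same(m.maker, userAddress)) {
    findings.push("maker is not the connected wallet");
  }
  if (Number(m.side) === SIDE_SELL && BigInt(m.basePrice) === 0n) {
    findings.push("sell order with basePrice 0: the asset would be given away for free");
  }
  if (!same(m.taker, ZERO_ADDRESS)) {
    findings.push(`private order: only ${m.taker} can fill it`);
  }
  if (BigInt(m.expirationTime) === 0n) {
    findings.push("order never expires");
  }
  return findings;
}

// The decision a wallet would make: refuse to sign when anything is flagged.
function shouldBlockSignature(request, userAddress, expectedExchange) {
  return inspectSignRequest(request, userAddress, expectedExchange).length > 0;
}

for (const [label, req] of [["phishing", PHISHING_REQUEST], ["legit", LEGIT_REQUEST]]) {
  console.log(label, inspectSignRequest(req, USER, EXCHANGE));
}
```

The point of checking at signing time is that the signature itself is produced off-chain and costs nothing: nothing appears on-chain until whoever holds the signed order submits it, which is why the victims saw no transaction when they were phished and why the signing prompt is the last moment at which the user can still refuse.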
Victims had signed the malicious orders before OpenSea carried out its migration
OpenSea’s chief technology officer Nadav Hollander provided a technical rundown of the attack on Sunday. He ruled out a link between the attack and the migration to the new Wyvern contract: the victims had signed the malicious orders before OpenSea carried out its migration, so those orders, he said, “are unlikely to be related to OpenSea’s migration flow.” Hollander explained:
“32 users had NFTs stolen over a relatively short time period. This is extremely unfortunate, but suggests a targeted attack as opposed to a systemic issue […] we are actively helping affected users and discussing ways to provide them additional assistance.”
The company raised $300 million in new funding at a $13.3 billion valuation on Jan. 4, a valuation observers called remarkable and reflective of the mania surrounding NFTs. Given the surge in the popularity of NFTs and of the OpenSea marketplace, it is not surprising that attackers target web3 and NFT holders there.