Hacker steals over $1.7 million worth of NFTs from OpenSea users
Using a phishing attack, apparently
What just happened? OpenSea, a service recently valued at over $13 billion, has seen at least 32 of its users affected by what was apparently a phishing attack, resulting in millions of dollars worth of NFTs being stolen.
The Verge reports that 254 tokens purchased from OpenSea were stolen from the wallets of users between 5 PM and 8 PM ET on Saturday. Some of the more expensive NFTs came from Decentraland, Bored Ape Yacht Club, and Mutant Ape Yacht Club—here’s a complete list of pilfered digital assets.
Devin Finzer, the co-founder and CEO of OpenSea, has reassured users that the site is fine. He added that “as far as we can tell,” the victims had fallen for a “phishing attack.” He linked to an explanation of how the hack was enabled by exploiting the Wyvern Protocol used for most NFT smart contracts. Targets signed part of the contract, while attackers completed the rest, transferring ownership of the NFTs. Exactly how the hackers achieved this is unclear.
As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
But there are those who disagree with the phishing attack claim. Kotaku notes that some victims say the only common link between them was that they all manually migrated their NFT collections to a new smart contract on the platform, which was performed because it “fixes an issue with inactive listings that was allowing scammers to swipe valuable NFTs from collectors on OpenSea.”
HEY EVERYONE. I CONNECTED WITH A FEW OTHER PEOPLE WHO GOT HACKED JUST NOW.
ALL OF US ONLY HAVE ONE THING IN COMMON.
ALL OF OUR STOLEN NFT’S WERE ONES WE MANUALLY MIGRATED ON OPENSEA. @opensea you have so much explaining to do now.
— AlabasterJefferson (@AJFromDiscord) February 19, 2022
Again, though, others dispute this claim. “I checked every transaction,” said Neso, the user who explained how the Wyvern order was exploited. “They all have valid signatures from the people who lost NFTs so anyone claiming they didn’t get phished but lost NFTs is sadly wrong.” OpenSea has also denied that the new contracts were the origin of the hack.
Exactly how much the stolen NFTs were worth is being disputed, too. Finzer said the attacker has $1.7 million in his wallet from selling some of the stolen tokens, but another report claims the perpetrator made $2.9 million. It also appears that some of the NFTs, along with some of the money they were sold for, were returned to the owners.
It’s not been an easy time for OpenSea recently. It limited the number of NFTs people could create using its free minting tool to 50 last month, explaining that over 80% of the tokens created using this feature were counterfeit, used plagiarized content, or were spam. But the service reversed its decision and lifted the limit following an outcry from users.