
The world's largest NFT marketplace, OpenSea, suffered a major heist this weekend: 254 unique non-fungible tokens (NFTs) were stolen.
Thirty-two OpenSea wallets were emptied of NFT assets during the intrusion, which later turned out to be a phishing attack. The damage to the affected parties is estimated at around $3 million in total.
What Happened?
Multiple OpenSea users opened their NFT wallets on Saturday only to find them emptied of valuable assets, including NFTs from the Decentraland, Bored Ape Yacht Club, Cool Cats, and Doodles collections.
More than an hour after the losses were noticed, OpenSea reported an ongoing investigation into what "appears to be a phishing attack originating outside of OpenSea's website."
Soon after, OpenSea CEO Devin Finzer confirmed that the heist was the outcome of a phishing attack in which 32 users of the platform were tricked into signing a malicious payload supplied by the attacker.
It was later determined that the attacker used a standard phishing email mimicking the official one OpenSea had sent just a day before.
The malicious email urged users to migrate their tokens to the new smart contract before Friday, February 25th, claiming that all existing tokens would otherwise expire.
A day before the attack, OpenSea had announced a new smart contract intended to clear inactive NFT listings from its platform. As part of the upgrade, OpenSea users were required to migrate their old and expired NFT listings on the Ethereum blockchain to the new contract. The upgrade was meant to make it harder for bad actors to trick users into signing orders without realizing what was happening.
By the end of 2021, the vast majority of OpenSea transactions (97%) were carried out on the Ethereum network. The marketplace currently offers cross-chain support covering the Ethereum, Polygon and Klaytn blockchains.
OpenSea's CTO Nadav Hollander later commented that none of the malicious orders originated from OpenSea's website or from the company's official emails, and that the orders were unrelated to OpenSea's migration flow.
The attacker thus lured users to an imposter website, where victims signed what appeared to be legitimate orders migrating their NFTs to the new OpenSea contract. The signed messages were in fact valid marketplace orders that the attacker could submit later, transferring the NFTs to the attacker's wallet and giving the bad actors control of nearly $3 million worth of non-fungible tokens.
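The attack worked because a signature request for a marketplace order looks, to the user, exactly like any other "please sign" prompt. The following is an added illustrative example, not code from the article, OpenSea or the Wyvern contract: it triages an EIP-712 `eth_signTypedData_v4` payload the way a wallet or browser extension could before showing the "Sign" button. The `Order` struct, its field names (`maker`, `taker`, `side`, `basePrice`, `expirationTime`, `target`), the domain name, the verifying-contract address, the allowed origin and all wallet addresses are constructed for the example and are not OpenSea's real schema or real addresses. The point it makes is that a phishing page can present a perfectly correct EIP-712 domain (the signature is valid for the real marketplace contract), so the origin that asked for the signature and the economics of the order have to be checked independently.

```python
from dataclasses import dataclass

# Constructed allowlist: what the user's wallet expects for this marketplace.
# Hypothetical values, not OpenSea's real contract, domain name or origin.
EXPECTED_VERIFYING_CONTRACTS = {"0x00000000000000000000000000000000000000aa"}
EXPECTED_DOMAIN_NAME = "Example Marketplace"
EXPECTED_ORIGINS = {"https://marketplace.example"}

ZERO_ADDRESS = "0x" + "00" * 20
SIDE_SELL = 1  # hypothetical encoding used by the constructed Order struct


@dataclass(frozen=True)
class Finding:
    severity: str  # "block" or "warn"
    reason: str


def triage_typed_data(typed_data: dict, signer: str, page_origin: str) -> list:
    """Return findings for an eth_signTypedData_v4 payload before the user signs.

    Checks the EIP-712 domain (which contract the signature is valid for),
    the site origin that requested it, and what the order actually does.
    """
    findings = []
    signer = signer.lower()
    domain = typed_data.get("domain", {})
    msg = typed_data.get("message", {})

    # 1. Where will this signature be accepted? An unexpected verifyingContract
    #    means the prompt is not for the marketplace it claims to be for.
    contract = str(domain.get("verifyingContract", "")).lower()
    if contract not in EXPECTED_VERIFYING_CONTRACTS:
        findings.append(Finding("block", f"domain.verifyingContract {contract or '<missing>'} "
                                         "is not an expected marketplace contract"))
    if domain.get("name") != EXPECTED_DOMAIN_NAME:
        findings.append(Finding("warn", f"domain.name {domain.get('name')!r} differs from "
                                        f"expected {EXPECTED_DOMAIN_NAME!r}"))

    # 2. Who asked? A phishing site can copy the domain fields exactly, so the
    #    requesting origin is checked on its own.
    if page_origin not in EXPECTED_ORIGINS:
        findings.append(Finding("block", f"signature requested by unexpected origin {page_origin}"))

    # 3. What does the order do? Only meaningful for Order payloads.
    if typed_data.get("primaryType") != "Order":
        findings.append(Finding("warn", f"unrecognised primaryType {typed_data.get('primaryType')!r}"))
        return findings

    maker = str(msg.get("maker", "")).lower()
    taker = str(msg.get("taker", ZERO_ADDRESS)).lower()
    price = int(msg.get("basePrice", 0))
    expiry = int(msg.get("expirationTime", 0))

    if maker != signer:
        findings.append(Finding("warn", "maker is not the signing account"))
    if msg.get("side") == SIDE_SELL and price == 0:
        findings.append(Finding("block", "sell order with basePrice 0: gives the asset away for nothing"))
    if taker != ZERO_ADDRESS and taker != signer:
        findings.append(Finding("warn", f"order can only be filled by {taker}: a private sale to one address"))
    if expiry == 0:
        findings.append(Finding("warn", "expirationTime 0: the order never expires on its own"))
    return findings


def verdict(findings) -> str:
    """Collapse findings into the action a wallet would take."""
    if any(f.severity == "block" for f in findings):
        return "block"
    return "warn" if findings else "ok"


# Constructed samples. Addresses are placeholders, not real accounts or contracts.
VICTIM = "0x1111111111111111111111111111111111111111"
ATTACKER = "0x2222222222222222222222222222222222222222"
NFT_CONTRACT = "0x3333333333333333333333333333333333333333"
DOMAIN = {"name": "Example Marketplace", "version": "1", "chainId": 1,
          "verifyingContract": "0x00000000000000000000000000000000000000aa"}

# What a "migrate your listings" phishing page might ask the victim to sign:
# a correct domain, but a zero-price sale that only the attacker can fill.
PHISHING_PAYLOAD = {
    "domain": DOMAIN, "primaryType": "Order",
    "message": {"maker": VICTIM, "taker": ATTACKER, "side": SIDE_SELL,
                "target": NFT_CONTRACT, "basePrice": "0", "expirationTime": 0},
}

# An ordinary listing at a non-zero price, open to any buyer, with an expiry.
LEGIT_PAYLOAD = {
    "domain": DOMAIN, "primaryType": "Order",
    "message": {"maker": VICTIM, "taker": ZERO_ADDRESS, "side": SIDE_SELL,
                "target": NFT_CONTRACT, "basePrice": "1500000000000000000",
                "expirationTime": 1_700_000_000},
}

if __name__ == "__main__":
    for name, payload, origin in [("phishing", PHISHING_PAYLOAD, "https://opensea-migrate.example"),
                                  ("legit", LEGIT_PAYLOAD, "https://marketplace.example")]:
        fs = triage_typed_data(payload, VICTIM, origin)
        print(name, "->", verdict(fs))
        for f in fs:
            print("  ", f.severity, f.reason)
```

Note which checks fire on the constructed phishing payload: the domain checks pass, because the signature really is for the expected contract, and it is the unexpected origin, the zero price and the single permitted taker that give it away. A wallet that only verified the domain would have shown a clean prompt.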
OpenSea later reported that the attack had been active for a number of hours but that no malicious activity had been detected since.
The marketplace promised to continue its investigation and keep users updated. As of Monday, February 21st, OpenSea had narrowed the list of confirmed victims to 17, down from the 32 previously reported.
In the meantime, OpenSea users continue to report drained NFT wallets and accuse the platform of downplaying the attack and minimizing the problem.
Not the First Time
This phishing attack is not the first time OpenSea users have been targeted by malicious actors.
As recently as January 2022, attackers exploited a flaw in the world's largest NFT platform that left old listings active: they bought NFTs at their old, much lower listed prices and immediately resold them at current market prices, generating an instant profit of around 332 ETH (about $800,000 USD).