OpenSea accounts hacked: NFTs worth $1.7 million stolen from world's largest NFT marketplace
India Today
NFT marketplace OpenSea saw several of its users hit by a phishing attack after the platform announced its plans to migrate to a new smart contract. OpenSea is now investigating the attack, which appears to have been inactive for more than 15 hours.
Users of OpenSea, the world's largest NFT (non-fungible token) marketplace, have been hit by a phishing attack that saw NFTs worth millions of dollars stolen from their accounts. The company has since been investigating the attack, and according to its latest update, it says this was a phishing attack that originated outside of the OpenSea website.
The attack targeted a series of NFTs on OpenSea on Sunday, including some from famous collections such as Bored Ape Yacht Club, Mutant Ape Yacht Club, and others. The targeted NFTs were the ones that were soon to be delisted from the platform following its migration to a new smart contract from the previous Ethereum blockchain. The platform had announced a one-week deadline for this migration.
The urgency of the transition created a window of opportunity for the hackers to launch a phishing attack on the NFT holders. They sent fraudulent emails to OpenSea NFT holders, under the pretext that the emails and the fake webpage linked in them were the gateway for users to get their NFTs listed on the new smart contract. When users authorized the transition through the fraudulent email, their NFTs were transferred to the attackers.
A report by The Vice points to blockchain records to show that the attacker was able to transfer numerous NFTs this way to their own address. After having sold some of the NFTs, the attacker's wallet contained more than 600 Ethereum, worth about $1.7 million, from the stolen NFTs.
OpenSea co-founder and CEO Devin Finzer first acknowledged the attack through a tweet, mentioning that the team was in touch with all the affected users. At the time, a total of 32 users were said to be victims of the phishing attack. The latest update by the company, however, reduces this number to 17 users.
The company justifies the drop in numbers within the tweet. It states that the original count "included anyone who had interacted with the attacker," while the recent count more accurately represents the accounts that were actually victims of the phishing attack.
Among its latest updates, OpenSea shared that the attack "does not appear to be active at this time." Its investigation found that there had been no activity on the malicious contract in over 15 hours.