NFT Phishing Hack
NFT marketplace OpenSea is investigating a “phishing attack” that no longer appears to be active, the company’s chief executive said late Saturday.
On Saturday, attackers stole hundreds of NFTs from OpenSea users, causing a late-night panic among the site’s broad user base. A spreadsheet compiled by the blockchain security service PeckShield counted 254 tokens stolen over the course of the attack, including tokens from Decentraland and Bored Ape Yacht Club.
“We don’t believe it’s connected to the OpenSea website,” Devin Finzer, OpenSea’s chief executive officer, said on Twitter. “It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.”
OpenSea was in the process of updating its contract system when the attack took place, but the company has denied that the attack originated with the new contracts. The relatively small number of targets makes such a vulnerability unlikely, since any flaw in the broader platform would likely be exploited on a far greater scale.
According to PeckShield, a blockchain security company that audits smart contracts, the rumored exploit was “most likely phishing,” an attack in which a malicious contract is hidden behind a spoofed link.
One possible source of the link, according to the company, was a mass email about the migration process that had been sent out earlier.
The attacker’s wallet holds 641 Ethereum, worth approximately $1.7 million, as well as a selection of the stolen NFTs.