NFT marketplace OpenSea is currently investigating an alleged phishing attack that caused dozens of users to lose valuable assets. As reported by Engadget (21/2), the incident began on Saturday night, when someone stole hundreds of NFTs from users of the platform.
Over the course of several hours, attackers targeted 32 accounts and made off with 254 tokens, according to data compiled by the blockchain security service PeckShield. The stolen NFTs included tokens from the Bored Ape Yacht Club and the Azuki collection. According to estimates by Molly White, creator of the blog Web3 is Going Great, the theft netted 641 Ethereum, or about $1.7 million.
“We believe this is a phishing attack,” Devin Finzer, co-founder and CEO of OpenSea said in a tweet. “We don't know where the phishing is happening, but we can rule things out based on our conversations with the 32 affected users.”
As far as we can tell, this is a phishing attack. We don't believe it's connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
According to Finzer, OpenSea itself was not a vector for the attack, nor did the attackers exploit a previously unknown vulnerability in the platform's minting, buying, selling or listing features.
“Interacting with an OpenSea email is not an attack vector,” says Finzer. “In fact, we are not aware of any affected users receiving or clicking links in suspicious emails.”
According to The Verge, the attack likely took advantage of aspects of the Wyvern Protocol, an open-source standard that many Web3 platforms, including OpenSea, use to underpin their smart contracts.
A thread on Twitter suggests those targeted may have signed a partial contract, with a general authorization and large portions left blank, that allowed the attackers to transfer the NFTs to themselves without paying any Ethereum.
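The defensive lesson in the two paragraphs above is that the damage came from what the victims agreed to sign, not from a bug in the marketplace. The following is an added example, not OpenSea or Wyvern code: a wallet-side sanity check that inspects an order before the user signs it and flags the traits a draining order tends to have (assets given away for zero payment, any counterparty allowed, no expiry, bundled assets, blank fields a counterparty could fill in later). The `Order` field names are a simplified, hypothetical shape chosen for illustration; the real Wyvern order structure differs.

```python
"""Pre-signature inspection of a marketplace order (added example, hypothetical schema).

A wallet or browser extension would run this over the decoded payload a site asks
the user to sign, and refuse or warn before the signature is produced.
"""
from dataclasses import dataclass, field

ZERO_ADDRESS = "0x" + "00" * 20
ONE_YEAR = 365 * 86400


@dataclass
class Order:
    maker: str                          # the user being asked to sign
    taker: str                          # counterparty; ZERO_ADDRESS means "anyone"
    sell_assets: list = field(default_factory=list)  # asset ids the maker gives up
    payment_wei: int = 0                # what the maker receives in return
    expiration: int = 0                 # unix time; 0 means the order never expires
    calldata_hex: str = ""              # encoded call the exchange executes; "" = left blank


def assess_order(order: Order, now: int) -> list[str]:
    """Return a list of human-readable warnings; an empty list means nothing suspicious."""
    warnings: list[str] = []
    if order.sell_assets and order.payment_wei == 0:
        warnings.append("gives away assets for zero payment")
    if order.taker == ZERO_ADDRESS:
        warnings.append("open to any taker rather than a specific buyer")
    if order.expiration == 0 or order.expiration > now + ONE_YEAR:
        warnings.append("authorization never expires or lasts longer than a year")
    if len(order.sell_assets) > 1:
        warnings.append(f"bundles {len(order.sell_assets)} assets under one signature")
    if not order.calldata_hex:
        warnings.append("calldata left blank, so the counterparty could fill it in later")
    return warnings


def should_sign(order: Order, now: int) -> bool:
    """Sign only when the order raises no warnings."""
    return not assess_order(order, now)


if __name__ == "__main__":
    # Constructed sample inputs, not real orders.
    now = 1_645_315_200  # 2022-02-20T00:00:00Z
    draining = Order(maker="0xvictim", taker=ZERO_ADDRESS,
                     sell_assets=["BAYC#1", "Azuki#2", "BAYC#3"])
    legit = Order(maker="0xvictim", taker="0xbuyer", sell_assets=["BAYC#1"],
                  payment_wei=80 * 10**18, expiration=now + 7 * 86400,
                  calldata_hex="0xa9059cbb")
    for name, o in (("draining", draining), ("legit", legit)):
        print(name, "->", "OK" if should_sign(o, now) else assess_order(o, now))
```

The check is deliberately conservative: a genuine listing for a fixed price to an open market will trip the "any taker" warning, so in practice the wallet would show the warning list and let the user confirm, while refusing outright only the combination of zero payment and a blank calldata field.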
In addition, OpenSea has recently been involved in controversy because one of its employees resigned after using inside information to profit from the NFT downturn. Fake, plagiarized and spam tokens are also common on the platform.