Hackers Steal $1.7 Million Worth of NFTs from OpenSea Users

Last weekend, hackers carried out a phishing attack targeting users of OpenSea, one of the largest NFT marketplaces, and stole NFT tokens worth $1.7 million. Despite an ongoing investigation, the company assures users that minting, buying, listing, and selling NFTs on OpenSea is currently safe.

How the Attack Happened

According to OpenSea co-founder and CEO Devin Finzer, the attackers managed to trick 32 people into signing a payload that allowed their NFTs to be transferred to the scammers for free. While the company believes the victims fell for a phishing scheme, the exact details of the scam remain unknown. It appears the attack was carried out outside of the OpenSea platform.

Timing and Platform Migration

The attack occurred during OpenSea’s migration to a new Wyvern smart contract system, which began on February 18 and was scheduled to end on February 25. Finzer stated on Twitter that the OpenSea website was not the starting point of the attack. Interaction with emails from OpenSea was also ruled out as a vector, since none of the victims clicked on suspicious links. Clicking on the banner on the site to sign the new Wyvern smart contract, as well as using OpenSea’s migration tool, is completely safe according to the company.

Ongoing Investigation

OpenSea is currently interviewing affected users to narrow down which external sites they interacted with that may have led to the loss of their NFTs.

Expert Opinion

Nadav Hollander, OpenSea’s Chief Technology Officer, believes the incident is not related to the migration to the new smart contract system. “NFTs were stolen from 32 users in a relatively short period of time. It’s a major setback, but all evidence points to this being a targeted attack, not a system-wide issue,” Hollander said.