Nearly $2 million worth of NFTs stolen from OpenSea accounts
OpenSea says 32 users had NFTs stolen as part of a targeted phishing campaign that scammed them into signing malicious smart contracts
Over the weekend, a small number of users on OpenSea, a trading platform for non-fungible tokens, or NFTs, discovered that they’d been the target of a hack. Over a few hours on Saturday, a hacker shifted nearly $3 million worth of NFTs, lifted from 32 OpenSea users, to their own wallet.
OpenSea thinks this was a phishing attack, although at the time it was investigating rumors of a bug in its smart contract system, which pins ownership of individual NFTs to the blockchain.
Allegedly, the hacker patiently collected signatures through phishing emails, starting about a month ago. Instead of upgrading an OpenSea smart contract to the new version, the signature the phish collects approves a private sale to the hacker. The hacker then fills in the blank sections of the sale, transferring the stolen NFTs to their own wallet.
In a long-winded Twitter thread, Devin Finzer, OpenSea’s co-founder and CEO, explains details surrounding the hack.
It’s worth pointing out that the phishing attack may not have come from an email. Some of the affected users say they never clicked on any email links, and even showed a video of them scrolling through their inbox.
That’s the current state of investigations into the hack, with OpenSea continuing its own root cause investigation.
If you’re an OpenSea user and are worried about your holdings, it’s best to play it safe. Revoke all token approvals for any OpenSea smart contracts. That’s probably the smart play here, as the exploit the hacker used is expiring later this week.