OpenSea Investigating Alleged Phishing Attack That Stole $1.7 Million in NFTs

OpenSea, a platform where users can buy, sell and display NFTs and other crypto-based digital assets, is now probing what it believes was a phishing attack on Saturday that stole an estimated value of US$1.7 million in NFTs. Blockchain security firm PeckShield said a total of 254 tokens were stolen in the attack.

Credit: Blockworks

“We don’t believe it’s connected to the OpenSea website,” said CEO Devin Finzer on Twitter. “It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.”

The Verge notes that the attack likely exploited an aspect in the Wyvern Protocol, the decentralised standard that facilitates digital asset exchanges. Web3 platforms like OpenSea typically use this standard for the buying and selling of NFTs, and Finzer suggests the victims may have signed a partial agreement that allowed the attackers to transfer the tokens without any payment. Twitter user Neso backed up his claim, pointing out that all the transactions in question had the signatures of the victims.

Not much else is known about the attack yet, but Finzer emphasized that OpenSea was not a vector for it. The platform only recently had introduced a new contract system and asked users to start migrating their assets. However, it’s unlikely that this caused the attack because if there were any vulnerabilities in the new system, it would have been exploited to a greater scale, according to The Verge.

Finzer added that the platform’s listing systems and emails are also not to blame.

A number of the stolen NFTs have since been returned, and no other suspicious activity has been detected from the attacker’s account. Among the stolen NFTs include tokens from Bored Ape Yacht Club and Azuki collections.

  • OpenSea is now investigating an alleged phishing attack that stole hundreds of NFTs with a total estimated value of US$1.7 million.

  • Some of the stolen tokens have since been returned, and no other suspicious activity was detected from the attacker's account.

  • OpenSea CEO Devin Finzer said his platform was not a vector for the attack.