Devin Finzer, co-founder and CEO of non-fungible token (NFT) marketplace OpenSea, confirmed via Twitter that its users were hit by a phishing attack last February 19. Phishing is a type of social engineering attack often used to steal user data.
According to him, the attacker exploited the flexibility of the decentralized exchange protocol OpenSea uses (the Wyvern Protocol) and stole 254 NFTs worth $1.7 million in a span of three hours.
“As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen,” Finzer tweeted.
The initial report of 32 affected users was later revised to 17; 15 of the initial count had interacted with the attacker but had not lost tokens as a result.
According to a spreadsheet compiled by the blockchain security service PeckShield, the stolen assets include high-value NFTs from Bored Ape Yacht Club, Azuki, Doodles, and CloneX.
Finzer explained the attack in two parts. First, the victims signed a partial contract with a general authorization and large portions left blank. Second, the attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment. In simpler terms, the victims likely signed a blank check, and the attackers then filled in the rest to take their assets.
“The attack no longer seems to be active, but we are continuing to monitor. We have not seen activity from the attacker’s wallet in >36 hours.” - OpenSea
Finzer also shared that some of the stolen NFTs have been returned and assured that the company is conducting an in-depth investigation into the incident.
OpenSea is currently the largest NFT marketplace in the world, valued at around $13.3 billion as of January 2022. According to DappRadar, daily trading activity on OpenSea is between $100M and $200M, with $3.68 billion worth of NFT transactions occurring in the past 30 days alone.
Last September, OpenSea was involved in another fiasco when an employee used insider knowledge from working at the company to purchase NFTs that were about to be posted to the popular trading site’s homepage. Flipping the upcoming homepage NFTs, which would likely go up in price, earned the employee thousands of dollars. (Read more: OpenSea Employee Out After Insider NFT Flipping Allegations)
This article is published on BitPinas: Phishing Attack on OpenSea Users Steals $1.7 million in NFTs