On Saturday, a hacker carried out a phishing attack to steal potentially hundreds of NFTs, worth a total of $1.7 million, from users of OpenSea, one of the largest NFT marketplaces on the internet. Company officials on Sunday tried to reassure users that it was safe to mint, buy, list, and sell NFTs on OpenSea, although they maintained that an investigation was ongoing.
Over the weekend, OpenSea co-founder and CEO Devin Finzer said that the hacker had tricked 17 victims into signing a malicious payload that authorized the transfer of their NFTs to the attacker for free. While Finzer said the company was confident that this was a phishing attack, he explained that they didn’t know where the phishing had occurred. At the moment, the attack appears to have been carried out from outside OpenSea, according to the company.
The attack occurred during OpenSea’s migration to its new Wyvern smart contract system, which began on Friday and is set to be completed by Feb. 25.
In a Twitter post, the CEO ruled out OpenSea’s website as the origin point of the attack. He added that interacting with an email from OpenSea was not a vector for the attack and that none of the victims reported clicking on links from suspicious emails. Clicking on the site’s banner, signing the new Wyvern smart contract, and using OpenSea’s listing migration tool to move listings to the new Wyvern contract system were determined to be safe, as well.
“We’re actively working with users whose items were stolen to narrow down a set of common websites that they interacted with that might have been responsible for the malicious signatures,” Finzer said on Sunday. “We’ll keep you updated as we learn more about the exact nature of the phishing attack.”
The company’s chief technology officer, Nadav Hollander, also provided a technical rundown of the attack on Sunday. Hollander dismissed the possibility that the attack was linked to the migration to the new Wyvern contract system. He said that the malicious orders had been signed by the victims before OpenSea carried out its migration and “are unlikely to be related to OpenSea’s migration flow.”
The incident unfolded on Saturday over the course of a few hours, which suggests it was a targeted attack.
“32 users had NFTs stolen over a relatively short time period. This is extremely unfortunate, but suggests a targeted attack as opposed to a systemic issue,” Hollander said.
Although the attack appears to have occurred outside OpenSea, Hollander added, the company was “actively helping affected users and discussing ways to provide them additional assistance.”
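Both Finzer's and Hollander's descriptions come down to the same failure: the victims were asked to sign an order that gave their NFTs away for nothing, and nothing in the signing flow flagged it. The following is an added illustration, not OpenSea's or Wyvern's code, of the kind of pre-signature review a wallet or browser extension could apply before a user approves a marketplace order. The order shape (fields `exchange`, `maker`, `taker`, `side`, `priceWei`, `tokenIds`), the trusted-exchange list, and all addresses are hypothetical simplifications constructed for the example; the real Wyvern order struct is not reproduced here.

```javascript
// Added example, not OpenSea's or Wyvern's code. The order fields below are a
// hypothetical simplification of a marketplace sell order, chosen to show the
// checks a wallet could run before asking the user to sign.

const ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Returns { risky, findings }: a list of reasons the order deserves a warning
// before it is signed. An empty list means nothing looked unusual.
function reviewOrderRequest(order, signerAddress, trustedExchanges) {
  const findings = [];
  const trusted = new Set(trustedExchanges.map((a) => a.toLowerCase()));

  // Refuse to reason about an order whose addresses are not even well formed.
  for (const field of ["exchange", "maker", "taker"]) {
    if (!ADDRESS_RE.test(order[field] ?? "")) {
      findings.push(`malformed ${field} address`);
    }
  }
  if (findings.length > 0) return { risky: true, findings };

  if (!trusted.has(order.exchange.toLowerCase())) {
    findings.push("order targets an exchange contract that is not on the trusted list");
  }
  if (order.maker.toLowerCase() !== signerAddress.toLowerCase()) {
    findings.push("maker is not the wallet being asked to sign");
  }
  if (order.side === "sell" && BigInt(order.priceWei) === 0n) {
    findings.push("sell order gives the asset away for zero consideration");
  }
  if (order.side === "sell" && order.taker !== ZERO_ADDRESS) {
    findings.push("sell order is restricted to a single fixed counterparty");
  }
  if (order.side === "sell" && order.tokenIds.length > 1) {
    findings.push(`one signature would list ${order.tokenIds.length} assets at once`);
  }
  return { risky: findings.length > 0, findings };
}

// Constructed sample requests; the addresses are placeholders, not real accounts.
const SIGNER = "0x1111111111111111111111111111111111111111";
const TRUSTED_EXCHANGES = ["0x2222222222222222222222222222222222222222"];

// An ordinary public listing: priced, open to any buyer, one asset.
const normalListing = {
  exchange: "0x2222222222222222222222222222222222222222",
  maker: SIGNER,
  taker: ZERO_ADDRESS,
  side: "sell",
  priceWei: "1000000000000000000", // 1 ETH
  tokenIds: ["42"],
};

// The shape of the problem described in the article: a zero-price transfer of
// several assets to one fixed counterparty, dressed up as a listing.
const suspiciousListing = {
  exchange: "0x2222222222222222222222222222222222222222",
  maker: SIGNER,
  taker: "0x3333333333333333333333333333333333333333",
  side: "sell",
  priceWei: "0",
  tokenIds: ["42", "43", "44"],
};

function demo() {
  return {
    normal: reviewOrderRequest(normalListing, SIGNER, TRUSTED_EXCHANGES),
    suspicious: reviewOrderRequest(suspiciousListing, SIGNER, TRUSTED_EXCHANGES),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The check is deliberately a heuristic rather than a blocklist: a private sale to a fixed taker or a bulk listing can be legitimate, so each finding is surfaced as a warning the user must read rather than a hard refusal. The zero-consideration case is the one that should never pass silently, since a signature over such an order is exactly the authorization the attacker needed.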
Update 2/21/2022, 10:07 p.m. ET: OpenSea on Monday narrowed the list of impacted users from 32 to 17 and said the attack did not appear to be active at this time.
“We’ve narrowed down the list of impacted individuals to 17, rather than the previously mentioned 32,” the company wrote on Twitter. “Our original count included anyone who had *interacted* with the attacker, rather than those who were victims of the phishing attack.”
OpenSea has not yet determined the exact source of the attack but maintained it was continuing to work around the clock to investigate.