- The world's leading NFT marketplace confirmed an attack but denied reports that it had been hacked for $200 million worth of NFTs.
- OpenSea co-founder and CEO Devin Finzer said the incident was a phishing attack, not a compromise of the website.
- At least 32 users were tricked into clicking malicious links, and as of this update, attackers have sold about $2.9 million worth of NFTs, the company said.
OpenSea, the world’s largest NFT marketplace, confirmed it is investigating a phishing campaign in which attackers tricked users into surrendering control of non-fungible tokens (NFTs).
Co-founder and CEO Devin Finzer acknowledged the incident but emphasized it was not a breach of OpenSea’s platform. According to Finzer, the activity appears to be a targeted phishing operation, and at least 32 users have had NFTs taken from them after approving malicious transactions.
Finzer also rejected reports that the marketplace suffered a $200 million hack. “As far as we can tell, this is a phishing attack. It does not appear to be the result of OpenSea’s website being compromised. So far, 32 users have signed a malicious payload provided by the attacker and had some of their NFTs stolen,” he said after the attack was reported on Saturday night.
Blockchain security firm PeckShield reached a similar conclusion, finding that the theft stemmed from phishing directed at users’ email addresses and originated outside of OpenSea’s website. According to PeckShield, the exploit occurred when users followed instructions purporting to come from the OpenSea team and approved a “migration” of their NFT listings to a new smart contract.
“Users approved the migration following a phishing email, and that approval unfortunately allowed the hacker to steal valuable NFTs,” PeckShield explained.
Finzer added that some stolen NFTs were quickly sold for ETH, with initial on-chain activity showing roughly $1.7 million realized by the attacker. PeckShield’s updated data on Sunday morning indicated the fraudster had successfully laundered about 1,100 ETH, roughly $2.9 million at the time of reporting.
Among the NFTs traced to the attacker’s address were items from high-profile collections, including Bored Ape Yacht Club, Doodles, Cool Cats, and Azuki.
OpenSea and security researchers continue to monitor the situation and investigate the full scope of the phishing campaign. Users are advised to remain vigilant against suspicious emails, verify URLs carefully, and avoid approving unfamiliar transactions or contract interactions from unknown sources.