OpenSea Hit by Phishing Attack: Users Losing NFTs

  • Leading global NFT marketplace acknowledged an attack but denied that hackers stole $200 million worth of NFTs.
  • OpenSea co-founder and CEO Devin Finzer confirmed the incident was a phishing attack, not a breach of its website.
  • He said at least 32 users were tricked into clicking a malicious link, and the attacker had sold about $2.9 million worth of NFTs at the time of the update.

OpenSea, the world’s largest NFT marketplace, announced it is investigating a phishing attack that resulted in the theft of non-fungible tokens (NFTs) from user accounts.

Co-founder and CEO Devin Finzer confirmed the platform experienced an attack but emphasized it was not a platform-wide security breach; rather, the incident stemmed from phishing. According to Finzer, at least 32 users lost NFTs after being targeted by the attacker.

Finzer also said rumors that OpenSea had been hacked for $200 million were inaccurate.

“So far we can say this was a phishing attack. We do not believe this was related to the OpenSea website. It appears that 32 users have been harmed so far by a malicious link from the attacker, and some of their NFTs were stolen,” he said Saturday evening following reports of the incident.

Blockchain security firm PeckShield reached a similar conclusion, finding the theft resulted from a phishing campaign that targeted users’ email addresses. The firm noted the attack occurred “off the OpenSea website.”

The compromise happened when users “migrated” their NFT listings to a new smart contract, following instructions in what proved to be a phishing email from the attacker, the OpenSea team said in an announcement.

“Users approved the ‘migration’ as instructed in the phishing email, and the authorization unfortunately enabled the hacker to steal valuable NFTs…,” PeckShield explained.

Finzer said the attacker managed to sell some of the stolen NFTs for ETH, which at that time amounted to about $1.7 million.

A PeckShield update posted early Sunday reported that the scammer had laundered roughly 1,100 ETH, approximately $2.9 million at then-current rates.

“The @opensea scammer just made use of @TornadoCash to wash 1,100 ETH…”

— PeckShield Inc. (@peckshield) February 20, 2022

Among the NFTs traced to the attacker’s address were pieces from Bored Ape Yacht Club, Doodle, Cool Cats and Azuki.