NFTs Have Been Stolen From OpenSea Users


OpenSea, arguably the world’s largest NFT exchange, has been caught up in a major theft of users’ NFTs, which the company says it is confident was the result of a phishing attack.

The result is millions of dollars’ worth of non-fungible tokens being taken from OpenSea users’ wallets.

Over the weekend, OpenSea co-founder and CEO Devin Finzer said that the hacker had tricked 32 victims into signing a malicious payload that authorised the transfer of their NFTs to the attacker for free. While Finzer said the company was confident that this was a phishing attack, he explained that they didn’t know where the phishing had occurred. At the moment, the attack appears to have been carried out from outside OpenSea, according to the company.

The attack occurred during OpenSea’s migration to a new version of its Wyvern smart contract system, which retires the existing 2.2 contract. The migration began on Friday and is set to be completed by Feb. 25.

In a Twitter post, the CEO ruled out OpenSea’s website as the origin point of the attack. He added that interacting with an email from OpenSea was not a vector for the attack and that none of the victims reported clicking on links from suspicious emails. Clicking on the site’s banner, signing the new Wyvern smart contract, and using OpenSea’s listing migration tool to move listings to the new Wyvern contract system were determined to be safe, as well.

“We’re actively working with users whose items were stolen to narrow down a set of common websites that they interacted with that might have been responsible for the malicious signatures,” Finzer said on Sunday. “We’ll keep you updated as we learn more about the exact nature of the phishing attack.”

The company’s chief technology officer, Nadav Hollander, also provided a technical rundown of the attack on Sunday. Hollander discarded the possibility that the attack was linked to the migration to the new Wyvern contract system. He said that the malicious orders had been signed by the victims before OpenSea carried out its migration and “are unlikely to be related to OpenSea’s migration flow.”

The incident, which occurred on Saturday over the course of a few hours, suggests this was a targeted attack.

“32 users had NFTs stolen over a relatively short time period. This is extremely unfortunate, but suggests a targeted attack as opposed to a systemic issue,” Hollander said.

Although the attack appears to have occurred outside OpenSea, Hollander added, the company was “actively helping affected users and discussing ways to provide them additional assistance.”

Stolen NFTs included examples from the Bored Ape Yacht Club and Mutant Ape Yacht Club.

As reported by VICE, blockchain records show that the attacker was able to transfer numerous NFTs from different users to their own address for free. The attacker has already sold some of the NFTs, for example an NFT from the Azuki collection for 13.4 ETH ($US36,380). The attacker’s wallet currently contains more than 600 ETH (worth over $2 million).

In his Twitter thread, Hollander also noted that all of the malicious orders in question had been signed before the platform was migrated, and reiterated that a small number of victims in a short window points to a targeted attack rather than a systemic issue.

“This information, coupled with our discussions with impacted users and investigation by security experts, suggests a phishing operation that was executed ahead of the deprecation of the 2.2 contract given the impending invalidation of these collected malicious orders.”
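The two technical points in the thread, that a victim signs an order whose contents the wallet never showed them, and that such an order dies with the contract it was written for, can be shown in a toy model. The following Python is an added illustration written for this article, not OpenSea or Wyvern code: it implements a minimal ECDSA signer and recoverer over secp256k1 so it runs on the standard library alone, uses sha3_256 as a stand-in for keccak256, hashes a simplified JSON order instead of the real ABI encoding, derives the nonce from a plain hash rather than RFC 6979, and uses constructed addresses, keys and token ids. Like a Wyvern order, the modelled order carries the address of the exchange contract it is meant for, which is what makes a signature collected for the retired 2.2 contract worthless against its replacement.

```python
"""Toy model of a Wyvern-style off-chain signed NFT sell order.

Added illustration, not OpenSea or Wyvern code.  Assumptions: secp256k1 ECDSA
is implemented from scratch so this runs on the standard library alone,
sha3_256 stands in for keccak256, the order is hashed as canonical JSON rather
than ABI-encoded, the nonce is a simple hash rather than RFC 6979, and all
addresses, keys and token ids are constructed sample values.
"""
import hashlib
import json

P = 2**256 - 2**32 - 977                      # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):
    """Affine point addition on secp256k1 (None is the point at infinity)."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def _mul(k, p):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p, k = _add(p, p), k >> 1
    return r

def _h(data: bytes) -> bytes:
    return hashlib.sha3_256(data).digest()    # keccak256 stand-in (assumption)

def address(pub) -> str:
    """Ethereum-style address: last 20 bytes of the hash of the public key."""
    return "0x" + _h(pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big"))[-20:].hex()

def sign(priv: int, digest: bytes):
    """ECDSA over a 32-byte digest, returning (r, s, v) in low-s form with a recovery bit."""
    z = int.from_bytes(digest, "big")
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + digest).digest(), "big") % N or 1
    x, y = _mul(k, G)
    r = x % N
    s = pow(k, -1, N) * (z + r * priv) % N
    v = y & 1
    if s > N // 2:                            # normalise to low-s; flip parity to match
        s, v = N - s, v ^ 1
    return r, s, v

def recover(digest: bytes, sig):
    """Recover the signer's public key as ecrecover does on-chain: Q = r^-1 (sR - zG)."""
    r, s, v = sig
    z = int.from_bytes(digest, "big")
    y = pow((pow(r, 3, P) + 7) % P, (P + 1) // 4, P)
    if y & 1 != v:
        y = P - y
    rinv = pow(r, -1, N)
    return _add(_mul(s * rinv % N, (r, y)), _mul(-z * rinv % N, G))

def order_hash(order: dict) -> bytes:
    """Digest over the whole order, including which exchange contract it is for."""
    return _h(json.dumps(order, sort_keys=True).encode())

def exchange_accepts(exchange: str, order: dict, sig) -> bool:
    """The matching contract's two checks: the order names me, and the maker signed it."""
    if order["exchange"] != exchange:
        return False
    return address(recover(order_hash(order), sig)) == order["maker"]

OLD_EXCHANGE = "0x" + "22" * 20               # constructed stand-in: contract being retired
NEW_EXCHANGE = "0x" + "23" * 20               # constructed stand-in: replacement contract
ATTACKER = "0x" + "bad0" * 10                 # constructed attacker address

def demo() -> dict:
    victim_priv = int.from_bytes(bytes(range(1, 33)), "big")   # constructed key
    victim = address(_mul(victim_priv, G))
    # The order a phishing page presents to the wallet only as a 32-byte hash to sign:
    malicious = {"exchange": OLD_EXCHANGE, "maker": victim, "taker": ATTACKER,
                 "token": "0x" + "ab" * 20, "tokenId": 1234, "price_wei": 0}
    sig = sign(victim_priv, order_hash(malicious))
    # An attacker trying to carry the already-signed order over to the new contract:
    carried_over = dict(malicious, exchange=NEW_EXCHANGE)
    return {
        "old_contract_accepts": exchange_accepts(OLD_EXCHANGE, malicious, sig),
        "new_contract_rejects_original": not exchange_accepts(NEW_EXCHANGE, malicious, sig),
        "new_contract_rejects_carried_over": not exchange_accepts(NEW_EXCHANGE, carried_over, sig),
        "price_authorised_wei": malicious["price_wei"],
    }

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the old contract accepting the zero-price order, the new contract rejecting it because it names a different exchange, and rejecting it again once the exchange field is edited because the signature no longer recovers to the maker. The practical lesson sits in the first result: a wallet prompt that shows only a 32-byte hash gives the signer no way to distinguish a zero-price sale to an attacker from a legitimate listing, which is why wallets and marketplaces have moved toward typed-data signing that displays the order fields before the user approves.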

VICE reports that there are indications that the hacker is giving some of their ill-gotten goods back. In one instance, the hacker stole numerous NFTs from one user including one valuable BAYC NFT. The hacker returned all the NFTs except the BAYC, which is currently frozen on OpenSea.

The total value of the NFTs stolen from OpenSea users is not clear, with reports ranging from $1.7 million to a whopping $200 million.

This article has been updated since it was first published and we’ll make further updates as we learn more.