Hackers Stole NFTs from OpenSea
Malicious actors took advantage of a smart contract upgrade process in the OpenSea NFT marketplace to carry out a phishing attack against 17 of its users that resulted in the theft of virtual assets worth about $1.7 million.
NFTs, short for non-fungible tokens, are digital tokens that act like certificates of authenticity for, and in some cases represent ownership of, assets that range from expensive illustrations to collectibles and physical goods.
The opportunistic social engineering scam swindled the users by using the same email from OpenSea notifying users about the upgrade, with the copycat email redirecting the victims to a lookalike webpage, prompting them to sign a seemingly legitimate transaction, only to steal all the NFTs in one go.
OpenSea’s “Wyvern” smart contract migration, which commenced on February 18 over a seven-day period until February 25 at 2:00 PM ET, is part of the New York City-based firm’s efforts to address old, existing inactive listings on the Ethereum blockchain.
The company said it’s still investigating the exact source of the attack, noting that the malicious orders had been signed by the victims before OpenSea carried out its migration. “The attack does not appear to be active at this time. There has been no activity on the malicious contract in >15 hours,” OpenSea said in an update.
According to a spreadsheet compiled by blockchain security firm PeckShield, the malicious actor made off with 254 NFTs from the attack, including some Bored Ape Yacht Club NFTs. Although OpenSea estimates that around $1.7 million worth of NFTs was stolen, PeckShield’s list puts the cumulative worth at around $3 million. Meanwhile, Dune Analytics user Jelilat claims that the most NFTs stolen during the attack were 37 Azukis.
From all indications, it appears the phishing attack had nothing to do with the OpenSea platform. By authorizing “migration” as instructed in the phishing email, users were basically signing the transactions to steal their NFTs.
Users were directed to a fraudulent site through phishing emails. They then signed approvals with Wyvern Exchange that gave the attackers control over their NFTs.
Hackers Stole NFTs from OpenSea