NFTs worth $1.7M stolen through OpenSea phishing campaign

A phishing attack against NFT collectors who used OpenSea resulted in the theft of 254 tokens, worth an estimated $1.7 million, over a three-hour period.

When OpenSea learned on Saturday that smart contracts were linked to the non-fungible token market, it acted quickly. Further investigation determined that users had been the victims of a standard phishing scam.

OpenSea users received emails that appeared to be community updates urging them to convert their Ethereum listings to a new smart contract. The phishing email took advantage of the fact that OpenSea had released its own legitimate smart contract just the day before.

According to CEO Devin Finzer on Twitter, the phishing attempt does not appear to be related to the OpenSea website itself and was carried out by a third party. Only 32 individuals appear to have been affected by the email, which led to the victims turning over their NFTs to the attacker in exchange for a contract containing a harmful payload.

According to an explanatory thread that Finzer linked to, at least one explanation suggests the victims signed a Wyvern order, an open-source standard often used in NFT smart contracts. Only call data and a target of the attacker’s agreement were included in the order, which was signed by both parties.

As soon as both parties sign and double-sign the order, the attacker calls their own NFT transfer contract, which then begins the transfer procedure.

Some of the stolen NFTs have been returned, while others have been sold by the hacker. The attacker’s wallet was found to contain Ethereum worth $1.7 million, a far cry from the $200 million rumoured to exist.

OpenSea is currently investigating the attack and is still trying to figure out precisely how it happened.
