OpenSea is investigating an NFT phishing attack that caused more than two dozen of the service's users to lose access to some of their most valuable NFTs.
According to Engadget, in the incident, which was reported late on February 19, the attacker targeted 32 accounts and obtained 254 NFTs. Among the stolen NFTs were items from the Bored Ape Yacht Club and Azuki collections. An estimate by Molly White puts the value of the stolen NFTs at around 641 Ethereum, or about $1.7 million.
“We believe this is a phishing attack. We don’t know where the scam happened, but we can rule out a few things based on our conversations with the 32 affected users,” OpenSea co-founder and CEO Devin Finzer said after the attack occurred.
Finzer said OpenSea determined that its website was not a vector for the attack, nor did anyone exploit an unknown vulnerability related to NFTs on the platform. According to Finzer, interacting with OpenSea emails was not the means of attack either, as none of those affected have reported receiving or clicking on links in suspicious emails.
A report from The Verge said that the attack could have leveraged an aspect of the Wyvern Protocol, the open source standard that underpins most NFT smart contracts, including those executed on OpenSea. A Twitter thread suggests that those targeted in the phishing campaign may have signed a partial agreement that would have allowed an attacker to transfer NFTs without needing any Ethereum for execution.
The source of the attack has yet to be identified, but it happened at a sensitive time for OpenSea, just a day after the company introduced a “new smart contract” and required users to move their assets. The company has also been the subject of recent controversy from a former OpenSea employee showing the prevalence of fake, copied, or spam NFTs on the platform.