Hacker Uses Phishing Attack to Steal $1.7 Million in NFTs from OpenSea

On Saturday, a hacker stole non-fungible tokens (NFTs) worth more than $1.7 million from OpenSea users in a phishing attack, taking 254 NFTs, including Decentraland and Bored Ape Yacht Club (BAYC) tokens.

The attacker tricked the targets into signing a partial contract that gave the attacker complete control, in effect having the targets sign a blank check.

OpenSea co-founder and CEO Devin Finzer stressed that OpenSea’s website was not the origin point of the attack. Interacting with an email from OpenSea was also not a vector for the attack, and none of the victims reported clicking on links from suspicious emails.

He noted that “Clicking on the site’s banner, signing the new Wyvern smart contract, and using OpenSea’s listing migration tool to move listings to the new Wyvern contract system were determined to be safe, as well.” 

“We’re actively working with users whose items were stolen to narrow down a set of common websites that they interacted with that might have been responsible for the malicious signatures,” Finzer said.  

“We’ll keep you updated as we learn more about the exact nature of the phishing attack,” he added.  

The company’s chief technology officer, Nadav Hollander, also provided a technical rundown of the attack on Sunday. Hollander ruled out the possibility that the attack was linked to the migration to the new Wyvern contract system.

He said that the malicious orders had been signed by the victims before OpenSea carried out its migration and “are unlikely to be related to OpenSea’s migration flow.”

OpenSea has become one of the most respected platforms in the industry since the NFT boom. It offers an open market for users to list, browse, and bid on NFTs, but its recent success has brought some security risks with it.

It is worth mentioning that the company has encountered vulnerabilities that let hackers steal from its users. The attack happened while OpenSea was migrating to the new Wyvern system.

“32 users had NFTs stolen over a relatively short time period. This is extremely unfortunate but suggests a targeted attack as opposed to a systemic issue,” Hollander said.