A phishing attack on users of OpenSea, the world’s largest NFT (non-fungible token) marketplace, resulted in NFTs worth millions of dollars being taken from their accounts. The organisation has been investigating the attack since then, and according to its most recent update, the phishing campaign originated outside of the OpenSea website.
On Sunday, the attack targeted a number of NFTs on OpenSea, including several from well-known collections such as Bored Ape Yacht Club and Mutant Ape Yacht Club. The targeted NFTs were those about to be delisted from the platform as it switched from the Ethereum blockchain to a new smart contract. The platform had set a one-week timeframe for this migration.
The urgency of the changeover gave the attackers an opening to run a phishing campaign against NFT holders. They sent phishing emails to OpenSea NFT holders, claiming that the emails and the fake webpage they linked to were portals for users to get their NFTs listed on the new smart contract. Once users authorised the supposed migration through the fraudulent page, their NFTs were transferred to the attackers.
According to a report by The Vice, which drew on blockchain data, the attacker was able to move many NFTs to their own address. After selling some of them, the attacker’s wallet held more than 600 Ethereum, worth around $1.7 million, from the stolen NFTs.
Devin Finzer, co-founder and CEO of OpenSea, first acknowledged the incident in a tweet, stating that the company was in contact with all affected users. At the time, a total of 32 users were believed to have fallen victim to the phishing attack. However, the company’s most recent update cuts this number to 17 users.
In the tweet, the company explains the reduction in numbers. The earlier tally “included everyone who had interacted with the attacker,” according to the report, whereas the more recent count more accurately reflects the accounts that were genuinely victims of the phishing attack.
According to OpenSea’s recent updates, the attack “does not appear to be active at this moment.” Its investigation found that the malicious contract had been idle for over 15 hours.