Hundreds of non-fungible tokens (NFTs) have been stolen from the accounts of OpenSea users after a series of successful phishing attacks, it has emerged.
The NFT marketplace was alerted to the issue over the weekend when a handful of customers discovered tokens missing from their wallets. Word of the incident quickly spread, causing a stir in the NFT community.
In an attempt to calm the panic, OpenSea chief executive Devin Finzer took to Twitter (opens in new tab), explaining that the attacks were not the result of a security vulnerability in the platform, but rather a phishing campaign targeting NFT owners.
We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.
A list (opens in new tab) compiled by blockchain security company PeckShield suggests that more than 250 NFTs were stolen, including items from popular collections such as Bored Ape Yacht Club. Although some have since been recovered, wallet analysis shows the stolen tokens have earned the attacker roughly $1.7 million in sell-on value.
OpenSea NFTs stolen
NFTs are representations of digital properties such as images or videos, often described as digital collectibles. What makes them different from traditional collectibles (for example, Fortnite skins) is that each NFT has a distinct signature that demonstrates its uniqueness and allows for ownership of the associated asset to be verified and traced.
Once the playtoy of an enthusiast minority, NFTs now change hands for many millions of dollars over platforms like OpenSea, which is itself valued at $13 billion.
Inevitably, the valuations of the NFTs exchanged over OpenSea and the notoriety of the marketplace have attracted increased attention from hackers. In the last few months, the company has had to close off security bugs that allowed hackers to purchase NFTs for well below value and create malicious tokens that could drain the crypto wallets of victims.
Now, OpenSea is facing down another security issue, the details of which still remain murky.
“Our team has been working around the clock to investigate the specific details of this phishing attack,” explained OpenSea (opens in new tab) via its official Twitter account.
“We’ve narrowed down the list of impacted individuals to 17, rather than the previously mentioned 32. Our original count included anyone who had interacted with the attacker, rather than those who were victims of the phishing attack.”
However, the precise mechanism of the attack remains unclear. Early signs point towards a manipulation of the Wyvern Protocol on which most NFT smart contracts are built. According to a Twitter thread (opens in new tab) referenced by Finzer, the attacker tricked the victims into signing half of a Wyvern order, allowing for their NFTs to be transferred to a new wallet without payment.
Finzer says there is no evidence the affected users had been targeted via email, and the identity of the website used to facilitate the attack remains a mystery.
The advice for concerned OpenSea users is to “double check you are interacting with opensea.io in your browser when you sign messages” and to “un-approve access to your NFT collection” via Etherscan (opens in new tab).
TechRadar Pro has asked OpenSea whether it has plans to put in place measures to prevent users from falling victim to similar phishing scams in future.