Hundreds of non-fungible tokens (NFTs) have been stolen from OpenSea user accounts after a series of successful phishing attacks.
The NFT market was alerted to the issue over the weekend when a handful of customers discovered that tokens were missing from their wallets. News of the incident spread quickly, causing a stir in the NFT community.
In an attempt to quell the panic, OpenSea CEO Devin Finzer took to Twitter, explaining that the attacks were not the result of a security breach in the platform, but rather a phishing campaign targeting NFT owners. .
A list compiled by blockchain security firm PeckShield suggests that more than 250 NFTs have been stolen, including items from popular collections like the Bored Ape Yacht Club. Although some have since been recovered, analysis of the wallet shows that the stolen tokens earned the attacker around €1.7 million in sales value.
Stolen OpenSea NFTs
NFTs are representations of digital properties, such as images or videos, often described as digital collectibles. What sets them apart from traditional collectibles (for example, Fortnite skins) is that each NFT has a distinct signature that proves its uniqueness and allows ownership of the associated asset to be verified and tracked.
Once the toy of a minority of enthusiasts, NFTs are now changing hands for millions of dollars on platforms like OpenSea, which is valued at €13bn.
Inevitably, the valuations of NFTs traded on OpenSea and the notoriety of the market have attracted the attention of hackers. In recent months, the company had to close down security bugs that allowed hackers to buy NFTs for much less than their value and create malicious tokens that could drain victims' crypto wallets.
Now OpenSea faces another security issue, the details of which are still unclear.
"Our team has been working tirelessly to investigate the specific details of this phishing attack," OpenSea explained through its official Twitter account.
“We have reduced the list of affected people to 17, down from the 32 mentioned above. Our initial count included anyone who interacted with the attacker, rather than those who fell victim to the phishing attack."
However, the precise mechanism of the attack remains unclear. Early signs point to manipulation of the Wyvern protocol on which most NFT smart contracts are built. According to a Twitter thread referenced by Finzer, the attacker tricked victims into signing half of a Wyvern order, allowing their NFTs to be transferred to a new wallet without payment.
Finzer says there is no evidence that the affected users were attacked via email, and the identity of the website used to facilitate the attack remains a mystery.
The advice for affected OpenSea users is to "verify that you are interacting with opensea.io in your browser when signing messages" and "disallow access to your NFT collection" via Etherscan.
TechRadar Pro asked OpenSea if it plans to implement measures to prevent users from falling victim to similar phishing scams in the future.