World’s leading NFT marketplace acknowledged an attack but denied it had been hacked for $200 million worth of NFTs.
OpenSea co-founder and CEO Devin Finzer confirmed this was a phishing attack and not a breach on its website.
He said that at least 32 users had been duped into clicking a malicious link.
Blockchain security firm PeckShield said the attacker managed to “wash” $2.9 million worth of NFTs at the time of this update.
OpenSea, the world’s largest NFT marketplace, has said its investigating a phishing attack that saw attacker(s) steal non-fungible tokens (NFTs) from users.
While the platform’s co-founder and CEO Devin Finzer confirmed there had been an attack, he said it was not a network-wide breach but a phishing attack. According to Finzer, at least 32 users had lost their NFTs to the attacker.
The OpenSea chief said that rumours of a $200 million hack on the leading NFT marketplace were false.
“As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen,” he noted on Saturday night following reports of the attack.
Peckshield appeared to come to the same conclusion that the theft resulted from a phishing attack involving user email addresses. The attack originated “outside of OpenSea’s website,” the firm noted.
The “exploit” happened as users ‘migrated’ their NFT listings to a new smart contract as notified by the OpenSea team.
“Users authorize[d] the “migration” as instructed in the phishing email and the authorization unfortunately allows the hacker to steal the valuable NFTs…,” Peckshied explained.
Finzer said that the attacker had managed to sell some of the stolen NFTs for ETH, amounting to about $1.7 million at the time.
An update from blockchain security and data analytics firm Peckshield on Sunday morning showed the scammer had managed to wash about 1,100 ETH, amounting to roughly $2.9 million.
— PeckShield Inc. (@peckshield) February 20, 2022
Among the stolen NFTs traced to the attacker’s address were pieces from Bored Ape Yacht Club, Doodle, Cool Cats, and Azuki.