OpenSea phishing scam robs users of over $1.7 million worth of NFTs: here are the details
A phishing scam orchestrated against OpenSea users has seen 32 of their NFTs stolen after they signed them over to a malicious smart contract. The attacker(s) took advantage of the fact that the marketplace is asking its users to move their collectibles to a new smart contract.
On February 19, hundreds of non-fungible tokens (NFTs), worth at least $1.7 million, disappeared from the wallets of OpenSea users.
According to the platform’s co-founder and CEO, Devin Finzer, what happened was a phishing attack. A total of 32 users signed the attacker’s malicious payload between 5 and 8 p.m. on Saturday.
OpenSea is currently in the process of requiring its users to migrate their NFTs from the Ethereum blockchain to a new smart contract. The victims are said to have received emails from someone posing as the OpenSea team. Similar to OpenSea’s legitimate request, they were asked to migrate their Ethereum listings to a new smart contract – essentially giving ownership of their NFTs to the attacker.
The attacker subsequently sold some of the NFTs for a profit. Strangely, the actor returned some NFTs to their rightful owners, along with 50 ETH to one of his victims. The latest reports show that the attacker now has $1.7 million worth of ETH from the sale of some NFTs. He also holds 3 Bored Ape Yacht Club (BAYC) NFTs, 2 Cool Cats, 1 Doodle, and 1 Azuki.
OpenSea: Phishing Scam, Not a Hack
The theft was initially assumed to be a breach in OpenSea’s code base, leading to the theft of $200 million, according to Twitter user Mr. Whale. However, Finzer dismissed these claims, saying that it was, in fact, a phishing scheme. His claim was, however, disputed by Twitter user Jacob King, who said that a flaw in the marketplace code had led to one of the biggest NFT exploits in history.
At the time, the executive noted that the OpenSea team had not yet determined the website that had been “misleading users into maliciously signing messages.” In another thread, he said the OpenSea team was actively working “with users whose items were stolen to narrow down a set of common websites they interacted with that could have been responsible for the malicious signatures.” Finzer also urged users not to click on any links outside of opensea.io.
With growth comes challenges
It is not surprising that malicious actors are targeting NFT markets, considering the tremendous growth and mania the sector has experienced in the past year. For example, OpenSea, the largest NFT marketplace to date, raised $300 million in its latest funding round on January 4. The company is now valued at a whopping $13.3 billion.
With that growth have come phishing scams, such as the one suffered by several high-value BAYC holders. Hackers also recently took advantage of a bug in OpenSea that allowed them to buy NFTs at deeply discounted prices for resale.