Top non-fungible token (NFT) marketplace OpenSea says a phishing attack is likely behind the exploit that left a small number of users unable to access their NFTs.
Earlier this month, OpenSea announced that it would be upgrading the smart contract it uses to help address the inactive listing issues it was experiencing on Ethereum (ETH).
The update involves the migration of NFT listings to the new Wyvern smart contract. According to the announcement, listings that have not been migrated by February 25th will expire.
Blockchain security and data analytics firm PeckShield says bad actors jumped at the opportunity and may have launched a phishing scam that allowed them to steal millions of dollars' worth of NFTs.
OpenSea CEO Devin Finzer confirms the attack, saying that 32 users were affected and that some of the stolen NFTs have been returned.
“As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.
The attack doesn’t appear to be active at this point – we haven’t seen any malicious activity from the attacker’s account in 2 hours. Some of the NFTs have been returned.
Importantly, rumors that this was a $200 million hack are false. The attacker has $1.7 million of ETH in his wallet from selling some of the stolen NFTs.”
OpenSea itself is issuing an update on Twitter, saying that the incident is isolated and only “a small number of people” were affected. The NFT marketplace also says the scam does not appear to be email-based, suggesting that the malicious link spread through a channel other than email.
OpenSea also highlights that the migration tool is safe to use.