top of page
Kyle Chua

OpenSea Investigating Alleged Phishing Attack That Stole $1.7 Million in NFTs

OpenSea, a platform where users can buy, sell and display NFTs and other crypto-based digital assets, is now probing what it believes was a phishing attack on Saturday that stole an estimated value of US$1.7 million in NFTs. Blockchain security firm PeckShield said a total of 254 tokens were stolen in the attack.

Credit: Blockworks

“We don’t believe it’s connected to the OpenSea website,” said CEO Devin Finzer on Twitter. “It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.”


The Verge notes that the attack likely exploited an aspect in the Wyvern Protocol, the decentralised standard that facilitates digital asset exchanges. Web3 platforms like OpenSea typically use this standard for the buying and selling of NFTs, and Finzer suggests the victims may have signed a partial agreement that allowed the attackers to transfer the tokens without any payment. Twitter user Neso backed up his claim, pointing out that all the transactions in question had the signatures of the victims.

Not much else is known about the attack yet, but Finzer emphasized that OpenSea was not a vector for it. The platform only recently had introduced a new contract system and asked users to start migrating their assets. However, it’s unlikely that this caused the attack because if there were any vulnerabilities in the new system, it would have been exploited to a greater scale, according to The Verge.


Finzer added that the platform’s listing systems and emails are also not to blame.

A number of the stolen NFTs have since been returned, and no other suspicious activity has been detected from the attacker’s account. Among the stolen NFTs include tokens from Bored Ape Yacht Club and Azuki collections.

 
  • OpenSea is now investigating an alleged phishing attack that stole hundreds of NFTs with a total estimated value of US$1.7 million.

  • Some of the stolen tokens have since been returned, and no other suspicious activity was detected from the attacker's account.

  • OpenSea CEO Devin Finzer said his platform was not a vector for the attack.

As technology advances and has a greater impact on our lives than ever before, being informed is the only way to keep up.  Through our product reviews and news articles, we want to be able to aid our readers in doing so. All of our reviews are carefully written, offer unique insights and critiques, and provide trustworthy recommendations. Our news stories are sourced from trustworthy sources, fact-checked by our team, and presented with the help of AI to make them easier to comprehend for our readers. If you notice any errors in our product reviews or news stories, please email us at editorial@tech360.tv.  Your input will be important in ensuring that our articles are accurate for all of our readers.

bottom of page