OpenSea users lose hundreds of NFTs in likely phishing attack
NFT marketplace OpenSea is investigating a “phishing attack” that has left more than two dozen of its users without access to some of their most valuable digital tokens. On late Saturday evening, panic hit the platform when someone stole hundreds of NFTs.
Over several hours that afternoon, the attacker targeted 32 accounts and obtained 254 tokens, according to a spreadsheet compiled by Blockchain security service PeckShield. Among the stolen NFTs are tokens from the Bored Ape Yacht Club and Azuki collections. One estimate by Molly White, the creator of the Web3 is Going Great blog, pegged the haul at 641 Ethereum (approximately $1.7 million at the time of this article).
“We have confidence that this was a phishing attack,” said Devin Finzer, the co-founder and CEO of OpenSea, in a tweet posted early Sunday morning. “We don’t know where the phishing occurred, but we’ve been able to rule out a number of things based on our conversations with the 32 affected users.”
According to Finzer, OpenSea determined its website was not a vector for the attack, nor did someone exploit a previously unknown vulnerability in the platform’s NFT minting, buying, selling and listing features. “Interaction with an OpenSea email is not a vector for attack,” said Finzer. “In fact, we are not aware of any of the affected users receiving or clicking links in suspicious emails.”