Tokens worth around $1.7 million have been stolen from OpenSea, a prominent NFT platform. It was around 5 & 8 p.m. ET on Saturday when OpenSea customers were fooled into part-signing smart contracts that allowed the transactions to take place.
Their non-fungible assets were subsequently transferred to their own address by completing the contractual procedure. NFT owners may have been tricked into signing a contract by “phishing,” according to OpenSea. This is when an official correspondence is made to appear like the actual thing.
The attack’s timing is critical given that, the marketplace revamped its contract system. It has been claimed that the OpenSeas’ new contracts triggered the assault. Although, this has been denied by the company. OpenSea is looking into the problem right now. There were a total of 32 victims in the attack.
I know you’re all worried. We’re running an all hands on deck investigation, but I want to take a minute to share the facts as I see them:
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
CEO Confirmed ” This is a phishing attack”
“As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen,” OpenSea CEO Devin Finzer said in a series of tweets.
Late Sunday night, OpenSea stated that the hacker seemed to be dormant and that the last time it had been active was 15 hours earlier. Nadav Hollander, the OpenSea CTO, also provided a detailed breakdown of the phishing scam.
Emails pretending to be of a corporation are regularly used in phishing attempts because they include dangerous links. OpenSea customers may have fallen victim to this phishing email, although Hollander noted that “it looks the attack was planned outside OpenSea,” implying that they were targeted.
NFTs may be stored in e-wallets that hide the account owner’s identification, but the movements of digital products upon the blockchain network are typically transparent. It’s possible to track NFTs between wallet to wallet with a little technological in-between.
OpenSea has just released an updated smart contract last weekend. Client alerts from OpenSea were immediately resent by an attacker who immediately duplicated and returned their email. It was only those who clicked on the duplicate email’s link were taken to a copycat website.
NFTs that had been transferred from the previous contract into the new one were requested to sign a transfer that seemed to be valid. A method named atomicMatch_ was activated when the user clicked “Sign.” “This sort of approach is good at seizing all NFTS in one go,” Check Point Software said on Sunday.
Investors in cryptocurrencies or NFTs should be aware of phishing emails and resist checking out links given by unknown senders. Trust is pivotal so only travel through the websites you deem legit.