OpenSea marketplace is investigating a “phishing attack” that has left more than two dozen of its users without access to some of its most valuable digital tokens. Late Saturday night, panic hit the platform as someone stole hundreds of NFTs.
Over several hours that afternoon, the attacker targeted 32 accounts and obtained 254 tokens, according to a compiled by the PeckShield Blockchain security service. Among the stolen NFTs are tokens from the and collections. An estimate by the creator of calculated the price at 641 Ethereum (approximately $1.7 million at press time).
“We are confident this was a phishing attack” the co-founder and CEO of OpenSea, in a posted on Sunday morning. “We don’t know where the phishing took place, but we were able to rule out a number of things based on our conversations with the 32 affected users.”
According to Finzer, OpenSea determined that its website was not a vector for the attack, nor did anyone exploit a previously unknown vulnerability in the platform’s NFT minting, buying, selling, and listing capabilities. “Interaction with an OpenSea email is not an attack vector,” Finzer said. “In fact, we are not aware of any affected users receiving or clicking links in suspicious emails.”
We’ve contacted OpenSea for comment.
As noted by the attack likely took advantage of an aspect of . Many Web3 platforms, including OpenSea, use the open source standard to underpin their contracts. One suggests that the targets of the phishing campaign may have signed a partial agreement that allowed the attacker to transfer the NFTs without Ethereum changing hands. Finzer said he presented a scenario that was “consistent with our current internal understanding” of the situation.
While there’s still a lot about the attack that we don’t know, what’s clear is that it couldn’t have come at a worse time for OpenSea. On Friday, the company presented a and asked people to migrate their assets. It has also been the subject of recent controversy, starting with an employee who resigned to profit from NFT drops, and more recently over the prevalence of fake, plagiarized or spammed tokens on their platform.
All products recommended by Ploonge are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.