The NFTs of many people who use OpenSea were taken from their Ethereum wallets last night. OpenSea says that a phishing attack is most likely to blame, even though there have been rumours of an exploit.
Many high-value NFTs were stolen from collections like Bored Ape Yacht Club and Azuki by the hacker.
OpenSea Users Targeted in NFT Hack
Users of the OpenSea service were hacked last night and had millions of dollars worth of NFTs stolen from them.
The attacker went after 32 collectors on the top NFT market and drained their Ethereum wallets. PeckShield data suggests the attacker stole over 250 pieces from high-value collections like Bored Ape Yacht Club, Doodles, Azuki, and NFT Worlds. The haul is worth more than 1,000 Ethereum, or $3 million, based on the prices of the collections. The attacker’s wallet has 641 Ethereum worth about $1.7 million, as well as some of the stolen NFTs.
When people saw suspicious activity on their Twitter accounts at night, the news of the attack first came out on the site. It was thought at first that the exploit was linked to a smart contract that people who use OpenSea have been moving their NFTs to over the last few weeks. However, OpenSea said that a phishing attack is very likely.
We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of https://t.co/3qvMZjxmDB.
— OpenSea (@opensea) February 20, 2022
OpenSea tweeted Sunday morning that it was looking into the rumours and that “a phishing attack outside of OpenSea’s website” was the most likely reason for them. An investigation is taking place with “all hands on deck.” The CEO of OpenSea, Devin Finzer, said that 32 people had been phished. Finzer said this morning that he still thinks it was a phishing attack. “We are sure that this was a phishing attack,” he said in his email. The security analytics firm PeckShield also looked into the incident and thought phishing scams were the most likely cause.
NFT Hack Exposes Web3 Risks
Even though a full post-mortem analysis hasn’t been done, the Ethereum users foobar and isotile sent out tweet storms about the attacker’s likely moves. By their account, the attacker made a smart contract that used a call to OpenSea’s smart contract on Jan. 22. The attacker may have sent out an email that looked just like the one OpenSea sends out to trick people into signing a transaction that sent their NFTs to the hacker’s account. Once enough NFT collectors had signed the malicious transaction, the attacker carried out the attack and drained their wallets. The incident shows the dangers of using Web3, where anyone who signs a malicious Ethereum transaction could end up in trouble.
In the last few months, many Bored Ape Yacht Club members have had their high-value NFTs stolen in the same way after signing away their assets. As NFTs have become more popular and their prices have skyrocketed, hackers have increasingly turned to the space to find people who own them. Most of the people who have been affected by this have been tricked into signing bad contracts by phishing attacks. Even though there are many good things about self-custody wallets and decentralization, these kinds of attacks make people think about whether crypto and NFTs are ready for widespread use. Even if people who own crypto use a hardware wallet to store their money, they aren’t always safe from smart contract scams. For people who collect NFTs, hacks like this one are a reminder of how important it is to be careful in Web3, especially when it comes to checking emails and making transactions.