OPENSEA NFT MARKETPLACE GOT HACKED

The world’s largest non-fungible token (NFT) marketplace, OpenSea, was hacked. Users were asked to convert their NFTs from the Ethereum (ETH) blockchain to a new contract as part of an upgrade announced by OpenSea last week. The hack occurred shortly after OpenSea released the upgrade.

Following the announcement, hackers began sending phishing emails to OpenSea NFT holders that purported to authorize the “migration”, claiming that the emails and the bogus website linked inside were gateways for users to get their NFTs listed on the new smart contract. The attack was split into two parts, according to CEO Devin Finzer. To begin, targets signed a part of a contract that had a broad authorisation and large sections that were left blank. After obtaining the signature, the attackers finalized the transaction by making a call to their contract, which effectively transferred ownership of the NFTs without payment. In essence, the victims of the attack signed a blank check, and the attackers then filled in the rest of the check to steal their assets. The attack targeted a number of NFTs on OpenSea, including several from well-known collections like Bored Ape Yacht Club and Mutant Ape Yacht Club.
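The “blank check” pattern described above can be caught before signing. The following pre-signing check is an added example, not code from OpenSea or from the original article; the order field names, the origins and the two sample orders are hypothetical and constructed for illustration.

```python
# Added example. Field names are hypothetical, not a real marketplace schema.
ZERO_ADDRESS = "0x" + "00" * 20

# Constructed policy: values a signer should see filled in before approving.
MUST_BE_SET = ("asset_contract", "counterparty", "price_wei", "expires_at", "calldata")


def is_blank(value):
    """Treat missing, empty, zero and all-zero hex values as 'left blank'."""
    if value is None:
        return True
    if isinstance(value, str):
        v = value.strip().lower()
        if v == "":
            return True
        if v.startswith("0x"):
            return set(v[2:]) <= {"0"}  # "0x", "0x00...00", zero address
        return False
    if isinstance(value, int):
        return value == 0
    return False


def review_signing_request(order, origin, trusted_origins):
    """Return a list of reasons to refuse the signature; empty means no finding."""
    findings = []
    if origin not in trusted_origins:
        findings.append(f"request came from untrusted origin {origin!r}")
    for field in MUST_BE_SET:
        if is_blank(order.get(field)):
            findings.append(f"field {field!r} is left blank in what you are asked to sign")
    if is_blank(order.get("price_wei")) and not is_blank(order.get("asset_contract")):
        findings.append("asset is named but the payment is zero")
    return findings


TRUSTED_ORIGIN = "https://marketplace.example"          # constructed placeholder
PHISHING_ORIGIN = "https://migrate-marketplace.example"  # constructed placeholder

# Constructed sample: broad authorisation with most of the order left blank.
BLANK_ORDER = {"asset_contract": "0x" + "ab" * 20, "token_id": 1234,
               "counterparty": ZERO_ADDRESS, "price_wei": 0,
               "expires_at": 0, "calldata": "0x"}

# Constructed sample: every value is stated before the user signs.
COMPLETE_ORDER = {"asset_contract": "0x" + "ab" * 20, "token_id": 1234,
                  "counterparty": "0x" + "cd" * 20, "price_wei": 2 * 10**18,
                  "expires_at": 1700000000, "calldata": "0x12ab"}

if __name__ == "__main__":
    for reason in review_signing_request(BLANK_ORDER, PHISHING_ORIGIN, {TRUSTED_ORIGIN}):
        print("REFUSE:", reason)
```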

The attacks did not originate from OpenSea’s website, its numerous listing systems, or any emails sent by the company, according to CEO Devin Finzer. The attack’s rapidity (hundreds of transactions in a matter of hours) suggests a common attack vector, but no link has been found so far. After selling part of the NFTs, the attacker’s wallet held more than 600 Ethereum, worth around $1.7 million, from the stolen NFTs, according to Finzer.

The phishing attempt on the NFT marketplace happened at the same time that the UK tax office seized three NFTs as part of a probe into a 1.4 million pound (almost $1.9 million) fraud case.


While it’s unclear what will happen to the NFTs stolen from OpenSea customers, this massive phishing assault highlights the question of the crypto industry’s “safety,” with new crypto scams popping up every day across the world.