OpenSea Dismisses Rumors Of Exploit And Calls It Phishing Attack
One of the leading NFT marketplaces, OpenSea, has reportedly become a victim of phishing attacks, after users complain about stolen NFTs.
After several tweets from NFT traders that went viral, NFT marketplace OpenSea says it’s investigating “rumors of an exploit” regarding smart contracts connected to the platform.
? NFT EXPLOIT ? @opensea hack is BAD – This guy tornado'd into a fresh wallet 12/30, made a weird contract call on Jan 22nd to OpenSea's contract (etherscan down of course, so I can't investigate calldata…) — and now he's pulled 18 (and counting) batches of NFTs…. pic.twitter.com/gDIYiR8eG9
“We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website. Do not click links outside of opensea.io.”
We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of https://t.co/3qvMZjxmDB.
Around 10:50 p.m. ET, the Chief Executive of OpenSea Devin Finzer tweeted that “32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.” He added that OpenSea is “not aware of any recent phishing emails that have been sent to users,” and that a fraudulent website could be the source of the problem.
As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.
OpenSea had planned to revise its smart contract (the code governing the trading platform) by releasing a new contract on Friday, which was intended to ensure that old and inactive listings on the platform would eventually expire.
Traders took it to Twitter to share what they’d initially thought were official OpenSea emails about the migration process from contract A to contract B.
PeckShield, a blockchain security company that audits smart contracts, said that the rumored exploit was “most likely phishing” – a malicious contract hidden in a disguised link. The company cited that same mass email about the migration process as one of the possible sources of the link.
The apparent attacker’s address (which the blockchain explorer website Etherscan has already slapped with a “phish/hack” warning badge) holds about $1.7 million worth of ETH, as well as three tokens from the Bored Ape Yacht Club, two Cool Cats, one Doodle and one Azuki.
