The world’s leading NFT marketplace, OpenSea, was hit by a phishing attack, putting its listed NFTs at risk. The attack came hours after the platform announced a smart contract upgrade. It had planned the upgrade to delist inactive NFTs on the platform. Soon after, hackers took advantage of the announcement to target the would-be-delisted NFTs.
“As far as we can tell, this is a phishing attack,” tweeted OpenSea co-founder and CEO Devin Finzer. “We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.”
OpenSea Phishing Attack: What happened?
According to Finzer, the hacker stole $1.7 million worth of NFTs from at least 32 users. This includes top NFTs such as Cool Cats and Doodles. Interestingly, the attacker even returned some of the NFTs. As Crypto Twitter was flooded with tweets about the OpenSea phishing attack, OpenSea announced that the company is “actively investigating rumours of an exploit associated with OpenSea related smart contracts.”
Since then, several theories have emerged as to what may have happened. According to Twitter user isotile, the hacker uploaded a new smart contract 28 days ago. The perpetrator then allegedly started sending emails with links to phishing websites. These websites asked users to sign a message to log in or migrate to the new OpenSea smart contract. In reality, the signature authorized a private sale of the users’ NFTs to the hacker.
“Today he executes the smart contract function to steal the NFTs before their listings expire,” they further wrote. “He can do that because he has your signatures stored on his server.”
While OpenSea investigates the phishing attack, users can revoke access to their NFTs via Etherscan to ensure they remain safe. Here are the steps as shared by @SimplifiedWeb3:
- Go to https://etherscan.io/tokenapprovalchecker
- Under Ethereum Token Approval, click ‘Connect to Web3’ and connect your wallet
- Click revoke next to any connection you want to remove.
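
One way to list the operator approvals a wallet still has outstanding, which are the entries the steps above revoke (an added example, not code from the article, OpenSea or Etherscan). It assumes standard ERC-721/ERC-1155 `ApprovalForAll` event logs; every address and log below is constructed sample data.

```javascript
// keccak256("ApprovalForAll(address,address,bool)"): the ERC-721/ERC-1155 event topic
const APPROVAL_FOR_ALL_TOPIC =
  "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31";

// Indexed address topics are 32-byte words; the address is the low 20 bytes.
const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();

// Replay logs in chain order and return the operator approvals still in force for `owner`.
function outstandingApprovals(logs, owner) {
  const want = owner.toLowerCase();
  const state = new Map(); // "collection|operator" -> latest approved flag
  const ordered = [...logs].sort(
    (a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex
  );
  for (const log of ordered) {
    if (!Array.isArray(log.topics) || log.topics.length !== 3) continue;
    if (log.topics[0].toLowerCase() !== APPROVAL_FOR_ALL_TOPIC) continue;
    if (!/^0x[0-9a-fA-F]{64}$/.test(log.data)) continue; // skip malformed data
    if (topicToAddress(log.topics[1]) !== want) continue;
    const key = log.address.toLowerCase() + "|" + topicToAddress(log.topics[2]);
    // The non-indexed bool is one ABI word: nonzero means approved, zero means revoked.
    state.set(key, BigInt(log.data) !== 0n);
  }
  return [...state]
    .filter(([, approved]) => approved)
    .map(([key]) => {
      const [collection, operator] = key.split("|");
      return { collection, operator };
    });
}

// Constructed sample data (not real addresses or on-chain logs).
const pad = (addr) => "0x" + addr.slice(2).padStart(64, "0");
const word = (flag) => "0x" + (flag ? "1" : "0").padStart(64, "0");
const mk = (collection, owner, operator, approved, blockNumber, logIndex) => ({
  address: collection,
  topics: [APPROVAL_FOR_ALL_TOPIC, pad(owner), pad(operator)],
  data: word(approved), blockNumber, logIndex,
});
const [OWNER, OTHER, COLL_A, COLL_B, OP_X, OP_Y] =
  ["11", "22", "aa", "bb", "cc", "dd"].map((b) => "0x" + b.repeat(20));
const SAMPLE_LOGS = [
  mk(COLL_A, OWNER, OP_X, false, 180, 2), // revocation, listed out of order
  mk(COLL_A, OWNER, OP_X, true, 100, 0),  // earlier approval, later revoked
  mk(COLL_B, OWNER, OP_Y, true, 150, 1),  // still active: should be reported
  mk(COLL_B, OTHER, OP_X, true, 160, 0),  // belongs to a different owner
];
console.log(outstandingApprovals(SAMPLE_LOGS, OWNER));
```

An operator that appears in the output can still move every token in that collection until the owner revokes the approval.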