- A hacker stole hundreds of NFTs from OpenSea users last night.
- While a post-mortem report has not yet been published, OpenSea team has claimed that the hacker executed a phishing attack to steal the NFTs.
- The incident is yet another reminder of the risks of self-custody in Web3.
Share this article
The hacker stole hundreds of high-value NFTs from sought-after collections like Bored Ape Yacht Club, Azuki, and NFT Worlds.
OpenSea Users Targeted in NFT Hack
A hacker stole millions of dollars worth of NFTs from OpenSea users last night.
The attacker targeted an estimated 32 collectors on the top NFT marketplace and drained their Ethereum wallets. On-chain data posted by Peckshield shows that they stole over 250 pieces from high-value collections like Bored Ape Yacht Club, Doodles, Azuki, and NFT Worlds. Based on the floor prices for the collections, Crypto Briefing estimated the total haul to be worth over 1,000 Ethereum, or $3 million. The attacker’s wallet currently contains 641 Ethereum worth around $1.7 million, as well as a selection of the stolen NFTs.
News of the attack first surfaced on Twitter late Saturday when users reported suspicious activity tied to their accounts. It was initially rumored that the exploit was linked to a smart contract that OpenSea users have been migrating their NFTs to over recent weeks. However, OpenSea pointed to a likely phishing attack.
We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website. Do not click links outside of https://t.co/3qvMZjxmDB.
— OpenSea (@opensea) February 20, 2022
The team took to Twitter early Sunday to announce that it was “actively investigating” the rumors and that “a phishing attack outside of OpenSea’s website” was the probable cause. OpenSea CEO Devin Finzer said that the team was “running an all hands on deck investigation” and that the 32 affected users had suffered from a phishing attack. Earlier this morning, Finzer reiterated his belief that it was a phishing attack. “We have confidence that this was a phishing attack,” he wrote. The security analytics firm PeckShield also investigated the incident and shared the view that a phishing scam was likely the root cause.
NFT Hack Exposes Web3 Risks
Though a full post-mortem analysis is yet to be published, the Ethereum users foobar and isotile posted tweet storms detailing the attacker’s probable moves. On-chain data shows that they deployed a smart contract on Jan. 22 that used a call to OpenSea’s contract. It’s thought that they tricked users into signing a transaction that transferred their NFTs to the hacker’s wallet, likely by sending out an email that replicated the ones OpenSea sends out. Once they had duped a sufficient number of NFT collectors into signing the malicious transaction, they executed the attack to drain their wallets. While a phishing attack is still yet to be confirmed, the incident exposes the risks of using Web3, where signing any malicious Ethereum transaction can have disastrous consequences.
In recent months, many Bored Ape Yacht Club holders have lost their high-value NFTs in similar attacks after signing away their assets. As NFTs have attracted mainstream interest and their prices have soared, hackers have increasingly turned to the space to target collectors. Most of the affected OpenSea users have fallen victim to phishing attacks that tricked them into signing malicious contracts. For all of the benefits of self-custody wallets and decentralization, such attacks raise questions about whether crypto and NFTs are truly ready for mass adoption. Even when crypto holders use a hardware wallet to store their assets, they are not necessarily protected against smart contract scams. For collectors, NFT hacks like this one are a reminder of the importance of taking caution at all times in Web3, especially when it comes to checking emails and signing transactions.
Disclosure: At the time of writing, the author of this feature owned ETH and several other cryptocurrencies.