Over the weekend, the NFT community was set ablaze following reports that NFT marketplace OpenSea was hit by a major phishing attack. While earlier reports claimed that the attacker made off with over $200 million, OpenSea has stepped forward to clarify that only 17 users were affected and that the victims' net losses are estimated at around $1.7 million.
The latest attack coincided with OpenSea’s recent smart contract upgrade. On Friday, the leading NFT marketplace announced that it was launching a new upgraded smart contract, requiring users to migrate their listings before February 25.
The hacker, however, capitalized on the upgrade to trick users into migrating their NFTs to his own wallet through legit-looking phishing emails.
According to a spreadsheet compiled by blockchain security firm PeckShield, the malicious actor made off with 254 NFTs from the attack, including some Bored Ape Yacht Club NFTs. Although OpenSea estimates that around $1.7 million worth of NFTs was stolen, PeckShield’s list puts the cumulative worth at around $3 million. Meanwhile, Dune Analytics user Jelilat claims that the most NFTs stolen during the attack were 37 Azukis.
From all indications, it appears the phishing attack had nothing to do with the OpenSea platform. By authorizing the “migration” as instructed in the phishing email, users were in effect signing the very transactions used to steal their NFTs.
Users were directed to a fraudulent site through phishing emails. They then signed approvals with Wyvern Exchange that gave the attacker control over their NFTs. The OpenDAO explained in a post:
The attacker appears to have exploited users by having them sign a fraudulent signature to approve a private sale of [their] NFT at 0 ETH to the attacker’s wallet. Unfortunately, nobody ever reads what they signed.