This past weekend, many sources reported that a hacker or a gang of hackers had stolen millions of non-fungible tokens (NFTs) from users of the biggest NFT marketplace, OpenSea. This sent the cryptocurrency and NFT communities into a frenzy.
Devin Finzer, co-founder and CEO of OpenSea, confirmed that a phishing attack had taken place. According to him, rumors of a $200 million breach are unfounded, and the attacker only had $1.7 million in ETH (Ethereum) in their wallet as a result of selling part of the stolen NFTs. He also stated that just 17 customers had lost NFTs worth $1.7 million thus far, as opposed to the previous estimate of 32 people who were reported to have fallen for the phishing attack.
OpenSea investigating the attack
An updated tweet by OpenSea indicates that the company's team is currently looking into the attack, which has seemingly been inactive for more than 15 hours.
According to Devin Finzer, the attack originated from a third party and not from a security breach on OpenSea's main platform. Over the course of its investigation, the company has been talking to "dozens of people, teams, and projects across the NFT space" while also working with victims to narrow down where the attack may have originated. He also confirmed that some of the stolen NFTs had been returned.
"The attack doesn't appear to be active at this point — we haven't seen any malicious activity from the attacker's account in 2 hours. Some of the NFTs have been returned."
How did the attack happen?
The attack on OpenSea occurred after the company announced on Friday that it would update its smart contract to remove inactive listings. According to the announcement, users have until February 25th to move listings created before February 18th.
It seems that those behind the attack used this update as a pretext, sending phishing emails that appeared to be legitimate to deceive users into transferring their NFTs to the attackers' wallets. As the users approved the update via the phishing emails, their NFTs were handed over to a wallet belonging to the hacker.
The attacker appears to have taken advantage of users by convincing them to provide a signature approving a private sale of their NFT for 0 ETH to the attacker's wallet; however, at this time, OpenSea is not aware of the website that was used to trick users into signing the malicious messages.