OpenSea users lose NFTs worth $1.7M in likely phishing attack

Attackers stole hundreds of NFTs from users of NFT marketplace, OpenSea, causing a late-night panic among the website’s diverse user base.

A spreadsheet compiled by PeckShield, a blockchain security service, counted 254 NFTs stolen throughout the attack, including tokens from Bored Ape Yacht Club and Decentraland. The bulk of the attacks took place between 5 PM and 8 PM Eastern Time, targeting 32 users in total. Molly White, who runs the Web3 is Going Great blog, estimated the value of the stolen NFTs at 641 Ethereum (over $1.7 million).

Devin Finzer, the CEO of OpenSea, tweeted, saying they were confident that it was a phishing attack. However, they did not know where the phishing occurred but could rule out several things based on their conversations with the 32 affected users.

The attack seems to have exploited flexibility in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those made on OpenSea.

OpenSea, valued at $13 billion in a recent financing round, has become one of the most valuable firms of the NFT boom. The NFT marketplace provides a simple interface for users to browse, bid, and list NFTs without interacting directly with the blockchain. That success has come with substantial security issues, as the firm has struggled with attacks that have used poisoned tokens or old contracts to steal users’ valuable holdings.