NFTs valued at over US$1.7 million have been stolen from OpenSea users
NFTs have been stolen from several OpenSea accounts in a recent hack. The scam is currently being investigated by the company, an NFT marketplace, which believes it was a phishing attack. OpenSea stated that the incident had ended after no malicious activity was reported for over 36 hours.
OpenSea believes that 17 users have been affected, with 32 users in total having interacted with the hacker. Devin Finzer, CEO of OpenSea, revealed that the hacker had US$1.7 million of Ethereum in their wallet from selling some of the stolen NFTs.
It appears the attack was made possible by the affected users signing partial contracts, though these were not broadcast to OpenSea. Each partial contract was similar to a blank cheque, allowing the malicious actor to complete the agreement with their details to finalise the transaction.
It is unclear how the account owners partially signed these contracts. OpenSea said it was confident that the phishing attack did not originate on its platform. The company also clarified that actions including buying and listing items were not to blame. Having spoken to affected customers, OpenSea does not believe the scam was facilitated by malicious emails or users clicking on a banner on its website.
The attack comes during a migration to a new version of the contract used for NFT trades; the new version will make it harder for these attacks to happen in the future. OpenSea does not believe that either the migration or the new Wyvern 2.3 smart contracts themselves were vectors for the attack.
Interestingly, it has been reported that the hacker has already returned several of the stolen NFTs, with another victim receiving 50 Ethereum (~US$130,000) from the bad actor. OpenSea has pledged to continue investigating the attack, urging anyone affected to contact it via the support center.