NFT trading platform OpenSea reported that amid the migration of NFTs to a new smart contract, a hacker allegedly stole $1.7 million worth of Ethereum and NFTs.
The OpenSea marketplace said on Feb. 19 that it was investigating a series of Twitter messages posted by concerned platform users about an exploit on smart contracts on the OpenSea platform.
“We are actively investigating rumors of an exploit related to OpenSea smart contracts. This appears to be a phishing attack originating outside of OpenSea. Do not follow the link outside of opensea.io.”
The founder and CEO of the platform, Devin Finzer, said on Twitter that “32 users followed the link and followed the instructions of the attackers, as a result they lost NFT.” He added that the company was “unaware of recent phishing emails sent to users” and suggested it was from a fraudulent website.
Finzer asked those affected to contact the company and added: “If you are concerned and want to protect yourself, you can block access to your NFT collection.”
The phishing attack was prompted by an OpenSea initiative under which a smart contract was launched on February 18 to migrate user tokens to a new contract and gradually remove inactive users from the platform.
Cybersecurity company PeckShield said the rumored exploit was most likely phishing. Messages were sent to a malicious contract hidden behind a disguised link. The company cited a mass mailing about the progress of the migration as one possible source of the link.
The alleged attacker's address (marked with a phish/hack warning by analytics site Etherscan) holds about $1.7 million worth of ETH, as well as 3 Bored Ape Yacht Club NFTs, 2 Cool Cats NFTs, 1 Doodle NFT and 1 Azuki NFT.
Chainalysis recently reported that as of the end of 2021, $11 billion worth of crypto assets was stored in wallets associated with illegal activities, of which $9.8 billion (93%) was stolen crypto assets.
In early February, attackers broke into Dego Finance and took tokens from liquidity pools. The day before that hack, SlowMist, a blockchain security company, confirmed an attack on the AToken multi-currency wallet.