Reportedly, an attacker got away with NFTs worth at least 1.7 million USD after a targeted phishing attack against OpenSea users.
Our leadership, engineering, and security teams are communicating with affected users to gather details. We continue to believe that this is a phishing attack that originated outside of https://t.co/3qvMZjxmDB.
— OpenSea (@opensea) February 20, 2022
32 users got their NFTs stolen
According to first reports, the attack was meticulously planned: the attacker deployed a malicious smart contract on the Ethereum blockchain 28 days in advance. Yesterday, the attacker started sending out phishing emails that tricked OpenSea users into signing a request that authorized that contract to transfer every NFT held by the signing wallet.
The attack was deliberately timed to coincide with a planned smart contract upgrade by OpenSea that requires NFT sellers to migrate their listings. On Twitter, the marketplace stated that its migration contracts are safe to use, but advised users to always check the website's URL before signing any transaction. Checking the URL guards against look-alike domains, but it does not tell a user what a signature request actually authorizes.
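The two paragraphs above describe the core of the attack: a signature that hands a malicious contract transfer rights over everything in the wallet, delivered through a site the user did not verify. The following is an added example, not code from the article or from OpenSea, of the pre-signing check a wallet or browser extension could run on a transaction request. It assumes the permission grant takes the form of a standard ERC-721/ERC-1155 `setApprovalForAll` call (the article does not say which signing mechanism the attacker used); the trusted origin list, the trusted operator address, the NFT contract address and the attacker address are all placeholders.

```javascript
// Added example, not code from the article or from OpenSea. A pre-signing check
// a wallet or browser extension could run on a transaction request: it decodes
// the standard ERC-721/ERC-1155 approval and transfer calls by their 4-byte
// selectors and flags a request that would hand transfer rights over every
// token in the wallet to an operator the user has not explicitly trusted.

// First four bytes of keccak256 over each canonical function signature.
const SELECTORS = {
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0x095ea7b3": "approve(address,uint256)",
  "0x23b872dd": "transferFrom(address,address,uint256)",
  "0x42842e0e": "safeTransferFrom(address,address,uint256)",
};

// Hypothetical allowlists. The operator address is a placeholder standing in
// for a marketplace contract the user has chosen to trust, not a real deployment.
const TRUSTED_ORIGINS = new Set(["https://opensea.io"]);
const TRUSTED_OPERATORS = new Set(["0x" + "11".repeat(20)]);

// i-th 32-byte ABI word after the selector, as 64 hex characters.
function word(data, i) {
  const start = 10 + i * 64;
  return data.slice(start, start + 64);
}

// Decode the selector and, for the two approval calls, their arguments.
function decodeCall(data) {
  if (typeof data !== "string" || !/^0x[0-9a-f]{8,}$/i.test(data)) {
    return { selector: null, name: "unknown", args: {} };
  }
  const d = data.toLowerCase();
  const selector = d.slice(0, 10);
  const name = SELECTORS[selector] || "unknown";
  const args = {};
  // Both approval calls carry exactly two ABI words after the selector.
  if (name.startsWith("setApprovalForAll") || name.startsWith("approve(")) {
    if (d.length < 10 + 2 * 64) return { selector, name: "malformed", args };
    const target = "0x" + word(d, 0).slice(24); // address = low 20 bytes of word 0
    const value = BigInt("0x" + word(d, 1));
    if (name.startsWith("setApprovalForAll")) {
      args.operator = target;
      args.approved = value !== 0n;
    } else {
      args.spender = target;
      args.tokenId = value;
    }
  }
  return { selector, name, args };
}

// Classify a signing request. Returns { risk: "high"|"medium"|"low", reasons }.
function assessRequest(req) {
  const reasons = [];
  let risk = "low";
  const { name, args } = decodeCall(req.data);
  if (!TRUSTED_ORIGINS.has(req.origin)) {
    reasons.push(`request came from untrusted origin ${req.origin}`);
    risk = "medium";
  }
  if (name.startsWith("setApprovalForAll") && args.approved &&
      !TRUSTED_OPERATORS.has(args.operator)) {
    reasons.push(`grants ${args.operator} transfer rights over ALL tokens in ${req.to}`);
    risk = "high";
  } else if (name.startsWith("approve(") && !TRUSTED_OPERATORS.has(args.spender)) {
    reasons.push(`lets ${args.spender} transfer token ${args.tokenId} from ${req.to}`);
    if (risk === "low") risk = "medium";
  } else if (name === "malformed") {
    reasons.push("calldata too short to decode; refuse to sign blind");
    risk = "high";
  }
  return { risk, reasons };
}

// ABI-encode setApprovalForAll(operator, approved) so sample requests can be built.
function encodeSetApprovalForAll(operator, approved) {
  return "0xa22cb465" +
    operator.slice(2).toLowerCase().padStart(64, "0") +
    (approved ? "1" : "0").padStart(64, "0");
}

// Constructed sample requests; every address and origin is a placeholder.
const NFT_CONTRACT = "0x" + "22".repeat(20);
const PHISHING_REQUEST = {
  origin: "https://opensea-migration.example",                   // look-alike site
  to: NFT_CONTRACT,
  data: encodeSetApprovalForAll("0x" + "ab".repeat(20), true),  // attacker's contract
};
const LEGIT_REQUEST = {
  origin: "https://opensea.io",
  to: NFT_CONTRACT,
  data: encodeSetApprovalForAll("0x" + "11".repeat(20), true),  // trusted operator
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(assessRequest(PHISHING_REQUEST)); // risk "high", two reasons
  console.log(assessRequest(LEGIT_REQUEST));    // risk "low", no reasons
}
```

The point of the decoder is that the wallet prompt can say in plain words what the user is about to authorize, instead of showing an opaque hex blob. This example only covers on-chain calldata; a marketplace that asks users to sign typed off-chain messages (EIP-712 orders, for example) needs an equivalent decoder for that message format, since a bare signature request carries no calldata to inspect.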
OpenSea CEO Devin Finzer has confirmed that 32 users were affected and that the attack appears to have subsided. He also stated that some of the NFTs were returned to their owners, but that the attacker made 1.7 million USD by selling others.
Unequal compensation for exploited victims
On its support page, the marketplace states that the migration is part of a security update that cancels inactive listings. The update became necessary after an exploit was uncovered last month that allowed attackers to buy NFTs at stale, inactive listing prices amounting to only a fraction of the pieces' market value.
According to Vice, some users complain of unequal treatment by the marketplace, even though it promised to reimburse affected users. While most say they have either not been refunded at all or were offered only a 2.5% refund, others claim to have been refunded in full. In an email to Vice, OpenSea stated:
We don’t comment on specific customer support scenarios. We have taken the inactive listings issue seriously and given generous reimbursements to users who were impacted.
Although it is debatable to what degree OpenSea is at fault for the exploit, this will likely add to the number of users dissatisfied with the marketplace. In January, the marketplace imposed strict minting limits, only to reverse the decision after intense pressure from the community.
Nor was this the first time technical issues caused OpenSea users to lose NFTs. In September 2021, a bug destroyed 42 pieces with a combined value of over 100,000 USD by sending them to a burn address.