The largest non-fungible token marketplace, OpenSea, got hit by a phishing scam, with hackers stealing over a few hundred digital assets.
With the NFT community plagued by malicious activity for the past couple of months, scammers are stealing digital assets using some of the oldest tricks in the book, which seem to be quite effective if done right.
The initial news came in on February 20th, with OpenSea publicly addressing the rumors of an exploit that targeted users of the NFT marketplace.
A few hours later, the CEO of OpenSea, Devin Finzer, confirmed that customers were indeed hit by a phishing attack. Rumors had been floating around that $200M worth of NFTs were lost, but the CEO assured that, comparatively, the hacker’s address had received only $1.7M in ETH from selling the NFTs.
The blockchain security company PeckShield confirmed the CEO’s statement, posting a spreadsheet of all the NFTs that were stolen that day. The exact amount was 254 digital assets, and among them were some of the more expensive collectibles from the Bored Ape Yacht Club and the Mutant Ape Yacht Club.
Meanwhile, this left users baffled about how the phishing link managed to steal their digital assets. The Chief Technical Officer at OpenSea, Nadav Hollander, explained the whole situation in detail.
In a nutshell, the scammer placed malicious orders with valid user signatures from their accounts, but the orders were not recorded on OpenSea, meaning that the signatures were made on another site.
Likewise, a user familiar with the matter analyzed the attack in a more technical manner. According to him, users who pressed on the address partially signed the order, and the hacker signed the other half by using an exploit in the Wyvern Protocol, making the transfer to the scammer’s digital wallet.
The Twitter user even checked the transaction details and was certain that all the signatures were signed by the owners. Therefore, these users will most certainly not be reimbursed.
Shortly after, OpenSea posted a wall of tweets regarding the evidence of the phishing attack. The NFT marketplace assured that only 17 customers out of the suspected 32 were affected because not all of them signed the orders.
It seems that phishing scams have been on the rise across the digital asset industry. Earlier this month, Binance users were targeted by SMS phishing links, asking them to cancel unauthorized transactions.
In fact, the Intel 471 cybersecurity group warned users about an even more sophisticated phishing operation involving text message bots and financial service representative impersonations.