World’s largest NFT marketplace hacked: About $2 million worth of NFTs stolen in OpenSea phishing hack
In just two years, non-fungible tokens (NFTs) have grown from under $100 million in 2020 to surpass $40 billion in 2021. The NFT market cap is now forecast to reach over $80 billion by 2025. However, as NFT popularity soars, so does the number of hacking incidents. Just last month, $2.2 million worth of Bored Ape Yacht Club NFTs were hacked.
On Saturday, the world’s first and largest NFT marketplace, OpenSea, confirmed that it had been hit by a phishing attack and that at least 32 users had lost valuable NFTs worth $1.7 million. The company’s CEO, Devin Finzer, confirmed the phishing attack late Saturday night.
Finzer announced that the company is investigating a “phishing attack” that no longer appears to be active. He also confirmed that 32 users have lost NFTs so far and the attacker “has $1.7 million of ETH (Ethereum) in his wallet from selling some of the stolen NFTs.”
In a series of tweets on Saturday, Finzer said the hacker “has $1.7 million of ETH in his wallet from selling some of the stolen NFTs” but dispelled rumors that the hack was worth $200 million. He also added that some of the stolen NFTs have been returned.
“I know you’re all worried. We’re running an all-hands-on-deck investigation, but I want to take a minute to share the facts as I see them,” Finzer said in a tweet.
Finzer added, “As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.”
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
However, a separate report from the decentralized metaverse firm Isotile tells a different story. The phishing hack took place 28 days ago, when a hacker uploaded a new smart contract onto the OpenSea NFT marketplace platform. The hacker then started sending emails that linked to phishing websites, which asked users to sign a message to log in or migrate to the new OpenSea smart contract.
However, instead of actually logging into the OpenSea marketplace, the users were signing a private sale (0 ETH) of their NFTs to the hacker.
https://twitter.com/isotile/status/1495234655154577408
https://twitter.com/isotile/status/1495234649970421760
We will continue to monitor this story and keep you updated as soon as we have new information.