OpenSea hit by a phishing attack: hundreds of tokens worth more than 1.7 million dollars are lost


OpenSea is the leading reference in the world of NFTs. That has not prevented it from falling victim to a phishing attack in which the attackers managed to obtain hundreds of tokens, valued at more than 1.7 million dollars, as the CEO of the platform has confirmed. The figure could exceed $2.9 million if you take into account that the attackers have started selling the stolen NFTs on OpenSea itself.

This is the first cyberattack on a large NFT platform. NFTs are blockchain-based tokens whose popularity has skyrocketed in recent years, but they are not without problems. One of them is precisely security.

NFTs worth millions of dollars obtained through phishing

OpenSea, which is sharing many details about what happened, says it is investigating a “phishing attack” that appears to be no longer active. Initially 32 affected users were reported, although this number has since been reduced to 17 users.

In total, according to the PeckShield security service, 254 NFTs were stolen, including several from Decentraland and Bored Ape Yacht Club.

The attack was carried out through phishing, a technique in which a fake email is usually sent to make the user believe it is an official action by the platform. When you enter your details, attackers gain access to your account and can steal your NFTs. According to leaked screenshots, it was a supposed email from OpenSea asking users to migrate the site's NFTs, but OpenSea denies that route.

Nadav Hollander, CTO (Chief Technology Officer) of OpenSea, has explained various aspects of the attack. The migration to the new Wyvern 2.3 system is at the heart of the matter, as it would have been the pretext used by the attackers. But the CTO of OpenSea explains that no malicious action related to it was executed, so they understand that the attack was carried out before the migration and that, rather than taking advantage of a flaw in the Wyvern protocol, it was an attack against a chosen target.


Devin Finzer, CEO of OpenSea, has also detailed what happened. First of all, the deceived users signed a partial contract, with a general authorization and large blank spaces. With that signature, the attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without making any payment. In summary, as described by the CEO of OpenSea, users were tricked into signing a “blank check”. What they have not yet confirmed is the mechanism through which this phishing scam was carried out.
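
As an added illustration (not code from OpenSea or from the original article), here is a wallet-side check that flags the “blank check” traits described above before a user signs: no payment, a call to an unrecognised contract, and call data left mostly blank. The `Order` model, its field names, the allowlist and the sample orders are simplified assumptions constructed for this example.

```python
from dataclasses import dataclass

# Simplified, hypothetical order model; field names are assumptions made for
# this example, not OpenSea's or Wyvern's actual schema.
@dataclass
class Order:
    target: str        # contract that will be called when the order is matched
    calldata: bytes    # the call the signer is authorising
    open_mask: bytes   # 0xff marks a byte the counterparty may fill in later
    price_wei: int     # payment the signer is due to receive

# Constructed allowlist of contracts the wallet recognises (placeholder value).
KNOWN_TARGETS = {"0xknown_nft_contract_placeholder"}

def open_fraction(order: Order) -> float:
    """Share of calldata bytes left blank for the counterparty to complete."""
    n = len(order.calldata)
    if n == 0:
        return 1.0  # nothing is fixed by the signer at all
    mask = order.open_mask.ljust(n, b"\x00")[:n]
    return sum(b == 0xFF for b in mask) / n

def blank_check_findings(order: Order, max_open: float = 0.5) -> list[str]:
    """Return the reasons a wallet should warn or refuse before signing."""
    findings = []
    if order.price_wei == 0:
        findings.append("zero-price")
    if order.target.lower() not in KNOWN_TARGETS:
        findings.append("unknown-target")
    if open_fraction(order) > max_open:
        findings.append("open-calldata")
    return findings

# Constructed samples: a 100-byte call (4-byte selector + three 32-byte words).
CALL = bytes(4) + bytes(96)
# Ordinary listing: only the recipient word (bytes 36..67) is open, price is set.
LISTING = Order("0xknown_nft_contract_placeholder", CALL,
                bytes(36) + b"\xff" * 32 + bytes(32), 10**18)
# "Blank check": no payment, unrecognised target, every calldata byte left open.
BLANK_CHECK = Order("0xunrecognised_contract_placeholder", CALL, b"\xff" * 100, 0)

if __name__ == "__main__":
    for name, order in (("listing", LISTING), ("blank check", BLANK_CHECK)):
        print(name, round(open_fraction(order), 2), blank_check_findings(order))
```
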

Because one of the strengths of NFTs is their traceability, it is possible to view the attacker’s wallet. To warn of this problem, OpenSea has added a warning message indicating that these NFTs were obtained in a phishing attack. Rarely has it been possible to follow a thief in such detail.
