OpenSea says it is "actively investigating rumors of an exploit" that occurred on the popular Ethereum NFT marketplace Saturday. Users reported that digital assets, including NFTs from the Cool Cats and Doodle collections, had been stolen.
But co-founder and CEO Devin Finzer tweeted that the exploit likely didn't hit OpenSea at all, and instead targeted the people who rely on the marketplace to trade and maintain their digital assets.
"As far as we can tell, this is a phishing attack," he tweeted midway through the investigation. "We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen."
In other words, people may have received official-looking emails that tricked them into moving their NFTs into someone else's wallet. That address, which blockchain explorer Etherscan has labeled Fake_Phishing5169, now has a balance of 641 ETH worth over $1.7 million.
If Finzer's thesis is correct, the attacker(s) picked an optimal time to go phishing. On Friday, OpenSea released a new smart contract and asked users to migrate their holdings. Ironically, the new smart contract came about to prevent a different type of exploit—one which saw holders unwittingly sell their assets at bargain-basement prices.
Finzer urged users to make sure they were always using the official opensea.io website and to be on the lookout for fishy emails.