Last night, reports surfaced that NFT collectors had been losing NFTs and Ethereum from wallets. OpenSea has now confirmed that what happened was a phishing attack, which saw over $1.7 million in assets shifted to the malicious wallet, now labeled Fake_Phishing5169.
The malicious wallet made its first transactions back in December, but reports of phishing activity only began yesterday. This wallet has also been interacting with another wallet that has been flagged as part of an OpenSea phishing scam.
In the past 24 hours, numerous NFTs from collections with high floor prices have been transferred, including Bored Ape Yacht Club, Cool Cats, Doodles, and Azuki NFTs. The Fake_Phishing5169 address has also made transactions on the rival NFT marketplaces Rarible and LooksRare.
A few hours after the news broke, OpenSea CEO Devin Finzer said: “We have confidence that this was a phishing attack. We don’t know where the phishing occurred.” But the company believes that the attack did not originate from OpenSea’s domain, and that neither legitimate OpenSea emails nor the OpenSea site banner led to the attack.
“Minting, buying, selling, or listing items using opensea.io is not a vector for the attack. In particular, signing the new smart contract (the Wyvern 2.3 contract) is not a vector for the attack,” said Finzer, also clarifying that OpenSea’s listing migration tool was not involved in the attack.
“We’re actively working with users whose items were stolen to narrow down a set of common websites that they interacted with that might have been responsible for the malicious signatures,” he added.
Finzer said that while there have been intermittent pauses in the attacker’s activity, OpenSea is continuing to investigate the situation. He also confirmed that a thread by Twitter user Neso is “consistent” with his understanding of what happened. Neso said those who lost assets signed half of a valid Wyvern order (Wyvern being the decentralized exchange protocol whose signed orders can execute asset transfers).
Seen confusion about the OS thing so.
Attacker had people sign half of a valid Wyvern order; the order was basically empty except for the target (attacker contract) and calldata, and the attacker signed the other half of the order.
— Neso (@Nesotual) February 20, 2022
Regardless of the source of the attack, some are confused by the transactions. For example, why did the phishing scammer send 50 Ethereum ($132,597) to naterivers.eth after taking some of his assets and then returning them? And why are some destination addresses hidden by the Tornado Cash proxy, while others aren't?
To limit exposure to this kind of NFT and Ethereum token theft, revoke outstanding token approvals via Etherscan’s Token Approval feature and consider moving valuable assets to a hardware wallet.