Users of the OpenSea NFT marketplace have been victimized by an exploit of some sort. Some users are reporting NFTs being stolen, and many crypto commentators are unsure what exactly is going on. The company issued a statement on Twitter suggesting that phishing emails might be the cause.
We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of https://t.co/3qvMZjxmDB. — OpenSea (@opensea) February 20, 2022
OpenSea confirmed that the platform's smart contracts are the target of this attack, and it appears the attacker is using smart contract 0xa2c0946aD444DCCf990394C5cBe019a858A945bD to perpetrate this crime. According to Twitter user Jon_HQ, the smart contract is interacting with OpenSea's new exchange contract and then selling stolen NFTs to others to pull Ethereum out. The thief's wallet currently holds over 640 ETH, amounting to $1.7 million. Jon_HQ strongly urges any users who interacted with the new OpenSea contract to revoke token approvals immediately.
Another prominent crypto Twitter user 0xfoobar believes the hacker is indeed taking advantage of a phishing attack launched several weeks ago, and is exploiting contracts right before all listings expire.
We now go to Dogecoin Cofounder Billy Markus for his take on the news:
anyhoo, i have no useful information or understanding of what is going on so i am a useless source of information, don’t listen to me — Shibetoshi Nakamoto (@BillyM2k) February 20, 2022
carry on panicking or doing nothing pic.twitter.com/AmTTtf9dbU
— Jom Cromor the Rum Thief (@JomCromor) February 17, 2022
This isn't the first time the crypto space has been victimized by theft and hacking, with Crypto.com getting hit just last month. Many investors are paying close attention to the NFT space, and tonight's problems at the world's largest NFT marketplace are cause for concern, but it is entirely possible that users clicked a bad link in a well-crafted phishing email. Either way, tonight's incident highlights the challenges cryptocurrency markets and NFT marketplaces face as new entrants like the NYSE and GameStop prepare to enter the fight.
Calling it now. — ℭ𝔶𝔭𝔥𝔯.Ξ𝔱𝔥 (@CyphrETH) February 20, 2022
The hacker used a standard phishing email copying the genuine #Opensea one sent out a few days ago, then got a number of people to sign permissions with WyvernExchange.
No exploit, just people not reading sign permissions as normal. pic.twitter.com/bQj5JCzp6B
The above tweet from CyphrETH appears to include a screenshot of the phishing email. It seems that some users may have accidentally signed a permission for the hackers.
This article is only meant for educational purposes, and should not be taken as investment advice. Please consider your own investment time horizon, risk tolerance, and consult with a financial advisor before acting on this information.
Asif Khan posted a new article, OpenSea NFT marketplace phishing exploit leads to theft from some user accounts
Maybe when they see my already-empty wallet they’ll leave me some ETH instead
"um, stolen? what do you mean? they changed hands via a legitimate transaction. it's all recorded on the blockchain, which is 100% secure and immutable and trustless. where did "stolen" come into it? hundreds of people simply decided to transfer their tokens simultaneously"