The world’s largest NFT (non-fungible token) marketplace, OpenSea on Sunday confirmed that it has been hit by a phishing attack and at least 32 users had lost their valuable NFTs worth $1.7 million (R25.6m).
OpenSea co-founder and chief executive Devin Finzer acknowledged the phishing attack, confirming that 32 users had lost NFTs so far.
He said rumours that this was a $200m hack are false and the attacker “has $1.7 million of ETH (Ethereum) in his wallet from selling some of the stolen NFTs.
While the NFT marketplace was yet to figure out the magnanimity of the cyberattack, blockchain investigator PeckShield said they suspect a possible leak of user information (including email IDs) that fuelled the phishing attack.
“We are actively investigating rumours of an exploit associated with OpenSea-related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website,” the NFT marketplace posted in a tweet.
The hack happened as OpenSea announced a new smart contract upgrade, with a one-week deadline to delist inactive NFTs on the platform.
The smart contract upgrade required users to migrate their listed NFTs from ETH blockchain to a new smart contract.
Within hours after OpenSea’s upgrade announcement, reports across multiple sources emerged about an ongoing attack that targets the soon-to-be-delisted NFTs.
“We don’t believe it’s connected to the OpenSea website. It appears 32 users so far have signed a malicious payload from an attacker, and some of their NFTs were stolen,” Finzer posted.
The OpenSea chief executive urged affected users to directly message him on Twitter.
The phishing attack on NFT marketplace occurred as the UK tax authority last week seized three NFTs, as part of a probe into a £1.4m (R28.7m) fraud case, the BBC reported last Monday.
The authority said it was the first UK law enforcement agency to seize an NFT.
Her Majesty’s Revenue and Customs also seized £5 000 worth of crypto assets, alongside three NFT artworks, which have yet to be valued.