The best-known NFT sales platform reported a million-dollar NFT theft, in what would be the first cyberattack on this type of asset
The NFT (non-fungible token) platform OpenSea just fell victim to phishing. According to the company, the most recognized in the world for selling NFTs, cybercriminals stole $1.7 million worth of tokens.
However, the figure may be even higher and reach 2.9 million, given that the attackers started selling the stolen tokens on the same platform. This would be the first reported incident in this type of asset.
OpenSea released a statement saying that it is investigating a “phishing attack” which is believed to be no longer active at this time.
Initially, 32 affected users were reported, although this number was later reduced to 17 users.
In total, according to the security service PeckShield, 254 stolen NFTs were recorded, among them several from Decentraland and Bored Ape Yacht Club.
Phishing, the most common deception
It is a technique in which a fake email is usually sent to make the user believe that it is an official action of the platform.
When you enter your details, attackers gain access to your account and can steal your NFTs.
According to leaked screenshots, it would have been a supposed email from OpenSea asking users to migrate their NFTs from the site, but OpenSea denies this route.
Nadav Hollander, CTO (“Chief Technology Officer”) of OpenSea, described aspects of the attack. The migration to the new Wyvern 2.3 system is at the heart of the matter, as this would have been the excuse used by the attackers.
The CTO of OpenSea clarified that “no malicious actions related to this were performed, so they understand that the attack was carried out before the migration” and pointed out that “instead of taking advantage of a flaw in the Wyvern protocol, it was an attack on a chosen target”.
Devin Finzer, OpenSea's CEO, explained that the tricked users signed a partial contract, with blanket permission and large blank spaces.
With this signature, the attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without making any payment.
In short, as described by the CEO of OpenSea, users were tricked into signing a “blank check”.
What has not yet been confirmed is the mechanism by which the phishing deception was carried out.