Non-fungible token (NFT) marketplace OpenSea is investigating a phishing attack on Saturday that left 17 of its users without more than 250 NFTs, worth around $2 million.
NFTs represent data stored on a blockchain (Ethereum) that declares ownership of digital media files of artwork.
OpenSea is one of the world’s largest peer-to-peer NFT marketplaces (valued at $13.3 billion), which also enables trading rare digital items and crypto collectibles.
Phishing Attack
Researchers at IT security company Check Point said in a report on Monday that the threat actors knew about OpenSea upgrading its smart contract system to eliminate old and inactive listings on the platform and prepared for the migration with emails and websites of their own.
OpenSea informed its users that they had to update their listings between Feb. 18-25 in order to continue using the platform. To help users with this process, the platform sent all users emails with instructions on how to confirm the migration of the listings.
The hackers took advantage of this process and used their own email addresses to send out the message from OpenSea to validated users, deceiving them into thinking their original confirmation didn’t go through.
The link embedded into the fraudulent email directed victims to a phishing website, where they were prompted to sign a transaction, supposedly regarding the migration.
The transaction instead allowed the hackers to pass the NFT ownership to themselves.
According to Check Point, the hacker also executed a dry run on Jan. 21 to verify that the attack would work as intended.
OpenSea Uncompromised
OpenSea clarified that the attack didn’t exploit any vulnerabilities on the platform or its trading systems, but instead only relied on tricking users through phishing methods.
As a result, the platform advised users to remain cautious and avoid following any links that don’t belong to the opensea.io domain.
The phishing emails were also confirmed to originate from outside the platform, assuaging fears that the platform’s email distribution system had been compromised.
According to a tweet on Monday by OpenSea, the attack appears to have stopped, with the most recent transaction occurring on Sunday.