The largest NFT exchange globally, OpenSea, has evidently had what one can describe as a public relations nightmare over the course of the last twenty-four hours. The company has been targeted by hackers, who have successfully stolen a number of digital art pieces from users on the platform.
The story itself continues to develop, with mixed reports on what in particular actually happened. Initially there were numerous theories on what specifically was occurring, including an exploit in a new contract, an issue with X2Y2, or a sophisticated phishing scam assembled by the hackers. Over the last several hours, it appears that the latter is the theory being promoted by most within the NFT community.
Trouble for OpenSea began on Saturday night, when NFTs began to be stolen from users on the exchange. The thefts reportedly followed an email that users received, asking them to migrate their Ethereum listings to a new smart contract, free of gas fees (think service charges, but for crypto-related transactions). Once they clicked the link in the email, however, they were redirected to a fake page that appeared as OpenSeas.io, enabling hackers to steal the art in question.
We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of https://t.co/3qvMZjxmDB.
— OpenSea (@opensea) February 20, 2022
OpenSea, to its credit, had a notice up within hours on both its website and its social media channels alerting users to the issue. The firm’s CEO, Devin Finzer, also posted a lengthy Twitter thread outlining what the firm reportedly knew at the time.
We have confidence that this was a phishing attack. We don’t know where the phishing occurred, but we’ve been able to rule out a number of things based on our conversations with the 32 affected users. Specifically:
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
While initial reports indicated that the hack was widespread, it turns out that the scam largely affected just 32 users, with the hack not originating at OpenSea, as per the company. The company, however, stated that it is unaware of anyone affected clicking links in suspicious emails, while outlining that a number of items on the website were “not a vector for the attack,” including minting, buying, selling or listing items, using the listing migration tool, and clicking on the site banner.
Furthermore, as of 3:00 AM EST today, they were working to narrow down common websites used amongst those affected. A more recent update at the time of writing has not yet been provided.
Outside the company, those in the industry have been busy highlighting potential weak points within the system, such as Dan Guido, who wrote, “The security of web3 platforms depend entirely on wallets with universally poor security UX, and there’s very little the platforms can do about it.”
Here's the most correct recap of what's happening with OpenSea right now.
— Dan Guido (@dguido) February 20, 2022
tl;dr The security of web3 platforms depend entirely on wallets with universally poor security UX, and there's very little the platforms can do about it. https://t.co/065hiXtQ53
Others are still suspecting that the phishing was conducted via an email, which was sent to those that primarily had large wallets worth significant sums of money. Those affected then made significant noise within the NFT community, causing widespread panic to ensue.
Update on OpenSeas Phishing scam — Only whale wallets were targeted and those whales exaggerated the level of breach..creating panic in the market $SHIB $BTC $ETH $ELON pic.twitter.com/fF0HO6GSrg
— Spacey (@SpaceDemonDD) February 20, 2022
🚨 NFT EXPLOIT 🚨
— charliemarketplace.eth (@charliemktplace) February 20, 2022
@opensea hack is BAD – This guy tornado'd into a fresh wallet 12/30, made a weird contract call on Jan 22nd to OpenSea's contract (etherscan down of course, so I can't investigate calldata…) — and now he's pulled 18 (and counting) batches of NFTs…. pic.twitter.com/gDIYiR8eG9
That being said, there are numerous reports that certain NFTs have been returned. In one instance, an NFT from the Bored Ape Yacht Club, a popular series of NFT art, was the only NFT stolen from a user while all other NFTs were returned. Collectively, the hacker’s wallet is said to be worth approximately $2.0 million as of last night in ETH, with some of the stolen art already having been resold.
So the hacker sent back my pudgy penguins. the disrespect lmao
— TheKingGully 👑 (@thekinggully) February 20, 2022
While a final update on the situation has not been provided by the company, it has nevertheless enabled social media to do its thing.
HAHAH I had to share this 😭😭
— Baldy (@Baldyloxthrifts) February 20, 2022
Saw this off another post, but genuinely dying
What Openseas security system looks like pic.twitter.com/hLA5tZLwMM
BREAKING: Authorities say this female hip-hop artist is a person of interest in the massive OpenSea hack pic.twitter.com/G6U04YCeo8
— Trung Phan 🇨🇦 (@TrungTPhan) February 20, 2022
OpenSea has been hacked. Great news for the City of Vancouver, perhaps all the scammers and scamees can return to the CSE!
— SmallCapSteve (@smallcapsteve) February 20, 2022
*BREAKING NEWS*
— Chamath's Neglected Legs (@John10510) February 20, 2022
OpenSea has been hacked.
NFT owners are furiously right click saving their portfolios to slow the carnage
Information for this briefing was found via OpenSea, Vice, and Twitter.