The largest NFT exchange globally, OpenSeas, has evidently had what one can describe as a public relations nightmare over the course of the last twenty four hours. The company has been targeted by hackers, whom have successfully stolen a number of digital art pieces from users on the platform.
The story itself continues to develop, with mixed reports on what in particular actually happened. Initially there were numerous theories on what specifically was occurring, including an exploit in a new contract, an issue with X2Y2, or a sophisticated phishing scam assembled by the hackers. Over the last several hours, it appears that the latter is the theory being promoted by most within the NFT community.
Trouble for OpenSeas began on Saturday night, when NFT’s began to be stolen from users on the exchange. The thefts reportedly followed an email that users received, asking them to migrate their Ethereum listings to a new smart contract, free of gas fees (think service charges, but for crypto-related transactions). Once they clicked the link through the email however, they were redirected to a fake page that appeared as OpenSeas.io, enabling hackers to steal the art in question.
OpenSeas, to its credit, within hours had a notice up on both its website as well as its social media channels alerting users of the issue. The firms CEO, Devin Finzer, also had a lengthy Twitter thread outlining what the firm reportedly knew at the time.
While initial reports indicated that the hack was widespread, it turns out that the scam largely affected just 32 users, with the hack not originating at OpenSeas, as per the company. The company however stated they are unaware of anyone affected clicking links in suspicious emails, while outlining that a number of items on the website were “not a vector for the attack,” including minting, buying, selling or listing items, using the listing migration tool, and clicking on the site banner.
Furthermore, as of 3:00 AM EST today, they were working to narrow down common websites used amongst those affected. A more recent update at the time of writing has not yet been provided.
Outside the company, those in the industry have been busy highlighting potential weak points within the system, such as Dan Guido, whom outlined “The security of web3 platforms depend entirely on wallets with universally poor security UX, and there’s very little the platforms can do about it.”
Others are still suspecting that the phishing was conducted via an email, which was sent to those that primarily had large wallets worth significant sums of money. Those affected then made significant noise within the NFT community, causing widespread panic to ensue.
That being said, there are numerous reports that certain NFT’s have been returned. In one instance, an NFT from the Bored Ape Yacht Club, a popular series of NFT art, was the only NFT stolen from a user while all other NFT’s were returned. Collectively, the hackers wallet is said to be worth approximately $2.0 million as of last night in ETH, with some of the stolen art already having been resold.
While a final update on the situation has not been provided by the company, it has nevertheless enabled social media to do its thing.
Information for this briefing was found via OpenSeas, Vice, and Twitter. The author has no securities or affiliations related to this organization. Not a recommendation to buy or sell. Always do additional research and consult a professional before purchasing a security. The author holds no licenses.
