OpenSea users complained about a phishing attack that resulted in countless stolen non-fungible tokens, according to PeckShield. At the same time, the NFT marketplace said it was investigating these “rumors,” and any attack was not related to its website.
Reports started to emerge earlier from OpenSea users who saw unsettling behavior in their accounts.
Shortly after, the blockchain security company PeckShield alerted that there was an ongoing phishing attack, requesting clients to authorize the migration to another OpenSea website promising to be gas-free.
The team behind the marketplace said they were “actively investigating rumors of an exploit,” adding that the incident was indeed a phishing attack “originating outside of OpenSea’s website.”
Company co-founder Devin Finzer also weighed in on the matter, later on, indicating that 32 users have “signed a malicious payload from an attacker, and some of their NFTs were stolen.”
As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
Finzer further asserted that the team believes the attack had stopped as there were no more reports of phishing emails. Additionally, he refuted rumors that there were $200 million stolen from the platform. Their internal estimations showed that the perpetrator sold some NFTs worth $1.7 million of ETH for now.
PeckShield provided a list of the allegedly stolen NFTs, according to which there’re hundreds of ERC721 purloined digital artworks and dozens of ERC1155 ones swiped from users.
Some of those include Bored Ape Yacht Club (BAYC), Azuki, Farm Land by Pixels, and more.