Hacker Actively Stealing High-Value NFTs From OpenSea Users

A hacker is actively stealing high-value NFTs from users on OpenSea, the world’s largest NFT exchange.

The exchange has put up a red banner at the top of its site that reads, “We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website. Do not click links outside of opensea.io.”

Scammers are taking advantage of a loophole in OpenSea: the exchange requires users who list NFTs on the site to upgrade to a new smart contract that fixes an issue with inactive listings.

The scammers are using this to swipe valuable NFTs from collectors on OpenSea for dirt cheap. According to some high-profile NFT users, a malicious actor is phishing people with fake pages, designed to look like the real deal, that prompt them to upgrade to that contract.

According to blockchain records, scammers have transferred a number of NFTs from various users to their own addresses for free. The stolen NFTs include examples from the Bored Ape Yacht Club, Mutant Ape Yacht Club, and several other popular collections. The scammers have also managed to sell some of the NFTs; one NFT from the Azuki collection was sold for 13.4 ETH ($36,380). The attackers have more than 600 ETH, worth nearly $2 million, in their wallets.

OpenSea did not respond to a request for information about the hack, though the news spread like wildfire on Twitter Spaces, with more than 3,700 listeners Saturday night.

There are signs of the hackers returning some of the bounties, like the BAYC NFT. The hackers returned all the NFTs except the BAYC, which is currently frozen on OpenSea; the attacker’s page on the marketplace similarly returns a 404.

Dan Guido, a security researcher, said in a tweet on Saturday night, “the security of web3 platforms depend entirely on wallets with universally poor security UX, and there’s very little the platforms can do about it.” He added that, “in a strange win for transparency,” it’s currently possible to see which NFTs have been stolen.
