OpenSea, one of the largest NFT marketplaces on the internet, was attacked by hackers on Saturday, 19th February.
On Friday, 18th February, OpenSea launched a new smart contract. A malicious player immediately copied and re-sent OpenSea’s broadcasted email notifying users. Those who opened the copycat email were directed to a copycat webpage. There, they were prompted to sign a seemingly legitimate transaction that, allegedly, would move their NFTs from the old to the new contract.
Instead, clicking “Sign” triggered a function called “atomicMatch_.” which stole their NFTs in one transaction.
On 20th February, several OpenSea users noticed their NFTs were missing. (NFTs are digital tokens stored on the blockchain that represent ownership over virtual assets, such as digital drawings or music)
About an hour after the NFTs went missing, OpenSea tweeted that the phenomenon appeared “to be a phishing attack originating outside of OpenSea’s website.”
Phishing is the act of sending fraudulent emails purporting to be from reputable organizations in a bid to induce individuals to reveal personal information, such as passwords and credit card numbers.
At first, OpenSea’s CEO Devin Finzer reported that 32 OpenSea users had fallen victim to the ruse, and that figure turned out to be overshot. On Monday 21st February, he clarified that the “original count included anyone who had *interacted* with the attacker, rather than those who were victims of the phishing attack.”
In summary, 250 NFTs were stolen from just 17 users.
Nonetheless, many details of the attack remain unclear; the method attackers used to get targets to sign the fake contract, where the attack originated from, and more.
Please visit us @GoSpeedHub on Facebook, Instagram, and Twitter for more information.
Image Source – Opeasea
