OpenSea says 32 users had NFTs stolen as part of a targeted phishing campaign that scammed them into signing malicious smart contracts
Emails purporting to be from the NFT marketplace about a planned smart contract migration may have been a phishing attack. Source: @dfinzer, @opensea, and @xanderatallah.
CoinDesk · Will Gottsegen
Related Coverage
- $1.7 million in NFTs stolen in apparent phishing attack on OpenSea users The Verge · Russell Brandom
- A Hacker Is Actively Stealing High-Value NFTs From OpenSea Users VICE · Jordan Pearson
- Opensea CEO Dismisses $200 Million Hack Rumor, Claims Incident Was a Phishing Attack Bitcoin News · Terence Zimwara
- View article CryptoSlate
- View article The Metacoin Occasionally
- Phishing on the Opensea — On February 9, 2021, an unidentified scammer used a phishing attack … Dirty Bubble Media
- Threat actors stole at least $1.7M worth of NFTs from tens of OpenSea users Security Affairs · Pierluigi Paganini
- Scam artists swindle NFTs worth ‘millions’ in OpenSea phishing attack ZDNet · Charlie Osborne
- Hundreds of NFTs stolen from OpenSea wallets - here's what you need to know TechRadar · Joel Khalili
- ‘Hacker’ Steals NFTs ‘Worth’ Millions From Opensea Users Kotaku · Luke Plunkett
- OpenSea Probes NFT Phishing Attack, Co-Founder Says Bloomberg · Ambereen Choudhury
- OpenSea users lose hundreds of NFTs in likely phishing attack Engadget · Igor Bonifacic
- View article crypto.news
- 32 OpenSea users have their NFTs stolen and flipped for a total of $3 million by a phishing scammer Web3 is going just great · Molly White
- $1.7 Million Worth Of NFTs Stolen In Phishing Attack Ubergizmo · Tyler Lee
- Phishing scam: NFTs Worth $1.7M Stolen from OpenSea Users HackRead · Deeba Ahmed
- OpenSea Confirms Phishing Hack, Values Loss at $1.7 Million Coinspeaker · Ibukun Ogundare
- View article PC Gamer
- OpenSea Investigates NFT Phishing Attack PYMNTS.com
- Hundreds of NFTs stolen in phishing attack targeting OpenSea users SiliconANGLE · Duncan Riley
- NFT marketplace OpenSea is investigating a phishing hack CNBC · Jessica Bursztynsky
- NFTs worth $1.7M stolen via OpenSea phishing attack AppleInsider · Malcolm Owen
- OpenSea NFT Hack Exposes Web3 Self-Custody Risks Crypto Briefing · Chris Williams
- OpenSea Hacker Steals Mass Amounts of Ethereum Ausheat Crypto · Volkfreedom
- OpenSea Phishing Attack Causes Concern in Hot NFT Market Crowdfund Insider · JD Alois
- OpenSea Investigates High-Profile NFT Thefts PCMag · Nathaniel Mott
- Phishing Attack Tricks 32 OpenSea Users Out of 254 NFTs Slashdot · EditorDavid
- OpenSea suffers phishing attack, users lose NFTs CoinJournal · Benson Toti
- OpenSea Hack: NFTs Worth Millions Stolen From Users Crypto Daily · Amara Khatri
- OpenSea Admits Phishing Attack On Its Platform, 32 Users Affected InsideBitcoins.com · Ali Raza
- OpenSea is investigating rumors of a multi-million dollar NFT exploit The Block · Frank Chaparro
- View article Decrypt
- Nearly $2 Million In ETH Stolen From OpenSea Users In Latest ‘Phishing Attack’ ZyCrypto · Newton Gitonga
- OpenSea planned upgrade stalls as phishing attack targets NFT migration Cointelegraph · Arijit Sarkar
- OpenSea Rugging - Critical Crypto Breakdown · Matthew
- OpenSea Says Phishing Attack Likely Caused ‘Small Number’ of Users To Lose Access to NFTs The Daily Hodl
- OpenSea CEO Devin Finzer Responds to $1.7 Million Phishing Attack Decrypt · Kate Irwin
- NFT marketplace OpenSea falls victim to phishing attack Tamebay · Lauren
- Crypto Price Crash Panic: Serious NFT ‘Hack’ Suddenly Sends Bitcoin, Ethereum, BNB, Solana And Cardano Sharply Lower Forbes · Billy Bambrough
- OpenSea Investigating Rumors Of NFT Exploit, Suspects Phishing Attack Benzinga · Bibhu Pattnaik
- OpenSea CEO: $1.7M phishing not from the NFT marketplace Forkast · Lachlan Keller
Discussion
-
@opensea
@opensea
on x
We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of https://opensea.io/.
-
@dfinzer
Devin Finzer
on x
I know you're all worried. We're running an all hands on deck investigation, but I want to take a minute to share the facts as I see them:
-
@xanderatallah
@xanderatallah
on x
Update: we still believe this was a phishing attack, and it impacted 32 users 2 hours ago. A thread on the latest updates: https://twitter.com/... Another thread with some technical details: https://twitter.com/... We'll continue monitoring, and posting updates.
-
@opensea
@opensea
on x
The new contract is live! Start migrating your listings now: https://opensea.io/...
-
@peckshield
@peckshield
on x
Though unconfirmed, the @opensea hack is most likely phishing. Users authorize the “migration” as instructed in the phishing email and the authorization unfortunately allows the hacker to steal the valuable NFTs... https://twitter.com/...
-
@jon_hq
@jon_hq
on x
It appears that an attacker is using smart contract 0xa2c0946aD444DCCf990394C5cBe019a858A945bD to interact with OpenSea's new exchange contract (v2) I am very unsure how this is working or what is being exploited but it seems that OpenSea's new contract is absolutely rugged. htt…
-
@dguido
Dan Guido
on x
In a strange win for transparency, even user-focused phishing attacks are public on the blockchain. Here's the unlucky 19 victims of tonight's attack: https://twitter.com/...
-
@joeuchill
Joe Uchill
on x
Web3 is decentralized as long as you only click links on one website. https://twitter.com/...
-
@axecapya
Lawrence
on x
So @opensea released a migration option yesterday and today there are rumors and mass panic in the NFT spaces from users that wallets are being drained of “assets”. 😳 Users are also saying their newly migrated assets are the ones being hit. https://twitter.com/...
-
@mikeburgersburg
@mikeburgersburg
on x
This is what a hack looks like 👀 X2Y2 or something else, 578 Ethereum (~$1.7 million) transferred from dozens of wallets through @opensea to a hacker. In addition to possibly millions worth of #NFTs... https://twitter.com/... https://twitter.com/...
-
@carnage4life
@carnage4life
on x
Combination of smart contracts that are actually executable code and phishing has hit OpenSea users this afternoon. Question now is whether validly signed smart contracts and immutable transactions on the blockchain makes reversing these transactions impossible? This is painful. …
-
@dfinzer
Devin Finzer
on x
For more technical context, this thread (https://twitter.com/...) is consistent with our current internal understanding.
-
@ajfromdiscord
@ajfromdiscord
on x
HEY EVERYONE. I CONNECTED WITH A FEW OTHER PEOPLE WHO GOT HACKED JUST NOW. ALL OF US ONLY HAVE ONE THING IN COMMON. ALL OF OUR STOLEN NFT'S WERE ONES WE MANUALLY MIGRATED ON OPENSEA. @opensea you have so much explaining to do now.
-
@coindesk
@coindesk
on x
In the wake of a series of viral tweets from panicked traders, NFT marketplace @OpenSea says it's investigating “rumors of an exploit” connected to its smart contracts - a vulnerability that may have cost users valuable tokens. @lil_smush reports https://www.coindesk.com/...
-
@bitboy_crypto
Ben Armstrong
on x
LMAO I CAN'T EVEN RIGHT NOW 😂😂😂😂 😂😂😂😂 😂 Daily reminder @opensea is run by admitted scammers. What did you expect was going to happen? Going to have a field day with this one https://twitter.com/...
-
@dfinzer
Devin Finzer
on x
As far as we can tell, this is a phishing attack. We don't believe it's connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.
-
@isotile
@isotile
on x
🏴‍☠️ OPENSEA NFT HACK EXPLAINED THREAD 🏴‍☠️ 28 days ago the hacker uploads a new smart contract, he already knows well that his goal is to get as many signatures as possible 🧵 1/4 https://twitter.com/...
-
@nesotual
@nesotual
on x
Seen confusion about the OS thing so. Attacker had people sign half of a valid wyvern order, the order was basically empty except the target (attacker contract) and calldata, attacker signs other half of order.
-
@pluggedinn
@pluggedinn
on x
BREAKING: Over $200,000,000 worth of NFTs have been stolen from OpenSea via an email phishing hack. https://twitter.com/...
-
@0xfoobar
@0xfoobar
on x
🚨 NFT EXPLOIT 🚨 The hacker is using a helper contract deployed 30 days ago, to call an OS contract deployed 4 years ago, with valid atomicMatch() data. Likely a signature phishing attack from several weeks back, the attacker is exploiting now before all listings expire. https://t…
-
@dfinzer
Devin Finzer
on x
Another update: over the last few hours we've talked to dozens of people, teams, and projects across the NFT space. https://twitter.com/...
-
@mekkaokereke
@mekkaokereke
on x
No, it's really not funny that even a software engineer at Opensea and former Google engineer, was allegedly scammed in the Opensea event. It just shows how unrealistic it is to expect average users to not lose it all in an instant with no recourse. This is real people's money.
-
@nadavahollander
Nadav Hollander
on x
1) Sharing a technical run-down of the phishing attacks targeting @OpenSea users, including some web3 technical education. 👇
-
@dfinzer
Devin Finzer
on x
We have confidence that this was a phishing attack. We don't know where the phishing occurred, but we've been able to rule out a number of things based on our conversations with the 32 affected users. Specifically:
-
@lazulcapital
@lazulcapital
on x
Software engineer @opensea fell for the phishing attack https://twitter.com/...
-
@dfinzer
Devin Finzer
on x
This attack did not originate on https://opensea.io/.
-
@tha_rami
Rami Ismail
on x
They centralized authority for the decentralized authority-less scam because while that wasn't the promise, the scam was useless without centralized authority - and then the centralized authority of the decentralized authority-less scam turned out to be easy pickings for scams ht…
-
@eevee
@eevee
on x
um, stolen? what do you mean? they changed hands via a legitimate transaction. it's all recorded on the blockchain, which is 100% secure and immutable and trustless. where did “stolen” come into it? hundreds of people simply decided to transfer their tokens simultaneously https:/…
-
@alexstamos
Alex Stamos
on x
We can't get people to use MFA or patch, but this seems like a completely reasonable system for normies to invest their life savings. https://twitter.com/...
-
@iwriteok
Robert Evans
on x
some good news https://twitter.com/...
-
@jsoabove
Janelle Belgrave L.Ac
on x
I'm so confused by this era of owning imaginary things while being robbed of real money. https://twitter.com/...
-
@byyourlogic
@byyourlogic
on x
I do legitimately feel bad for people here. there's obviously a ton of hucksters in any blockchain thing, as well as people who can stand to lose $. but you've also got people who just bought into hype and maybe thought they could escape their shitty jobs and now they're screwed …
-
@dfinzer
Devin Finzer
on x
Interaction with an OpenSea email is not a vector for attack. In fact, we are not aware of any of the affected users receiving or clicking links in suspicious emails.
-
@nadavahollander
Nadav Hollander
on x
- 32 users had NFTs stolen over a relatively short time period. This is extremely unfortunate, but suggests a targeted attack as opposed to a systemic issue.
-
@caseynewton
Casey Newton
on x
There is simply never a dull moment on the blockchain https://www.coindesk.com/...
-
@cryptofelixx
Crypto Felix
on x
To be safe, do not migrate any listings on @opensea atm until this is sorted out. https://twitter.com/...
-
@carnage4life
@carnage4life
on x
Using Ethereum for NFTs reminds me of using XML for web services in the 2000s. The use case was real but the technology was totally inappropriate and created a ton of unnecessary complexity. Eventually we figured this out & now use JSON which gives most benefit minus complexity.
-
@grummz
@grummz
on x
Urging all users to “learn 2 code” to protect themselves from NFT hacks is not going to work for mass adoption and protecting consumers at large. Big friction point for smart contract crypto. https://twitter.com/...
-
@carnage4life
@carnage4life
on x
Web3 developers will eventually start asking themselves, why do users need to run a stored procedure (smart contract) in the context of their wallet to sell or buy a JPEG? An activity you could perform with no such risk on the Neopets website in 1999.
-
@austen
Austen Allred
on x
Wife: “[Name] wants me to ask you if he should start investing in NFTs.” Me: “Is the password for his MacBook still ‘password’?” Wife: “I think so, why?” Me: “He should not be investing in NFTs.”
-
@coinerstakingls
@coinerstakingls
on x
Lightning about to strike twice https://twitter.com/...
-
@jarnomn
Jarno Niemela
on x
My prediction: various smart contract abuse is going to be office macros of 2020s. It's going to take years before the space is even close to secure. https://twitter.com/...
-
@mdudas
Mike Daodas
on x
really good, informative, prompt response from @opensea's ceo https://twitter.com/...
-
@nadavahollander
Nadav Hollander
on x
- None of the malicious orders were executed against the new (Wyvern 2.3) contract, indicating that they were signed before the migration and are unlikely to be related to OpenSea's migration flow.
-
@carnage4life
@carnage4life
on x
Crypto bros defining decentralization to mean anything written down in an append-only, uneditable database (aka a blockchain) is the only truth is both a fundamental misunderstanding of the word and a recipe for ongoing disasters. https://twitter.com/...
-
@carnage4life
@carnage4life
on x
For a while the industry tried to treat this unnecessary complexity as a feature by building on it with XSD, XSLT, XPath, WSDL, SOAP, etc but it eventually came crashing down. We're seeing the same thing with smart contracts & blockchain for simple problem of licensing & signing
-
@mikeburgersburg
@mikeburgersburg
on x
FULL STORY: “Phishing on the Opensea” - Victims tricked into signing “blank check” buy order - Stolen NFTs sold via Opensea, LooksRare, and SushiSwap - 1100 Eth ($3 mil) sent to Tornado Cash - Who is to blame? https://dirtybubblemedia.substack.com/ ...
-
@fintechfrank
Frank Chaparro
on x
The OpenSea team was working at least until 3am last night trying to get to the bottom of what was most likely a phishing attack that resulted in millions of dollars worth of NFTs being swiped from its platform https://twitter.com/...
-
@nadavahollander
Nadav Hollander
on x
- All of the malicious orders contain valid signatures from the affected users, indicating that they did sign an order somewhere, at some point in time. However, none of these orders were broadcasted to OpenSea at the time of signing.
-
@kanakhey
@kanakhey
on x
great explanation yet like 2000 people in the world understand it web3 products are riddled with language like this—the friction to simply enjoy and support nfts is absurdly high https://twitter.com/...
-
@dfinzer
Devin Finzer
on x
While the attacker stopped >4 hours ago, our investigation is ongoing. We'll keep you updated as we learn more about the exact nature of the phishing attack. If you have specific information that could be useful, please DM @opensea_support.
-
@antsstyle
@antsstyle
on x
“The monkey is mine because it's on BLOCKCHAIN! Nobody could ever steal it!” Meanwhile, OpenSea's code is insecure... and on top of that its users are falling for phishing emails, good luck solving any of that with blockchain 😂 https://www.vice.com/... https://www.vice.com/... ht…
-
@levie
Aaron Levie
on x
@Carnage4Life Another complicated one is the coordination complexity of having to route all your major changes through users because they hold the keys. For anything on-chain, this is essentially going back to on-prem and loses the agility of cloud. https://twitter.com/...
-
@ysiu
Yat Siu
on x
1/ In light of the recent phishing attacks @opensea particular as it relates to stolen #NFTs something that happened to my son not too long ago; a guide on what options are available to you based on our own experiences that might be helpful to victims https://twitter.com/...🧵 👇
-
@molly0xfff
Molly White
on x
@polotek did you see this one last night, which was QTed by the opensea CEO? https://twitter.com/... i was reading through it trying to figure out if an opensea contract was at fault at all and was like “right, right, the signed half wyvern order and the contract atomicmatch...”
-
@pbump
Philip Bump
on x
You, new at this: NFTs made art-buying digital Me, familiar with crypto: NFTs made art theft digital https://www.vice.com/...
-
@josephmdurso
Joey D'Urso
on x
This is just so dumb. On the biggest, most “legit” NFT platform there is, subject to a huge hack. If NFT people want to be taken seriously they need to sort out the fact that their world is now a byword for scams and fraud on a massive scale. https://twitter.com/...
-
@mikeburgersburg
@mikeburgersburg
on x
NEW: “Phishing on the Opensea” - Victims tricked into signing “blank check” buy order - Stolen NFTs sold via Opensea, LooksRare, and SushiSwap - 1100 Eth ($3 mil) sent to Tornado Cash - Who is to blame? @Bitfinexed @ncweaver @DoombergT @SilvermanJacob https://dirtybubblemedia.sub…
-
@dao_joker
Joker
on x
I'm the one who was hacked. I participated in the conversation with @OpeenSea They are well aware that they are trying to solve the case. But please keep in mind all possibilities. All communities, including #BAYC #CloneX #Azuki #mfers are watching the current situation. https://…
-
@nick_craver
Nick Craver
on x
Turns out you can sign a blank check on a blockchain too: https://twitter.com/...
-
@opensea
@opensea
on x
We are continuing to investigate the phishing attack that was reported last night. We'll be giving updates from this account throughout the day today. ICYMI, this thread from our CEO has the latest on what we know: https://twitter.com/...
-
@jesseltaylor
@jesseltaylor
on x
A seventies-style sexy art heist caper, except Paul Newman sends an email and Robert Redford breathlessly describes the shitty ape art he's saving to a desktop folder https://twitter.com/...
-
@murderxbryan
@murderxbryan
on x
Why don't they just simply take the fake money back from the thieves by pressing delete until the number changes back to what it was before the people who stole the fake money took it and then email the owners another jpg of their favorite picture or whatever an nft is? https://t…
-
@iamnomad
@iamnomad
on x
4 yr old deploy contract.... https://twitter.com/...
-
@msuiche
@msuiche
on x
Incident Response seen by a web3 lens. Bookmarking it for later. https://twitter.com/...
-
@ncweaver
Nicholas Weaver
on x
The whole “approval contract” business will continue to produce hilarious results unless, well, unless never. It's a feature, not a bug. https://twitter.com/...
-
@nix_eth
Nix.Eth
on x
Lots of bad information floating around. Wait for facts, OS is doing a good job sifting through. As a victim I have felt well taken care of, multiple people at OS have reached out to check in and try to help ❤️ https://twitter.com/...
-
@gameofbitcoin
Gary
on x
With every passing minute it is looking like that the OpenSea attack was indeed due to phishing Always double triple check when signing for transactions and do not click on any random links https://twitter.com/...
-
@randizuckerberg
Randizuckerberg.Eth
on x
Being in crypto is like going to the most wild, fun party...and then stumbling out at 2am only to realize you're in one seriously sketchy neighborhood. Stay safe out there, everyone! https://twitter.com/...
-
@whet
Whet Moser
on x
art theft used to be cool, now it's like someone emails you an equation that takes your ape receipt https://twitter.com/...