OpenSea is in the midst of figuring out an attack on its platform that, according to tweets by the company and its CEO, appears to be a phishing scheme. At some point yesterday, OpenSea stated that a phishing scam had caused 32 users to sign a malicious payload from an attacker and, unfortunately, some NFTs (non-fungible tokens) were stolen. At least some of the pilfered NFTs have been sold for around $1.7 million. OpenSea is the largest NFT marketplace in the world, backed by some of the biggest names in venture capital.
A caution statement on the OpenSea website states: “We’re continuing to investigate rumors of a phishing attack originating outside of OpenSea. Do not click links outside of opensea.io.”
Devin Finzer, CEO of OpenSea, reported that:
“Minting, buying, selling, or listing items using opensea.io is not a vector for the attack. In particular, signing the new smart contract (the Wyvern 2.3 contract) is not a vector for the attack.”
On Discord, OpenSea told users that it will NEVER contact them via DM to ask for ETH in exchange for verification, a blue check mark, or similar reasons, and that anyone contacted about this should report the sender to Discord: [email protected]
While the net impact of the phishing attempt appears to be minor, and will probably be recovered, the attack once again heightens the need for the digital asset sector to better manage scams, and the need for increased awareness among users that sometimes things are not what they seem to be. Events like this rattle not just platforms and users but also regulators and politicians, who are always keen to save people, mostly from themselves.
A thread on Twitter from at least one VC expressed caution about getting involved in the red-hot NFT sector, which has gone from nearly zero to stratospheric in a short amount of time.
No way I’d be getting heavily involved in NFTs after this, I’m sorry but too much uncertainty.
It’s a hot mess & the experts have no idea what’s happening. That’s terrifying, we’re talking real money.
— Brandon Brooks (@OfficialBBrooks) February 20, 2022
Other commentators indicated they had experienced minor scams, and some drew a parallel to the initial coin offering (ICO) craze that inevitably ended in disaster and tears.
Rapid growth in a new industry can drive participants to rush to release features and services that, unfortunately, may cut too many corners. While it seems that digital asset collectibles are here to stay, now is a good time for the industry to work together and create a self-regulatory group that solidifies best practices and transparency requirements before the feds step in and do it for them.
Update: OpenSea CTO Nadav Hollander has posted a thread on Twitter outlining a technical rundown of the attack. Hollander states that the information they have indicates that the NFTs were stolen over a short time period, suggesting a targeted attack as opposed to a systemic issue.
He added that even though it appears the attack was made from outside OpenSea, they are actively helping affected users and discussing ways to provide them assistance.
1) Sharing a technical run-down of the phishing attacks targeting @OpenSea users, including some web3 technical education.
— Nadav Hollander (@NadavAHollander) February 20, 2022