As many as 32 OpenSea users lost hundreds of NFTs valued at USD 1.7 million on February 19 in a phishing attack.
“We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen,” said OpenSea CEO and co-founder Devin Finzer.
Finzer said the hacker “has USD 1.7 million of ETH in his wallet from selling some of the stolen NFTs.” Some of the stolen NFTs had been returned.
The attack took place when OpenSea was updating its contract systems. The contract upgrade to delist inactive NFTs on the platform came with a one week deadline. A few hours into OpenSea announcing its upgrade, news emerged of attackers hacking the to-be-listed NFTs. However, OpenSea has denied the attack originated from the new contracts.
Peckshield, a blockchain security service, estimated as many as 254 tokens were stolen, including NFTs from Decentraland and the Bored Ape Yacht Club. OpenSea is the world’s largest NFT marketplace with a valuation of USD 13 billion as of January.