Almost 12 hours ago, leading NFT marketplace OpenSea confirmed its team was investigating a potential exploit related to its smart contracts. The platform claimed it was attacked by a phishing strategy that apparently “originated outside” of its website.
At the time, users were advised to avoid opening links outside of OpenSea’s main website. The platform is yet to publish a full report on the situation, but its CEO Devin Finzer stated that a bad actor managed to trick as many as 32 users to sign a “malicious payload” and was able to steal “some of their NFTs”.
The attacker apparently used a standard email and copied a message sent by the marketplace to its users during the past weeks. The message was a deceptive strategy to hide the malicious order, its recipient was required to migrate their listings before February 25th by proceeding, the user provided the attacker with the aforementioned payload signature.
This is how the bad actor was able to take control over the user’s NFTs and trade them with Wyvern Exchange, according to speculations. A decentralized exchange running on Ethereum, Wyvern enables people to trade any asset on this network without any third-party intervention. Finzer said:
Importantly, rumors that this was a $200 million hack are false. The attacker has $1.7 million of ETH in his wallet from selling some of the stolen NFTs.
The attacker was able to steal NFTs from different collections, such as Lil Baby Punk, Azuki, Syn City Genesis Passes, Doodles, FOMO MOFOS, CloneX, PXQuest Adventurer, and others. Per security firm SlowMist, the hacker used decentralized protocol Tornado Cash to cash out 1115 ETH.
The attack could have opened a new threat to NFT investors, as stated by pseudonym developer foobar:
A single malicious signature can rug *all* of your approved OpenSea NFTs. No need to sign an individual sell order for each one, as originally assumed. This is how today’s hacker stole 10 Azukis, 8 mfers, and 3 mutant apes in a single transaction, with a single sig.
OpenSea Attacker Potentially Discovered
OpenSea, as mentioned, is yet to reveal any more information or an official report on the phishing attack. However, a pseudonym user shared a diagram, supposedly made by the team from OpenSea, in which they identified a potential suspect.
Going by the name “Amir Soliman”, the pseudonym user asked crypto exchanges Kraken and Coinbase to check for potential KYC information. Per the potential evidence presented by this user, the hacker was linked to these exchanges due to 19 small transactions in ETH made to their platforms.
Updated Diagram – Looks Like OpenSea has tagged Amir Soliman as a suspect…👀 – That was fast!! @krakensupport@CoinbaseSupport – check DMs, I can provide PDF copies of this so you can review tx hashes as well. The Coinbase linkage is most obvious, but there’s more. pic.twitter.com/5JYQ0h1q3p
The nature of these transactions or the identity of a suspect is yet to be confirmed by the NFT marketplace. In the meantime, any information must be taken with a grain of salt and considered speculation, but it would appear the transactions were part of the phishing attack preparation process.
As for the victims of this attack, except those to whom their NFTs were returned, the monetary value of their assets could be restored, but the uniquely minted NFT with a potential sentimental value might be lost forever.
