Hacker Uses Phishing Attack To Steal $1.7 Million In NFTs From OpenSea

A hacker stole NFTs worth more than $1.7 million from OpenSea users using a phishing attack. 

The attacker stole 254 NFTs, including Decentraland and Bored Ape Yacht Club tokens.

The attacker tricked the targets into signing a partial contract, which gave the attacker complete control. For the targets, this was basically like signing a blank check.

The attacker tricked 32 victims into signing a malicious payload through a phishing attack. 

The payload then authorized the transfer of ownership of the NFTs to the attacker for free.

OpenSea Security

For context, OpenSea is one of the largest NFT marketplaces on the internet. 

The hackers exploited a vulnerability in the platform’s new Wyvern smart contract system. The system is used in many NFT smart contracts.

Since the NFT boom, OpenSea has become one of the most valued platforms in this industry. 

It provides a simple marketplace for users to list, browse, and bid on NFTs. However, this sudden success has come with some security risks.

The company has faced numerous vulnerabilities that let hackers steal from its users. 

The phishing attack occurred while OpenSea was migrating to the new Wyvern system. CEO Devin Finzer explained the phishing attack in a Twitter thread.

