The attack no longer appears to be active, as 'there has been no activity on the malicious contract for over 15 hours'
254 NFTs, including tokens from Decentraland and Bored Ape Yacht Club, were stolen over roughly three hours
Attack also no longer appears to be active, as there has been no activity for over 15 hours
OpenSea, the world’s largest marketplace for non-fungible tokens (NFTs), said a cyberattack had affected it, and at least 17 users had lost NFTs, worth $1.7 million.
The attack no longer appears to be active, as there has been no activity on the malicious contract for over 15 hours, the company said.
Initially, the company said 32 of its users were affected; however, it was later revised to 17.
“Our original count included anyone who had interacted with the attacker, rather than those who were victims of the phishing attack,” OpenSea tweeted on Monday.
The attack, which took place between 5 PM and 8 PM ET, stole 254 NFTs, including tokens from Decentraland and Bored Ape Yacht Club, a spreadsheet compiled by the blockchain security service PeckShield showed.
Possible causes of attack
While New York-based NFT marketplace was yet to figure out the extensivity of the cyberattack, Peckshield tweeted that it suspects a possible leak of user information that fuelled a phishing attack.
Phishing is one of the social engineering, where an attacker dupes a victim into opening an email, instant message, or text message, tricking them into revealing sensitive information, including login credentials and credit card details.
However, on Twitter, OpenSea CEO Devin Finzer linked one explanation to the probable cause of the attack and said it is “consistent with our current internal understanding.”
The explanation said the attacker had targets sign a partial contract, with a general authorization and large portions left blank. With the signature in place, attackers completed the contract with a call to their own, which transferred the NFTs without payment.
Finzer on Twitter said the attacks had not originated from OpenSea’s website, its various listing systems, or any emails from the company. The rapid pace of the attack — hundreds of transactions in a matter of hours — suggests some common vector of attack, but so far, no link has been discovered.
Last Thursday, the U.S. Department of Justice (DoJ) said it is forming a Virtual Asset Exploitation Unit, which will be a part of the National Cryptocurrency Enforcement Team (NCET) and will serve the Federal Bureau of Investigation (FBI).
While NCET investigates criminal uses of digital tokens carried out by crypto exchanges, coin mixers, and other entities engaged in money laundering, the new FBI unit will support law enforcement at domestic and international levels of government.
OpenSea is the world’s largest NFT marketplace platform and has become one of the most valuable companies in the crypto sector after a recent $300 million investment round valuing it at $13.3 billion.
The company provides a platform for users to list, browse, and bid on NFTs without interacting directly with the blockchain.
It has seen $3.77 billion of trading volume in the last 30 days, according to data from DappRadar.