On the 19th of February 2022, users of the OpenSea platform noticed some strange activity. An attacker appeared to be using OpenSea’s new exchange contract to steal NFTs worth millions of dollars. To date, the attacker has stolen some of the most popular and expensive NFTs in the world from their owners and had sold $700k in stolen NFTs.
Not all smart contracts had the same problem, so the activity was not caused by a problem in the contracts. It was a hidden phishing attack instead. The attacker appeared to be calling an OS contract that had been running for four years, using real atomicMatch data from a helper contract that had been running for 30 days before that.
Half an hour after users first became aware of the activity, OpenSea confirmed it in a tweet, saying that the event seemed to be an external phishing attack. Visitors were warned not to follow any links in the message that took them away from the official website.
Later, at about 11 p.m. EST, Devin Finzer, co-founder and CEO of OpenSea, took to Twitter to explain what had happened. Confirming internal investigations, Finzer said that at least 32 people had signed a harmful payload from the attacker in the phishing effort. As for the company, he said that they were still searching for answers. “We are not aware of any recent phishing emails that have been sent to users, but at this time we do not know which website was tricking users into maliciously signing messages,” he said.