Threat actors stole at least $1.7M worth of NFTs from tens of OpenSea users

Threat actors have stolen and flipped high-valued NFTs from the users of the world’s largest NFT exchange, OpenSea.

The world’s largest NFT exchange, OpenSea on Sunday confirmed that tens of some of its users have been hit by a phishing attack and had lost valuable NFTs worth $1.7 million.

The phishing attack was confirmed by OpenSea Co-Founder and CEO, Devin Finzer, he also added that 32 users have lost NFTs.

Another update: over the last few hours we’ve talked to dozens of people, teams, and projects across the NFT space. https://t.co/fB5r3cMA1r

— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022

The analysis of the attacker’s walled revealed it contained $1.7 million of ETH (Ethereum) obtained by selling some of the stolen NFTs. Finzer pointed out that the company doesn’t believe the hack is connected to the OpenSea website.

Blockchain records show that the attacker was able to transfer numerous NFTs from different users to their address for free. Stolen NFTs included examples from the Bored Ape Yacht Club, Mutant Ape Yacht Club, and several other popular collections. The attacker has already sold some of the NFTs, for example, this NFT from the Azuki collection for 13.4 ETH ($36,380). The attacker’s wallet currently contains more than 600 ETH worth nearly $2 million.” reported Motherboard.

According to the Blockchain security firm Peckshield the threat actors behind the OpenSea hack used TornadoCash fully decentralized protocol for private transactions on Ethereum to wash 1,100 ETH (approximately $2.7 million)

The @opensea scammer just made use of @TornadoCash to wash 1,100 ETH…https://t.co/eQCopgqx43 pic.twitter.com/8KB6QxBC8P

— PeckShield Inc. (@peckshield) February 20, 2022

According to PeckShield, threat actors may have launched a phishing campaign using the migration process as bait.

OpenSea is investigating rumors of an exploit associated with OpenSea related smart contracts that may have been exploited by attackers.

We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website. Do not click links outside of https://t.co/3qvMZjxmDB.

— OpenSea (@opensea) February 20, 2022

The attack was linked to the announcement of the marketplace of a new smart contract upgrade with a one-week deadline aimed at delisting inactive NFTs on the platform.

The new contract is live! Start migrating your listings now: https://t.co/W1w9ciCK2D

— OpenSea (@opensea) February 18, 2022

In order to upgrade the smart contract, users have to migrate their listed NFTs from ETH blockchain to a new smart contract. However, impacted users started reporting suspicious activities within hours after the upgrade announcement.

Finzer asked impacted users to get in contact with him via Twitter DM.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, NFT)

The post Threat actors stole at least $1.7M worth of NFTs from tens of OpenSea users appeared first on Security Affairs.

Recent Posts
Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text. captcha txt