A hacker was able to steal $1.7 million worth of NFTs from the popular online NFT marketplace OpenSea over the weekend. The NFTs were stolen from users on the marketplace who had fallen victim to a phishing scam.
OpenSea co-founder and CEO Devin Finzer said Sunday that the hacker was able to trick 32 of its customers into authorizing the transfer of their stored NFTs. The company is still trying to determine how the hacker had managed to trick the users into signing the malicious payload granting authority for the transfer of the NFTs.
The company assured its existing customers that it was still safe to mint, buy, list, and sell NFTs on the website, adding that the theft did not mean that its network and systems were compromised. The company believes that phishing may have occurred outside the website. OpenSea said it is still conducting an investigation into the incident.
The theft occurred as the company was migrating to its new Wyvern smart contract system. The migration began on Friday and will be completed on Feb. 25. The company ruled out that the migration was related to the attack and that its website was in any way compromised.
In a post on social media, Finzer revealed that none of the victims had clicked on any suspicious links or emails, clicked on any links of the websites, or used any of the website's migrating tools when the attack happened. Finzer said its migration system to the Wyvern contract system was still safe to use for all users.
The company is reportedly working closely with the victims of the theft to narrow down how the hacker was able to compromise their accounts. The investigation will include tracking down the common websites the victims had used, which might result in finding the process of how they were tricked into authorizing the transfers.
Finzer said the company would keep everyone in the community updated on any new findings, including the nature of the phishing attack.
OpenSea's chief technology officer, Nadav Hollander, published the findings of his initial assessment of the hack in a post published on Sunday. Hollander echoed Finzer's initial comments, stating that the hack had nothing to do with its migration to the new Wyvern contract system. He added that the authorization of the NFT transfers had occurred before the migration.
Hollander said because of the number of victims and how quick the heist was made, he believes that the victims may have been targeted. He reassured customers that the incident was not a systemic issue.
