{"id":58133,"date":"2022-02-20T16:22:38","date_gmt":"2022-02-20T14:22:38","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=58133"},"modified":"2025-09-04T15:15:10","modified_gmt":"2025-09-04T12:15:10","slug":"opensea-launches-investigation-into-user-nft-theft","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/opensea-launches-investigation-into-user-nft-theft\/","title":{"rendered":"OpenSea launches investigation into user NFT theft"},"content":{"rendered":"<p>The NFT marketplace OpenSea has launched an investigation into rumors of an exploit related to its smart contracts. The company said this was a phishing attack \u2014 no issues on the platform&#8217;s side have been found.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea\u2019s website. Do not click links outside of <a href=\"https:\/\/t.co\/3qvMZjxmDB\">https:\/\/t.co\/3qvMZjxmDB<\/a>.<\/p>\n<p>\u2014 OpenSea (@opensea) <a href=\"https:\/\/twitter.com\/opensea\/status\/1495211277097996290?ref_src=twsrc%5Etfw\">February 20, 2022<\/a><\/p><\/blockquote>\n<p> <script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cWe are actively investigating rumors about an exploit related to OpenSea\u2019s smart contracts. It appears to be a phishing attack originating from outside sources. Do not follow links outside opensea.io,\u201d the statement says.<\/p>\n<\/blockquote>\n<p>On Friday, February 18, the OpenSea smart contract was restarted. 
The initiative aims to remove old sale listings from the platform and close a <a href=\"https:\/\/u1f987.com\/en\/news\/opensea-reimbursed-users-affected-by-a-vulnerability-to-more-than-1-9-million\">vulnerability<\/a> that allowed some tokens to be purchased at prices from months earlier, even if they did not appear in the marketplace\u2019s interface.<\/p>\n<p>On February 19, reports appeared online about thefts of users\u2019 non-fungible tokens. There were rumors about a $200 million hack, but OpenSea co-founder Devin Finzer denied this. According to him, there is $1.7 million in ETH at the attacker\u2019s address, obtained from selling part of the stolen NFTs.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Importantly, rumors that this was a $200 million hack are false. The attacker has $1.7 million of ETH in his wallet from selling some of the stolen NFTs.<\/p>\n<p>\u2014 Devin Finzer (dfinzer.eth) (@dfinzer) <a href=\"https:\/\/twitter.com\/dfinzer\/status\/1495273300876042240?ref_src=twsrc%5Etfw\">February 20, 2022<\/a><\/p><\/blockquote>\n<p> <script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>According to Finzer, the incident affected at least 32 users. PeckShield analysts published a list of stolen NFTs; the document lists 253 items. 
Among these assets are tokens from Bored Ape Yacht Club, Azuki, CloneX, Mutant Ape Yacht Club and others.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Here is the list of NFTs stolen in <a href=\"https:\/\/twitter.com\/opensea?ref_src=twsrc%5Etfw\">@opensea<\/a> phishing incident<a href=\"https:\/\/t.co\/s9OmiJu2m3\">https:\/\/t.co\/s9OmiJu2m3<\/a> <a href=\"https:\/\/t.co\/xE1tFJnDMK\">pic.twitter.com\/xE1tFJnDMK<\/a><\/p>\n<p>\u2014 PeckShieldAlert (@PeckShieldAlert) <a href=\"https:\/\/twitter.com\/PeckShieldAlert\/status\/1495281343927767040?ref_src=twsrc%5Etfw\">February 20, 2022<\/a><\/p><\/blockquote>\n<p> <script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<div class=\"wp-block-text-wrappers-update-2 article_update\"><time class=\"gtb_text-wrappers_update_time\">21 February 2022 | 11:20<\/time><span class=\"gtb_text-wrappers_update_head\">Update: <\/span>\n<p>OpenSea narrowed the list of those affected from 32 to 17. It now includes only users whose NFTs were actually stolen.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">1) We\u2019ve narrowed down the list of impacted individuals to 17, rather than the previously mentioned 32. Our original count included anyone who had *interacted* with the attacker, rather than those who were victims of the phishing attack.<\/p>\n<p>\u2014 OpenSea (@opensea) <a href=\"https:\/\/twitter.com\/opensea\/status\/1495625884514066433?ref_src=twsrc%5Etfw\">February 21, 2022<\/a><\/p><\/blockquote>\n<p> <script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>According to the marketplace, the attacker&#8217;s address has been inactive for the last 15 hours. The investigation continues, according to OpenSea representatives.<\/p>\n<\/div>\n<p>The OpenSea investigation is not yet complete, but the company has already drawn some conclusions. 
According to Finzer, the project team is confident that the tokens were stolen as a result of a phishing attack outside the platform. <\/p>\n<p>The co-founder of the marketplace <a href=\"https:\/\/twitter.com\/dfinzer\/status\/1495302786811981825?s=20&#038;t=f8-ry1B-Lw9lpM0MtRBrqw\">emphasized<\/a> that the company ruled out the following attack vectors:<\/p>\n<ul class=\"wp-block-list\">\n<li>a breach of OpenSea&#8217;s mail server;<\/li>\n<li>compromise of the platform&#8217;s website, including tools for buying, selling or listing items;<\/li>\n<li>compromise of the new Wyvern 2.3 smart contract;<\/li>\n<li>compromise of the token-migration tool to the new contract.<\/li>\n<\/ul>\n<p>Finzer explained that the attacker has already stopped the attack. He pledged to share information about the incident with users as the investigation progresses.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">While the attacker stopped >4 hours ago, our investigation is ongoing. We\u2019ll keep you updated as we learn more about the exact nature of the phishing attack. If you have specific information that could be useful, please DM <a href=\"https:\/\/twitter.com\/opensea_support?ref_src=twsrc%5Etfw\">@opensea_support<\/a>.<\/p>\n<p>\u2014 Devin Finzer (dfinzer.eth) (@dfinzer) <a href=\"https:\/\/twitter.com\/dfinzer\/status\/1495302792554024964?ref_src=twsrc%5Etfw\">February 20, 2022<\/a><\/p><\/blockquote>\n<p> <script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>PeckShield also reported that tokens were stolen during the phishing attack. Experts say users were sent fake messages about migrating NFTs to a new smart contract. 
Signing the transaction reached through the link in those emails resulted in the theft of assets.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Though unconfirmed, the <a href=\"https:\/\/twitter.com\/opensea?ref_src=twsrc%5Etfw\">@opensea<\/a> hack is most likely phishing. Users authorize the \u201cmigration\u201d as instructed in the phishing email and the authorization unfortunately allows the hacker to steal the valuable NFTs\u2026 <a href=\"https:\/\/t.co\/Fj5d9ImC2r\">pic.twitter.com\/Fj5d9ImC2r<\/a><\/p>\n<p>\u2014 PeckShield Inc. (@peckshield) <a href=\"https:\/\/twitter.com\/peckshield\/status\/1495211650860785665?ref_src=twsrc%5Etfw\">February 20, 2022<\/a><\/p><\/blockquote>\n<p> <script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThe only question left for OpenSea is whether there was a data leak of user information (for example, email addresses) that allowed the phishing to proceed,\u201d PeckShield added.<\/p>\n<\/blockquote>\n<p>EthHub co-founder and <a href=\"https:\/\/u1f987.com\/en\/news\/ethereums-london-hard-fork-goes-live\">EIP-1559<\/a> co-author Eric Conner suggested that the attack on the marketplace could have looked like this:<\/p>\n<ul class=\"wp-block-list\">\n<li>Four weeks ago, the attacker prepared a phishing attack or a smart contract;<\/li>\n<li>Since then, he tricked victims into signing valid orders and permissions;<\/li>\n<li>The hacker did not use them, believing the attack would be noticed quickly;<\/li>\n<li>The migration to the new contract prompted him to wrap up the scam.<\/li>\n<\/ul>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">So, the approvals were done legit on opensea by those exploited but the signatures they signed gave the hacker access to fill malicious orders.<\/p>\n<p>\u2014 Eric \u2310\u25e8-\u25e8 (@econoar) <a href=\"https:\/\/twitter.com\/econoar\/status\/1495215825002786816?ref_src=twsrc%5Etfw\">February 20, 2022<\/a><\/p><\/blockquote>\n<p> <script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>A developer using the handle 0xfoobar warned that a single malicious signature could \u201crug\u201d all of a user\u2019s NFTs approved on the platform.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">A single malicious signature can rug *all* of your approved OpenSea NFTs. No need to sign an individual sell order for each one, as originally assumed.<\/p>\n<p>This is how today\u2019s hacker stole 10 Azukis, 8 mfers, and 3 mutant apes in a single transaction, with a single sig. <a href=\"https:\/\/t.co\/kJQgidthFM\">pic.twitter.com\/kJQgidthFM<\/a><\/p>\n<p>\u2014 foobar (@0xfoobar) <a href=\"https:\/\/twitter.com\/0xfoobar\/status\/1495324659604144131?ref_src=twsrc%5Etfw\">February 20, 2022<\/a><\/p><\/blockquote>\n<p> <script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>He believes the phishing attack was carried out several weeks ago and that the attacker decided to finish it before the old listings expired. 0xfoobar explained that all stolen tokens were minted on the first version of the contract.<\/p>\n<p>The developer advised users to revoke any permissions granted to OpenSea. 
He stressed that the platform\u2019s code contains no vulnerabilities.<\/p>\n<p>In February 2022, Binance chief Changpeng Zhao <a href=\"https:\/\/u1f987.com\/en\/news\/cz-warns-binance-clients-about-a-large-scale-phishing-sms-campaign\">warned clients about a sweeping phishing campaign<\/a>.<\/p>\n<p>Read ForkLog&#8217;s bitcoin news on our <a href=\"\/\/telegram.me\/forklog\" target=\"_blank\" rel=\"nofollow noopener\">Telegram<\/a> \u2014 cryptocurrency news, prices and analysis.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The NFT marketplace OpenSea has launched an investigation into rumors of an exploit related to its smart contracts. The company said this was a phishing attack \u2014 no issues on the platform&#8217;s side have been found.<\/p>\n","protected":false},"author":1,"featured_media":58134,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1154,1213,1265],"class_list":["post-58133","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-crimes","tag-nft","tag-opensea"],"aioseo_notices":[],"amp_enabled":true,"views":"29","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/58133","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=58133"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/
58133\/revisions"}],"predecessor-version":[{"id":58135,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/58133\/revisions\/58135"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/58134"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=58133"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=58133"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=58133"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}