This Sunday, February 20th, 2022 started with a general panic on the social networks. If the time is not yet certain, it would be several million dollars in NFT that would have been stolen during the last hours. The NFT Community and the OpenSea team are leading the investigation.
NFT stolen, Opensea adrift
It was on the night of Saturday, February 19 that the alert was launched. A user of the social network Twitter announced that several of his NFTs had been stolen. As part of a recent update, OpenSea asked its users to manually list their NFT collection on a new smart contract. This is where the “hack” seems to take root. This initiative was intended to combat scams and hijacking. It failed.
It was on the night of Saturday 19 February that the alert was launched. A user of the social network Twitter announced that several of his NFTs had been stolen.
It didn’t take long for the cryptosphere and the NFT Community to catch fire. Panic quickly spread as everyone wanted to know if their personal collection was likely to have been stolen. In search of answers and solutions, many theories emerged. Problem directly related to the OpenSea platform? hack? exploit? Some even speculated that it could have been a vindictive employee recently fired. One thing is for sure, many stolen NFTs were instantly sold and the funds were transferred to an address that collected more than 500 ETH in 10 minutes!
Phishing in troubled waters
In the hours following the initial alerts, new hypotheses emerged. Notably one: what if it was just a meticulously prepared phishing -phishing-? When OpenSea invited its users to learn about the contract migration, public announcements were made. And many of them received an email, which contained a malicious link.
The message contained in the email is exactly the same as the one used by OpenSea to present the update. The link refers to a platform identical to the official site where the user must manually migrate his NFT. One click and an authorization later, the victims have unknowingly signed a private sale for the benefit of the hacker.
According to the information gathered, this whole story is a well-prepared coup, and this for several weeks. The swindler would have used a support contract deployed 30 days ago. After collecting several signatures from different victims, he finally took action just before the expiration of the OpenSea lists.
While only a month ago, OpenSea was being publicly scorned after yet another hack, this new failure is setting the debate on fire. If the phishing attack is verified, the real culprit will be the one who signed authorizations without much verification. But if OpenSea’s responsibility is once again proven, it might be time for the platform to take off.