OpenSea CEO confirms hacker has stolen $1.7 million in NFTs
Blockchain analysis company PeckShield has discovered 254 non-fungible tokens (NFTs) were stolen as a result of an unknown attack.
OpenSea confirmed the attack, with CEO Devin Finzer tweeting that the hacker had made $1.7 million from selling the NFTs, but stressed that rumours that “this was a $200 million hack are false.”
PeckShield states that at least 254 NFTs were stolen; however, some of them have since been returned.
Mintable, OpenSea’s rival platform, found and purchased three of the NFTs on NFT marketplace LooksRare and is looking to return them to their owners.
It’s probable that the hacker used a phishing email to mislead the victims into signing partial digital contracts sanctioning the trades, and then completed the contracts to transfer the stolen tokens to an address which they controlled.
This comes after OpenSea published an article about its planned contract migration. The hackers allegedly took advantage of the upgrade process to scam NFT users, taking the same email from OpenSea and resending it to the OpenSea victims.
OpenSea’s chief technical officer Nadav Hollander said that 32 users having their NFTs stolen over a “relatively short time period…suggests a targeted attack as opposed to a systemic issue.”
Cyber security group Check Point Research (CPR) said that it saw “that the wallet had over $2 million worth of Ethereum, at one point, from selling some of the stolen NFTs.” However, Check Point Research has said that the amount has since risen to over $3 million.
Oded Vanunu, head of products vulnerability research at Check Point Software, advised: “Many websites and projects request permanent access to your NFTs by sending you a transaction to sign. This transaction will give the websites/projects access anytime they want to your NFT unless you un-approve the transaction. Signing a transaction is similar to giving someone permission to access all your NFTs and cryptocurrencies.”
He added that NFT users should “pay extra attention to where and when you sign a transaction. We don’t recommend clicking on links from emails no matter who the sender is; always try to find the same information on the website provider.”