In a recent phishing scheme, 254 NFTs that have a $1.7 million value in Ethetreum cryptocurrency were stolen from 32 OpenSea users. NFTs are Non-Fungible Tokens that have become extremely popular. NFTs represent a certificate of ownership over a form of digital media using the digital ledger of blockchain. However, that doesn’t prevent people from being able to swindle others out of NFTs.
Typically, phishing refers to a fake message sent out and meant to trick people into giving out personal information like logins and passwords or even credit card details.
This specific attacker was able to use the flexible nature of the Wyvern Protocol that’s used by crypto commerce platforms like OpenSea, which is the largest NFT marketplace at the moment.
The phishing scheme saw users signing a partial contract that was then completed by the attacker and gave them access to ownership of the NFTs, including ones from Bored Ape Yacht Club and Decentraland. Then, the attacker would be able to sell them.
The attack can be described as similar to the original owners signing a blank check, and then the attackers were able to fill in the details and cash in. OpenSea was actually in the process of updating its current contract system when the attack happened, taking advantage of a vulnerability in the system.
Molly White of “Web3 is going great” blog, the attacker actually returned a few NFTs to their owners and gave one victim 50 Ethereum (worth $130,000). The attacker also transferred 1115 ETH (worth $2.9 million) that was obtained from the phishing attack.
Many of the details of the attack are not yet known, and on Twitter, OpenSea CEO Devin Finzer said: “We’ll keep you updated as we learn more about the exact nature of the phishing attack If you have specific information that could be useful, please DM @opensea_support.”