Threat actors stole at least $1.7M worth of NFTs from tens of OpenSea users

Threat actors have stolen and flipped high-valued NFTs from the users of the world’s largest NFT exchange, OpenSea.

The world’s largest NFT exchange, OpenSea on Sunday confirmed that tens of some of its users have been hit by a phishing attack and had lost valuable NFTs worth $1.7 million.

The phishing attack was confirmed by OpenSea Co-Founder and CEO, Devin Finzer, he also added that 32 users have lost NFTs.

The analysis of the attacker’s walled revealed it contained $1.7 million of ETH (Ethereum) obtained by selling some of the stolen NFTs. Finzer pointed out that the company doesn’t believe the hack is connected to the OpenSea website.

“Blockchain records show that the attacker was able to transfer numerous NFTs from different users to their address for free. Stolen NFTs included examples from the Bored Ape Yacht Club, Mutant Ape Yacht Club, and several other popular collections. The attacker has already sold some of the NFTs, for example, this NFT from the Azuki collection for 13.4 ETH ($36,380). The attacker’s wallet currently contains more than 600 ETH worth nearly $2 million.” reported Motherboard.

According to the Blockchain security firm Peckshield the threat actors behind the OpenSea hack used TornadoCash fully decentralized protocol for private transactions on Ethereum to wash 1,100 ETH (approximately $2.7 million)

According to PeckShield, threat actors may have launched a phishing campaign using the migration process as bait.

OpenSea is investigating rumors of an exploit associated with OpenSea related smart contracts that may have been exploited by attackers.

The attack was linked to the announcement of the marketplace of a new smart contract upgrade with a one-week deadline aimed at delisting inactive NFTs on the platform.

In order to upgrade the smart contract, users have to migrate their listed NFTs from ETH blockchain to a new smart contract. However, impacted users started reporting suspicious activities within hours after the upgrade announcement.

Finzer asked impacted users to get in contact with him via Twitter DM.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, NFT)

[adrotate banner=”5″]

[adrotate banner=”13″]