On February 19th, around 5pm, OpenSea users were stunned to find that certain wallets were being drained of valuable NFTs in an apparent phishing attack.
Suspicions quickly arose that an exploited flexibility in the Wyvern Protocol was responsible; however, the more likely explanation seems to be a phishing attack using the emails sent out by OpenSea to onboard users to their new contract.
Twitter users quickly rose to the speculative occasion, tracing the transactions and watching the activity. Over an hour after the attacks began, OpenSea put out a statement urging users to avoid clicking links outside of OpenSea, and they claim to be investigating the phishing attacks. A tweet by user foobar gives a detailed explanation of how the attack took place; however, many are still waiting to hear from OpenSea.
At the time of writing, 254 tokens have been stolen, including the likes of Bored Ape Yacht Club, Azuki and Decentraland. The attacker(s) have 1.7 million of ETH from sales of stolen NFTs in their wallet.
In response, the Twitter community quickly urged users to head to Etherscan to revoke all permissions, and in Spaces there was much talk of alternative platforms for NFT trading. Nifty Gateway is one to take note of, with their trading platform set to launch early this year. An announcement on their website shares: “Using existing Nifty Gateway infrastructure, we’ve built an experience that will allow you to buy and sell NFTs directly with your Ethereum wallet, while spending significantly less (up to 75% less!) on gas fees than you do on other marketplaces.” You can sign up for email updates on their website to receive news of this rollout.
Check back for updates as this story unfolds.