Fraudsters made another haul on Saturday when they stole 254 NFTs from the platform, including those issued by Decentraland and Bored Ape Yacht Club, according to blockchain security firm PeckShield.
It is thought threat actors exploited a glitch in the Wyvern Protocol, the technology that facilitates peer-to-peer exchange of NFTs, to trick legitimate owners into signing away the rights to their tokens without receiving payment.
The devious nature of the scam meant its victims were duped into putting their own digital signatures on the NFT transfers, essentially falling for a phishing attack. “I checked every transaction,” said one user going by the name of Neso, recently quoted in a report by the Verge. “They all have valid signatures from the people who lost NFTs, so anyone claiming that they didn’t get phished is sadly wrong.”
Confusion over victims and perpetrators
The thinking behind the attackers’ methodology – including getting victims to sign NFT smart contracts that were only half filled in – and the origins of the attack itself have yet to be fully explained. And, according to a statement it published on Twitter earlier today, OpenSea appears none the wiser at time of writing.
“Our team has been working around the clock to investigate the specific details of this phishing attack,” it said. “While we haven’t yet determined the exact source, we’ve narrowed down the list of impacted individuals to 17, rather than the previously mentioned 32. Our original count included anyone who had interacted with the attacker, rather than those who were victims of the phishing attack.”
An industry under siege
This kind of incident is nothing new for OpenSea, which, though valued at $13 billion and considered an integral part of the blockchain industry, has seen its platform repeatedly raided by scammers using outdated contracts or poisoned tokens – malware disguised as NFTs.
More from Cybernews:
Subscribe to our newsletter