More than two dozen of OpenSea's users have been left without access to their most valuable digital tokens because of a phishing attack. There was panic on the platform when someone stole hundreds of NFTs.
We have confidence that this was a phishing attack. We don’t know where the phishing occurred, but we’ve been able to rule out a number of things based on our conversations with the 32 affected users. Specifically:
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
The attacker targeted 32 accounts and obtained 254 tokens, according to a spreadsheet. NFTs from the Bored Ape Yacht Club and Azuki collections were stolen. Molly White, creator of the Web3 is Going Great blog, estimated the haul at
OpenSea's co-founder and CEO said in a post early Sunday morning that the company has confidence the attack was a phishing attack.
OpenSea determined that its website was not a target for the attack and that no one exploited a previously unknown vulnerability in the platform.
We reached out to OpenSea for comment.
Attacker calls their own contract with calldata including the valid order AND address + transfer calldata for all the NFTs the target has approved on the wyvern (opensea) contract.
— Neso (@Nesotual) February 20, 2022
The attack likely took advantage of the Wyvern Protocol, an open-source standard used by many Web3 platforms. Those targeted in the campaign may have signed a partial agreement that allowed the attacker to transfer the NFTs without changing hands. The scenario presented by the thread was in line with our current understanding of the situation.
The attack couldn't have come at a worse time for OpenSea. The company asked people to migrate their assets on Friday after introducing a new smart contract. It has been the subject of recent controversy, starting with an employee who resigned for using insider information to profit on NFT drops, and then more recently over the prevalence of fake, plagiarized or spammed tokens on its platform.