Pirates Go Phishing On The OpenSea Marketplace, Raid Over $1.7M From Users
In what is turning into a continuing theme for 2022, attackers have stolen hundreds of NFTs, valued at over $1.7 million, from 32 OpenSea accounts by abusing the order-signing flow of the Wyvern smart-contract protocol that underpins OpenSea.
By Andrew Senior
February 21st, 2022
Devin Finzer, CEO of OpenSea, pointed to a phishing attack as the culprit and linked to a Twitter thread containing additional details. The attack, which took place during the morning of Sunday February 20, was achieved by convincing the holders of the 32 targeted accounts to sign a partial Wyvern order. Wyvern is the open-source exchange protocol on which OpenSea’s marketplace is built, and the order the victims signed was in reality an empty shell: its key fields were left blank, so the signature amounted to a general authorization. The scammers later completed those orders with a call to their own contract, transferring ownership of the NFTs to themselves without any payment.
“For more technical context, this thread [below] is consistent with our current internal understanding.” — Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
While initial explanations for the theft pointed to technical issues, human behaviour in the form of phishing now seems to be the cause. The OpenSea user Neso, who was the first to call attention to the smart contract exploit, posted that,
“I checked every [transaction], they all have valid signatures from the people who lost NFTs so anyone claiming they didn’t get phished but lost NFTs is sadly wrong.”
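Neso’s point is the crux of the incident: the victims’ signatures were valid, so the failure happened before the signature was produced, at the moment a user agreed to sign an order whose target, calldata and price were effectively blank. The following is an added example, not code from OpenSea, Wyvern or the researchers quoted here. It models a Wyvern-style order with a simplified field set (the struct layout is an assumption), computes the digest a signer commits to, and runs a pre-signing audit that flags the “empty shell” pattern described above. Python’s standard library has NIST SHA3-256 rather than Ethereum’s keccak-256, so SHA3-256 stands in for the hash here; the point is what the digest commits to, not the hash choice. The two sample orders and all addresses are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, replace

ZERO_ADDRESS = "0x" + "00" * 20
SIDE_BUY, SIDE_SELL = 0, 1


@dataclass(frozen=True)
class Order:
    # Simplified Wyvern-style order. The real struct has more fields (fees,
    # static calls, replacement patterns); this subset is an assumption made
    # for the example and is enough to show what a signature commits to.
    maker: str
    taker: str            # zero address = anyone may fill (normal for listings)
    side: int             # SIDE_BUY or SIDE_SELL
    target: str           # contract the order will call (the NFT contract)
    calldata: bytes       # call the order authorizes on `target`
    payment_token: str
    base_price: int       # in the payment token's smallest unit (wei for ETH/WETH)
    listing_time: int
    expiration_time: int  # 0 = never expires
    salt: int


def _addr(a: str) -> bytes:
    raw = bytes.fromhex(a[2:])
    if len(raw) != 20:
        raise ValueError(f"bad address {a!r}")
    return raw


def _u256(n: int) -> bytes:
    return n.to_bytes(32, "big")


def order_hash(o: Order) -> bytes:
    """Digest the maker signs. Every field is encoded canonically and dynamic
    bytes are hashed first, mirroring the EIP-712 approach (SHA3-256 stands
    in for keccak-256, which the stdlib does not provide)."""
    h = hashlib.sha3_256
    parts = [
        _addr(o.maker), _addr(o.taker), _u256(o.side), _addr(o.target),
        h(o.calldata).digest(), _addr(o.payment_token), _u256(o.base_price),
        _u256(o.listing_time), _u256(o.expiration_time), _u256(o.salt),
    ]
    return h(b"".join(parts)).digest()


def audit_order(o: Order) -> list[str]:
    """Pre-signing check: return codes for anything a seller should refuse
    to sign. An empty list means the order looks like an ordinary listing."""
    findings = []
    if o.target == ZERO_ADDRESS:
        findings.append("zero_target")      # commits to no specific contract
    if not o.calldata:
        findings.append("empty_calldata")   # commits to no specific action
    if o.side == SIDE_SELL and o.base_price == 0:
        findings.append("zero_price")       # gives the asset away
    if o.expiration_time == 0:
        findings.append("no_expiry")        # stays fillable indefinitely
    return findings


# Constructed sample data (not real addresses or transactions).
VICTIM = "0x" + "11" * 20
NFT_CONTRACT = "0x" + "22" * 20
WETH = "0x" + "33" * 20  # stand-in for a payment-token address
TRANSFER_FROM = bytes.fromhex("23b872dd")  # transferFrom(address,address,uint256)

# What a genuine listing looks like: specific contract, specific call, a price.
LEGIT_LISTING = Order(
    maker=VICTIM, taker=ZERO_ADDRESS, side=SIDE_SELL, target=NFT_CONTRACT,
    calldata=TRANSFER_FROM + _addr(VICTIM).rjust(32, b"\0") + b"\0" * 64,
    payment_token=WETH, base_price=2 * 10**18,
    listing_time=1645300000, expiration_time=1645900000, salt=1234,
)

# The shape of the "empty shell" the phishing page asked victims to sign.
EMPTY_SHELL = Order(
    maker=VICTIM, taker=ZERO_ADDRESS, side=SIDE_SELL, target=ZERO_ADDRESS,
    calldata=b"", payment_token=ZERO_ADDRESS, base_price=0,
    listing_time=0, expiration_time=0, salt=5678,
)


if __name__ == "__main__":
    for name, o in (("legitimate listing", LEGIT_LISTING), ("empty shell", EMPTY_SHELL)):
        print(f"{name}: digest={order_hash(o).hex()[:16]}... "
              f"findings={audit_order(o) or 'none'}")
    # The digest binds every field: a shell re-targeted after signing would
    # not verify, which is why the attacker needed the victim to sign the
    # shell itself rather than a normal listing.
    assert order_hash(replace(EMPTY_SHELL, target=NFT_CONTRACT)) != order_hash(EMPTY_SHELL)
```

The audit runs on the order as the wallet would present it, before any signature exists. A shell order is still a perfectly valid signed object once signed, which is exactly what Neso observed on-chain; the only place to stop it is the signing prompt.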
A litany of questions remains in the wake of the latest scam: how the attack started, how the OpenSea users were convinced by the scammers to sign an empty order granting a third party control of their assets, and what safeguards will be put in place to protect against future attacks. Finzer insists to users that the attack originated outside the company’s website, but the scale, efficiency and overall speed of the attack suggest there is more at play.
Several OpenSea users and multiple independent security researchers have pointed to a contract migration OpenSea is pushing through as the opening that made the attack possible: the scammers duplicated OpenSea’s template email announcing the migration and resent it to the victims.
The story has continued to develop with several odd turns. Several hours after the successful attack, some of the stolen NFTs were returned to their original owners, with one victim receiving an additional 50 ETH along with their missing NFT. Since then, 1,115 ETH associated with the heist has been transferred to a cryptocurrency tumbler, a service that mixes potentially identifiable or “tainted” cryptocurrency funds with others, obscuring any trail back to the funds’ original source.
Disclaimer: The information above does not constitute investment, financial, trading or any other sort of advice and you should not treat any of the content on this site as such. We do not recommend the purchase, sale, or holding of any cryptocurrency or other product. None of our content should be deemed an offer to purchase, sell, or hold a cryptocurrency or other product or service. Please consider doing your own research and prioritize consulting a certified financial professional before making any investment decisions.