OpenSea, the hub of blockchain, announced that it is investigating a scam targeting users of its non-fungible token (NFT) platform. According to CEO Devin Finzer, the hacker(s) carried out a phishing attack to steal several NFTs and had already sold a few for Ethereum worth $1.7 million.
The phishing attack on OpenSea
Devin confirmed that the hacker had tricked 32 victims into signing a malicious payload that authorized the transfer of their NFTs to the attacker for free. While the company is confident that this was a phishing attack, he explained that they didn’t know where the phishing had occurred.
For more technical context, this thread (https://t.co/oHGgA3wLHP) is consistent with our current internal understanding.
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
CEO Devin Finzer shared an explainer thread on Twitter describing the phishing attack. According to that thread, the attack had the victims signing half of a Wyvern order, a reference to an open-source standard typically used in NFT smart contracts. The order was effectively empty except for call data and a target of the attacker’s contract, with the victim signing one half and the attacker signing the other. After signing, the attacker calls their own contract listed in the double-signed order, which then starts the process of transferring the victim’s NFTs to the attacker.
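As an added illustration (not OpenSea's or Wyvern's code), a wallet-side check could flag an order shaped like the one described above before the user signs it. The field names assume the Wyvern v2 order layout, and the addresses and sample orders are constructed.

```python
# Added example: pre-signature review of an order-shaped message.
# Assumption: field names follow the Wyvern v2 order layout.
ZERO = "0x" + "00" * 20
# Fields that are expected to be populated even in a sparse order.
IGNORED = {"maker", "target", "calldata", "exchange", "salt"}

def is_blank(value):
    """True for the usual 'unset' encodings of a number, bytes or address."""
    return value in (None, 0, "", "0", "0x", ZERO)

def review_order(order, trusted_targets):
    """Return a list of warnings for an order a user is asked to sign."""
    findings = []
    target = str(order.get("target", ZERO)).lower()
    has_call = not is_blank(order.get("calldata", "0x"))

    # 1. The target is the contract that receives the call when orders match.
    if target not in {t.lower() for t in trusted_targets}:
        findings.append("target is not a known token or marketplace contract")

    # 2. A zero price means the asset changes hands for free.
    if int(order.get("basePrice", 0)) == 0:
        findings.append("base price is zero")

    # 3. Heuristic for "effectively empty except for call data and a target".
    others = {k: v for k, v in order.items() if k not in IGNORED}
    if has_call and others and all(is_blank(v) for v in others.values()):
        findings.append("order carries calldata but every other field is blank")

    return findings

# Constructed sample data (placeholder addresses, not real contracts).
TOKEN = "0x" + "11" * 20      # NFT contract on the user's allowlist
UNKNOWN = "0x" + "22" * 20    # contract the wallet has never seen
USER = "0x" + "33" * 20

SUSPICIOUS = {"maker": USER, "target": UNKNOWN, "calldata": "0xabcdef01",
              "basePrice": 0, "paymentToken": ZERO, "taker": ZERO,
              "feeRecipient": ZERO, "expirationTime": 0}
LISTING = {"maker": USER, "target": TOKEN, "calldata": "0xabcdef01",
           "basePrice": 10**18, "paymentToken": ZERO, "taker": ZERO,
           "feeRecipient": "0x" + "44" * 20, "expirationTime": 1645400000}

if __name__ == "__main__":
    for name, order in (("suspicious", SUSPICIOUS), ("listing", LISTING)):
        print(name, review_order(order, [TOKEN]))
```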
OpenSea launches customer support to fight scammers
Just a few days back, Metalink – OpenSea and NFT communications platform – announced a new partnership aimed at preventing social engineering attacks carried out through Discord DMs. OpenSea’s head of community Stevey Tromberg said in a statement: “Our goal is to create a direct channel for you to interact with OpenSea to get support, offer feedback, receive updates, and to share any other information that will help us better serve you.”