Hundreds of NFTs stolen from OpenSea wallets - here's what you need to know


Hundreds of non-fungible tokens (NFTs) have been stolen from the accounts of OpenSea users after a series of successful phishing attacks, it has emerged.

The NFT marketplace was alerted to the issue over the weekend when a handful of customers discovered tokens missing from their wallets. Word of the incident quickly spread, causing a stir in the NFT community.

In an attempt to calm the panic, OpenSea chief executive Devin Finzer took to Twitter, explaining that the attacks were not the result of a security vulnerability in the platform, but rather a phishing campaign targeting NFT owners.


A list compiled by blockchain security company PeckShield suggests that more than 250 NFTs were stolen, including items from popular collections such as Bored Ape Yacht Club. Although some have since been recovered, wallet analysis shows the stolen tokens have earned the attacker roughly $1.7 million in sell-on value.

OpenSea NFTs stolen

NFTs are representations of digital properties such as images or videos, often described as digital collectibles. What makes them different from traditional collectibles (for example, Fortnite skins) is that each NFT has a distinct signature that demonstrates its uniqueness and allows for ownership of the associated asset to be verified and traced.

Once the plaything of an enthusiast minority, NFTs now change hands for many millions of dollars over platforms like OpenSea, which is itself valued at $13 billion.

Inevitably, the valuations of the NFTs exchanged over OpenSea and the notoriety of the marketplace have attracted increased attention from hackers. In the last few months, the company has had to close off security bugs that allowed hackers to purchase NFTs for well below value and create malicious tokens that could drain the crypto wallets of victims.

Now, OpenSea is facing down another security issue, the details of which remain murky.

“Our team has been working around the clock to investigate the specific details of this phishing attack,” explained OpenSea via its official Twitter account.

“We’ve narrowed down the list of impacted individuals to 17, rather than the previously mentioned 32. Our original count included anyone who had interacted with the attacker, rather than those who were victims of the phishing attack.”

However, the precise mechanism of the attack remains unclear. Early signs point towards a manipulation of the Wyvern Protocol on which most NFT smart contracts are built. According to a Twitter thread referenced by Finzer, the attacker tricked the victims into signing half of a Wyvern order, allowing for their NFTs to be transferred to a new wallet without payment.

Finzer says there is no evidence the affected users had been targeted via email, and the identity of the website used to facilitate the attack remains a mystery.

The advice for concerned OpenSea users is to “double check you are interacting with opensea.io in your browser when you sign messages” and to “un-approve access to your NFT collection” via Etherscan.
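Acting on the un-approve advice starts with knowing which operators still hold collection-wide approval over a wallet's tokens. The sketch below is an added example, not code from OpenSea or Etherscan: it replays ERC-721 `ApprovalForAll` events, supplied as constructed and already-decoded records, and lists the approvals still in force. The record field names, the addresses and the helper names are all assumptions made for illustration.

```python
# Added illustration: audit collection-wide NFT approvals for one wallet.
# Records mirror the ERC-721 ApprovalForAll(owner, operator, approved) event;
# the dict layout and every address below are constructed placeholders.

def addr(byte_hex):
    """Build an obviously fake 20-byte address such as 0xa1a1...a1."""
    return "0x" + byte_hex * 20

WALLET = addr("a1")
COLLECTION_X, COLLECTION_Y = addr("c1"), addr("c2")
MARKET_PROXY, UNKNOWN_OPERATOR = addr("e1"), addr("e2")

SAMPLE_EVENTS = [  # constructed sample, deliberately out of chain order
    {"block": 130, "log_index": 0, "collection": COLLECTION_X,
     "owner": WALLET, "operator": MARKET_PROXY, "approved": False},
    {"block": 100, "log_index": 2, "collection": COLLECTION_X,
     "owner": "0x" + "A1" * 20, "operator": MARKET_PROXY, "approved": True},
    {"block": 110, "log_index": 1, "collection": COLLECTION_Y,
     "owner": WALLET, "operator": UNKNOWN_OPERATOR, "approved": True},
    {"block": 110, "log_index": 0, "collection": COLLECTION_Y,
     "owner": WALLET, "operator": UNKNOWN_OPERATOR, "approved": False},
    {"block": 115, "log_index": 3, "collection": COLLECTION_Y,
     "owner": addr("b2"), "operator": UNKNOWN_OPERATOR, "approved": True},
]

def outstanding_approvals(events, wallet):
    """Return sorted (collection, operator) pairs still approved for wallet."""
    wallet = wallet.lower()
    state = {}
    # Replay in chain order: the last event per pair decides the current state.
    for ev in sorted(events, key=lambda e: (e["block"], e["log_index"])):
        if ev["owner"].lower() != wallet:  # hex addresses vary in letter case
            continue
        state[(ev["collection"].lower(), ev["operator"].lower())] = ev["approved"]
    return sorted(pair for pair, approved in state.items() if approved)

def unexpected_approvals(events, wallet, expected_operators):
    """Outstanding approvals whose operator is not one the owner recognises."""
    expected = {op.lower() for op in expected_operators}
    return [(c, o) for c, o in outstanding_approvals(events, wallet)
            if o not in expected]

if __name__ == "__main__":
    for collection, operator in unexpected_approvals(
            SAMPLE_EVENTS, WALLET, [MARKET_PROXY]):
        print("review and revoke:", collection, "->", operator)
```

Anything the audit reports is a candidate for revocation; an approval that was granted and later revoked does not appear, because only the most recent event per collection and operator counts.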

TechRadar Pro has asked OpenSea whether it has plans to put in place measures to prevent users from falling victim to similar phishing scams in future.

Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.
