OpenSea CEO Devin Finzer has responded to an apparent phishing scam that targeted its users in a US$1.7 million theft of popular non-fungible tokens (NFTs) such as Bored Ape Yacht Club and Azuki. 

Fast facts

  • “As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen,” the NFT marketplace chief tweeted on Sunday.
  • The phishing attack took over 640 ETH (US$1.7 million) in assets from 32 users, with NFTs located in a wallet now labeled Fake_Phishing5169.
  • The suspicious address also made transactions on rival marketplaces LooksRare and Rarible.
  • A phishing attack is the practice of sending out fraudulent communications posing as an official source with the intent to deceive users into disclosing sensitive information.
  • The attack coincided with the release of a new smart contract, Wyvern 2.3, designed to prevent a different type of exploit. OpenSea was asking users to migrate their listings at the time.
  • “The attack doesn’t appear to be active at this point — we haven’t seen any malicious activity from the attacker’s account in 2 hours. Some of the NFTs have been returned,” Finzer tweeted.