Nexo

Start Earning Up to 16% Interest Automatically

Learn More
Home » Analysis » OpenSea NFT Hack Exposes Web3 Self-Custody Risks

OpenSea NFT Hack Exposes Web3 Self-Custody Risks

by

Multiple OpenSea users had their NFTs swiped from their Ethereum wallets last night. Despite rumors of an exploit, OpenSea insists that a phishing attack is likely the root cause.

OpenSea NFT Hack Exposes Web3 Self-Custody Risks
Shutterstock cover by Zorik Galstyan

Key Takeaways

  • A hacker stole hundreds of NFTs from OpenSea users last night.
  • While a post-mortem report has not yet been published, OpenSea team has claimed that the hacker executed a phishing attack to steal the NFTs.
  • The incident is yet another reminder of the risks of self-custody in Web3.

Share this article

The hacker stole hundreds of high-value NFTs from sought-after collections like Bored Ape Yacht Club, Azuki, and NFT Worlds. 

OpenSea Users Targeted in NFT Hack 

A hacker stole millions of dollars worth of NFTs from OpenSea users last night. 

The attacker targeted an estimated 32 collectors on the top NFT marketplace and drained their Ethereum wallets. On-chain data posted by Peckshield shows that they stole over 250 pieces from high-value collections like Bored Ape Yacht Club, Doodles, Azuki, and NFT Worlds. Based on the floor prices for the collections, Crypto Briefing estimated the total haul to be worth over 1,000 Ethereum, or $3 million. The attacker’s wallet currently contains 641 Ethereum worth around $1.7 million, as well as a selection of the stolen NFTs. 

News of the attack first surfaced on Twitter late Saturday when users reported suspicious activity tied to their accounts. It was initially rumored that the exploit was linked to a smart contract that OpenSea users have been migrating their NFTs to over recent weeks. However, OpenSea pointed to a likely phishing attack. 

The team took to Twitter early Sunday to announce that it was “actively investigating” the rumors and that “a phishing attack outside of OpenSea’s website” was the probable cause. OpenSea CEO Devin Finzer said that the team was “running an all hands on deck investigation” and that the 32 affected users had suffered from a phishing attack. Earlier this morning, Finzer reiterated his belief that it was a phishing attack. “We have confidence that this was a phishing attack,” he wrote. The security analytics firm PeckShield also investigated the incident and shared the view that a phishing scam was likely the root cause. 

NFT Hack Exposes Web3 Risks 

Though a full post-mortem analysis is yet to be published, the Ethereum users foobar and isotile posted tweet storms detailing the attacker’s probable moves. On-chain data shows that they deployed a smart contract on Jan. 22 that used a call to OpenSea’s contract. It’s thought that they tricked users into signing a transaction that transferred their NFTs to the hacker’s wallet, likely by sending out an email that replicated the ones OpenSea sends out. Once they had duped a sufficient number of NFT collectors into signing the malicious transaction, they executed the attack to drain their wallets. While a phishing attack is still yet to be confirmed, the incident exposes the risks of using Web3, where signing any malicious Ethereum transaction can have disastrous consequences.

In recent months, many Bored Ape Yacht Club holders have lost their high-value NFTs in similar attacks after signing away their assets. As NFTs have attracted mainstream interest and their prices have soared, hackers have increasingly turned to the space to target collectors. Most of the affected OpenSea users have fallen victim to phishing attacks that tricked them into signing malicious contracts. For all of the benefits of self-custody wallets and decentralization, such attacks raise questions about whether crypto and NFTs are truly ready for mass adoption. Even when crypto holders use a hardware wallet to store their assets, they are not necessarily protected against smart contract scams. For collectors, NFT hacks like this one are a reminder of the importance of taking caution at all times in Web3, especially when it comes to checking emails and signing transactions. 

Disclosure: At the time of writing, the author of this feature owned ETH and several other cryptocurrencies. 

Share this article

The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.

Crypto Briefing may augment articles with AI-generated content created by Crypto Briefing’s own proprietary AI platform. We use AI as a tool to deliver fast, valuable and actionable information without losing the insight - and oversight - of experienced crypto natives. All AI augmented content is carefully reviewed, including for factural accuracy, by our editors and writers, and always draws from multiple primary and secondary sources when available to create our stories and articles.

You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.

See full terms and conditions.