On Saturday, a phishing attack targeted 17 users of OpenSea, one of the major NFT markets, according to the company. The hack apparently resulted in the theft of over 250 NFTs worth at least $1.7 million.
A nonfungible token, or NFT, is a way of proving ownership of a digital asset. NFTs linked to digital art have been increasingly popular in recent months, owing to the involvement of high-profile personalities.
The attacker, or attackers, stole NFTs from OpenSea users over a 3-hour window on Saturday by compromising the underlying code that allows NFTs to be bought and sold.
OpenSea tweeted late Sunday that the attack didn't appear to be active, with the most recent action 15 hours before. Nadav Hollander, the CTO of OpenSea, also provided a technical breakdown of the phishing attack.
Phishing attacks are frequently carried out using emails that contain harmful links and fraudulently purport to be from a company. It's still unknown how OpenSea customers were lured into the phishing scam.
While the identity of the wallet's owner can be hidden in digital wallets used to keep NFTs, the transactions of digital assets on a blockchain are normally public. As a result, anyone with technical knowledge can track the NFTs from wallet to wallet.
OpenSea CEO Devin Finzer in a post on Twitter on Saturday after the attack stated, "The attacker has $1.7 million of ETH in his wallet from selling some of the stolen NFTs."
The hacker also appears to have returned some of the NFTs to the original owners.
OpenSea tweeted on Sunday that the investigation into Saturday's phishing attack is still ongoing. OpenSea's CTO, Nadav Hollander, posted a Twitter thread summarising the company's current understanding of the attack, which the company believes did not originate from OpenSea.
Hollander said, "All of the malicious orders contain valid signatures from the affected users, indicating that they did sign an order somewhere, at some point in time. However, none of these orders were broadcasted to OpenSea at the time of signing."