OpenSea says it is “actively investigating rumors of an exploit” that occurred on the popular Ethereum NFT marketplace Saturday. Users reported that digital assets, including NFTs from the Cool Cats and Doodle collections, had been stolen.
But co-founder and CEO Devin Finzer tweeted that the exploit likely didn’t hit OpenSea at all, and instead targeted the people who rely on the marketplace to trade and maintain their digital assets.
“As far as we can tell, this is a phishing attack,” he tweeted midway through the investigation. “We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.”
In other words, people may have received official-looking emails that tricked them into moving their NFTs into someone else’s wallet. That address, which blockchain explorer Etherscan has labeled Fake_Phishing5169, now has a balance of 641 ETH, worth over $1.7 million.
If Finzer’s thesis is correct, the attacker(s) picked an optimal time to go phishing. On Friday, OpenSea released a new smart contract and asked users to migrate their holdings. Ironically, the new smart contract came about to prevent a different type of exploit—one which saw holders unwittingly sell their assets at bargain-basement prices.
Finzer urged users to make sure they were always using the official opensea.io website and to be on the lookout for fishy emails.