Date: 2022-02-21

Key facts: The criminal stole and sold NFTs for more than $1.7 million.

The attack would have been carried out through malicious links sent by email.

The Opensea platform, one of the most popular marketplaces for non-fungible token (NFT) trading on the Ethereum network, is investigating the theft of assets from its users. From what is known so far, a hacker would have deceived dozens of people through emails with malicious links.

According to the Twitter account @tucanalcrypto, the attacker would have sent an email to thousands of Opensea users from the address team@opensea.io, very similar to the official one used by the platform. In doing so, he would have tricked them into signing a malicious contract, an action purportedly necessary to avoid suspension “of unverified accounts.”

Devin Finzer, one of the co-founders and current CEO of the platform, confirmed the news at midnight on Saturday. Through a post on Twitter, he assured that “so far, we believe that it is a phishing attack”. Along the same line, he ruled out that the problem had to do with the Opensea site. Instead, 32 users reportedly signed a malicious contract with the attacker, allowing him to seize their NFT collections and steal them.

The supposed phishing email that thousands of Opensea users would have received. Source: Twitter @tucanalcrypto.

In the continuation of that thread, Finzer explained that the attacker’s account had been inactive for at least two hours and that some of the NFTs had even been returned to their owners. “The rumors about a $200 million hack are false. The attacker has $1.7 million ETH in his wallet after selling some of the stolen NFTs,” he added.

When looking up what would be the attacker’s wallet, an alert message about its possible relationship with the event can be seen. Additionally, many incoming and outgoing movements of various tokens can be observed on the morning of Sunday, February 20.

At the time of writing this note, his balance was 3.01 ether (ETH), approximately USD 8,060 at the current price of the cryptocurrency. However, he had come to hold much more, as detailed by the user @Jon_HQ in a Twitter post.

Regarding the emails sent to mislead users, the Opensea executive said they were not aware of recent phishing emails, nor did they know which site may have been misleading users with malicious messages. In that sense, Finzer recommended always double-checking that you are interacting with opensea.io in the browser when signing messages.

Despite his statements, the allegedly malicious email that has been shared on social networks carries that domain, which raises questions about the information and resources the hacker had.

Opensea also commented on the episode on social networks. Source: Twitter @opensea.

Opensea receives a heavy blow after changing its smart contract

The NFT trading platform had just changed the version of its smart contract, that is, the contract on which operations on the site are based. The purpose of the change, completed last Friday, February 18, was to move to a more robust and secure one.

However, despite the company’s efforts to prevent this type of event, the attack put Opensea’s security at the center of the scene. In fact, a user shared on Twitter a warning which, according to him, he had posted on January 21 reporting a bug that, in any case, would not be linked to the attack reported that day.

At the moment there is a lot of information circulating and not many official confirmations from the company. Regarding the technical specifics of the attack, Devin Finzer shared a thread from @nesotual which, in his view, is in line with the internal investigation of the Opensea team.

How to prevent a possible theft in NFT?

Because the theft in question relies on signing a malicious smart contract that gives the criminal access to a user’s tokens, one possible solution to the problem is to revoke all the permissions that have been granted.

As shared by Devin Finzer in the aforementioned post, this can be done by following this link to Etherscan. Another alternative, recommended by Sibling Labs, is to use the Revoke Cash tool, which lets you revoke all access granted by signing a contract with an Ethereum wallet.
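To make concrete what "revoking all permissions" means for NFTs, here is an added example (not code from the article, Opensea, Etherscan or Revoke Cash) of the core check such tools perform: replay a wallet's ERC-721 `ApprovalForAll` event logs to find which operators still hold blanket access, and build the `setApprovalForAll(operator, false)` calldata that removes it. All addresses and log entries are constructed; the event topic and function selector are the standard ERC-721 values.

```python
from dataclasses import dataclass

# keccak256("ApprovalForAll(address,address,bool)"), emitted on every setApprovalForAll()
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
# selector of setApprovalForAll(address,bool); approved=false is the on-chain "revoke"
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"

@dataclass
class Log:  # the fields of an eth_getLogs entry this check needs
    address: str    # NFT contract that emitted the event
    topics: list    # [event signature, indexed owner, indexed operator]
    data: str       # ABI-encoded bool `approved`
    block: int
    log_index: int

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_operators(logs, owner):
    """Replay ApprovalForAll events in chain order; the newest event per
    (contract, operator) pair decides whether that operator still has access."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l.block, l.log_index)):
        if log.topics[0] != APPROVAL_FOR_ALL_TOPIC:
            continue
        if topic_to_address(log.topics[1]) != owner.lower():
            continue
        operator = topic_to_address(log.topics[2])
        latest[(log.address.lower(), operator)] = int(log.data, 16) == 1
    return {pair for pair, approved in latest.items() if approved}

def revoke_calldata(operator):
    """Calldata for setApprovalForAll(operator, false), sent to the NFT contract."""
    addr = operator.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + addr + "0" * 64

# Constructed sample: the owner approved a marketplace at block 100, an unknown
# operator at block 200 (the kind of grant a phishing signature can produce),
# then revoked the marketplace at block 300. Only the unknown one is still live.
OWNER, NFT = "0x" + "11" * 20, "0x" + "aa" * 20
MARKETPLACE, UNKNOWN_OPERATOR = "0x" + "22" * 20, "0x" + "33" * 20
TRUE, FALSE = "0x" + "0" * 63 + "1", "0x" + "0" * 64
def _topic(addr): return "0x" + "00" * 12 + addr[2:]  # pad address to 32 bytes
SAMPLE_LOGS = [
    Log(NFT, [APPROVAL_FOR_ALL_TOPIC, _topic(OWNER), _topic(MARKETPLACE)], TRUE, 100, 0),
    Log(NFT, [APPROVAL_FOR_ALL_TOPIC, _topic(OWNER), _topic(UNKNOWN_OPERATOR)], TRUE, 200, 3),
    Log(NFT, [APPROVAL_FOR_ALL_TOPIC, _topic(OWNER), _topic(MARKETPLACE)], FALSE, 300, 1),
]
```

Per-token `approve(tokenId)` grants and ERC-20 `approve` allowances are separate events and need their own pass; this block covers only the operator-wide approvals that give a contract access to an entire collection.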