Investigations showed that NFTs were stolen from users via phishing emails before being moved to OpenSea’s new smart contract. The attackers acquire access to the NFTs after a user allows the migration via the phishing email.
OpenSea, an online non-fungible token marketplace, has begun investigating exploit reports, claiming in a recent tweet that it has most likely been the target of a phishing assault. After it was revealed that a hacker stole millions of dollars worth of non-fungible tokens, the NFT community was ablaze with conjecture earlier today.
The firm announced the introduction of a new improved smart contract on Saturday, inviting customers to move their listings without incurring gas fees before the deadline on Feb. 25. The hacker, however, has opted to take advantage of the update by using legitimate-looking phishing emails to dupe customers into handing over their NFTs. Users are advised not to click any links outside of the official website, according to the business.
PeckShield, a blockchain security startup, has disclosed the full list of NFTs taken by the malicious attacker. They’re worth around $3 million in total.
How the urgency and short deadline helped the hacker
Due to the urgency and short timeframe, hackers had a narrow window of opportunity. Within hours of OpenSea’s upgrade announcement, various sources began reporting on an ongoing attack on the soon-to-be-delisted NFTs.
Further analysis indicated that the NFTs were stolen via phishing emails before being moved to OpenSea’s new smart contract. The attackers acquire access to the NFTs after a user allows the migration via the fake email.
Users should be wary of all emails from OpenSea and revoke all rights related to the migration to the new smart contract.
Devin Finzer, co-founder and CEO of OpenSea, confirmed that 32 users had lost NFTs as a result of the phishing assault. While the NFT marketplace has yet to decipher the ongoing phishing campaign, blockchain investigator PeckShield suspects a probable loss of user data (including email addresses) that is fueling the ongoing phishing attack.
“If you are concerned and want to protect yourself, you can un-approve access to your NFT collection.”
Three NFTs were confiscated by Her Majesty’s Revenue and Customs (HMRC), the UK’s principal tax department, in connection with a suspected tax evasion scheme.
According to reports, the suspects built 250 counterfeit “shell” firms and utilized fictitious identities to escape 1.4 million British pounds (approximately $1.8 million) in value-added taxes.