Opensea, the world’s largest NFT marketplace, has entered choppy waters after a phishing attack reeled in dozens of users.
“As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website,” tweeted co-founder and chief executive Devin Finzer. “It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.”
Non-fungible tokens (NFTs) are effectively digital receipts which record the ownership of items, such as collectible images, tweets and even physical items, on the blockchain.
In a series of tweets Finzer denied rumours that $200m of NFTs were stolen and claimed that the hacker has just $1.7m in their wallet address from selling some of the items.
Blockchain security company PeckShield has identified a phishing e-mail, purportedly from the Opensea team, as the source of the attack. The message reportedly contains a link which authorises the hacker to steal NFTs from the user’s account.
PeckShield has amassed a list of 254 NFTs which it claims were stolen during the attack. The list includes four Bored Ape Yacht Club NFTs, one of the most expensive collections available on Opensea with a floor price of 92 ETH (£177,608), and approximately 37 Azuki NFTs, a project with a floor price of 13.5 ETH.
Today’s attack is not the first scandal to hit Opensea, which recently hit a valuation of $13bn. In January the marketplace reimbursed users for $1.8m after a bug allowed high-value NFTs to be sold well below market value.