OpenSea co-founder and CEO, Devin Finzer, has denied rumours that its Non-Fungible Token (NFT) marketplace was hacked and that attackers had stolen $200 million. According to Finzer, an investigation had shown that the attacker had $1.7 million worth of Ether in his wallet by leveraging a phishing scheme.
Finzer has characterised the alleged hacking incident as a “phishing attack,” which he insists is not connected to OpenSea’s website. He did, however, admit that 32 users who “signed a malicious payload from the attacker” had their NFTs stolen.
However, Peck Shield, a blockchain security company that aims to elevate the security, privacy, and usability of the entire blockchain ecosystem, tweeted that the OpenSea hacker has made use of Tornado Cash to wash 1,100 Ether, which at today’s price, amounts to $3.03 million. The firm also released a list of NFTs stolen in the attack. According to the list, a total of 253 NFTs have been stolen between the 19th and 20th of February 2022.
Finzer did a thread on Twitter, explaining some facts of the alleged hack. He stated, “As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.
“The attack doesn’t appear to be active at this point — we haven’t seen any malicious activity from the attacker’s account in 2 hours. Some of the NFTs have been returned.
“We are not aware of any recent phishing emails that have been sent to users, but at this time we do not know which website was tricking users into maliciously signing messages.
“Always double-check that you are interacting with https://opensea.io in your browser when you sign messages. If you are an affected user, please DM @opensea_support so that we can thoroughly investigate — we’d love your help.”
While Finzer did not give the estimated value of the stolen NFTs, a Twitter user named Mr. Whale suggested in a tweet, posted a few hours after the breach, that “over $200M lost already.” Mr. Whale tweeted, “BREAKING: Massive OpenSea “exploit” in their new migration contract allowed users to sell, steal any NFT from any users.”
Another user named Jacob King rejected Finzer and OpenSea’s phishing attack claim. The user claims that a “flaw in their code led to one of the largest NFTs exploits in history.” Jacob tweeted, “OpenSea is now lying and claiming the exploit was actually just phishing emails people were receiving. This is 100% not true,” alongside an image of the alleged flaw in the code of the platform.
In another thread, Finzer said after his team got in touch with “dozens” of people and teams across the NFT space, and he is confident this was a phishing attack. He added that OpenSea was now actively “working with users whose items were stolen to narrow down a set of common websites that they interacted with that might have been responsible for the malicious signatures.”
