Malicious actors took advantage of a smart contract upgrade process in the OpenSea NFT marketplace to carry out a phishing attack against 17 of its users that resulted in the theft of virtual assets worth about $1.7 million.

NFTs, short for non-fungible tokens, are digital tokens that act like certificates of authenticity for, and in some cases represent ownership of, assets that range from expensive illustrations to collectibles and physical goods.

The opportunistic social engineering scam swindled users by copying the email OpenSea had sent to notify them about the upgrade. The copycat email redirected victims to a lookalike webpage, where they were prompted to sign a seemingly legitimate transaction that was instead used to steal all of their NFTs in one go.

“By signing the transaction, an atomicMatch_ request would be sent to the attacker contract,” Check Point researchers explained. “From there, the atomicMatch_ would be forwarded to the OpenSea contract,” leading to the transfer of the NFTs from the victim to the attacker.
