The co-founder and CEO of Opensea, Devin Finzer, has disputed rumours that the NFT marketplace has been hacked. He described the purported hacking event as a “phishing assault,” which he says is unrelated to Opensea’s website. He revealed that NFTs have been taken from more than 30 users who “signed a malicious payload from an attacker.” Finzer did not provide an estimate for the worth of the stolen NFTs. Finzer and Opensea’s phishing assault allegation was challenged by another user called Jacob King.
#OpenSea is now lying and claiming the exploit was actually just phishing emails people were receiving.
This is 100% not true, but rather a flaw in their code which led to one of the largest #NFT exploits in history. pic.twitter.com/qGRq0MaFT1
— Jacob King (@JacobOracle) February 20, 2022
OpenSea has stated that the team hasn’t noticed any malicious activity from the attacker’s account in over the last 15 hours, thus the attack doesn’t appear to be active at this time. Some NFTs have already been returned.
2) The attack does not appear to be active at this time. There has been no activity on the malicious contract in >15 hours.
— OpenSea (@opensea) February 21, 2022
Finzer also indicated that the Opensea team was unaware of any recent phishing emails sent to subscribers. CEO also stated that the team had yet to identify the website that had been “tricking people into maliciously signing messages.”
Our leadership, engineering, and security teams are communicating with affected users to gather details. We continue to believe that this is a phishing attack that originated outside of https://t.co/3qvMZjxmDB. ↯
— OpenSea (@opensea) February 20, 2022
Finzer concludes his discussion by denying allegations that this was a $200 million hack. The Opensea team established that “the attacker had $1.7 million in ETH in his wallet by selling some of the stolen NFTs,” he said.
As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
He went on to say that Opensea was now “working with individuals whose stuff were taken to narrow down a collection of common websites with which they interacted that could have been responsible for the bad signatures.”
1) We’ve narrowed down the list of impacted individuals to 17, rather than the previously mentioned 32. Our original count included anyone who had *interacted* with the attacker, rather than those who were victims of the phishing attack.
— OpenSea (@opensea) February 21, 2022
Recently, the OpenSea team has identified 17 impacted individual accounts who are victims of phishing attacks.
