This past Saturday, a slew of OpenSea users found that their accounts had been hacked. Rumors that $200 million worth of NFTs had been stolen quickly circulated, and OpenSea users flocked to Twitter asking for support and clarification.
In the following days, the hack was confirmed to be much smaller than first thought. Only 17 users lost tokens, 254 in total, with an estimated collective value of $1.7 million. According to a spreadsheet compiled by the blockchain security service PeckShield, NFTs from the Bored Ape Yacht Club, Azuki, Doodles, and CloneX collections were among the stolen assets.
Though it was initially thought that OpenSea itself had been compromised, the theft was traced to a phishing campaign: emails carrying malicious links designed to look as if they came from legitimate sources. OpenSea is currently migrating to a new smart contract system, and the hackers took advantage of that transition.
The hackers emailed OpenSea users asking them to click a link that would supposedly migrate their listings to the new contract system. Users who followed the malicious link and signed the request it presented unwittingly gave the hackers the ability to transfer any assets they chose out of the victims' Ethereum wallets. The technical details of the attack were explained by Twitter user Neso in a thread that OpenSea CEO Devin Finzer retweeted.
The OpenSea team identified the Ethereum address belonging to the hacker and, in a confusing twist, the hacker appears to have returned some of the NFTs. The OpenSea team is monitoring the address and its activity, according to tweets by Finzer.
Though the hack reportedly affected only 17 OpenSea users, many users are still unsure whether they were compromised in this attack or in another one.
One user who goes by ufoguytwitch initially thought he had been a victim of the phishing attack. “But I don’t know anymore,” he wrote via direct message. “I got hacked a week before OpenSea revealed what happened and they still haven’t responded to my initial complaint.”
Another user, who goes by donshrimp_, is in a similar position. He was also hacked and lost assets, but isn’t sure if it was through the phishing attack. “I don’t know what to do,” he wrote in a direct message. He said OpenSea hadn’t contacted him or replied to his complaints.
OpenSea users have repeatedly complained that OpenSea’s support team isn’t responsive enough to support tickets. A representative for the platform declined to comment.
It is not yet known whether OpenSea will compensate victims in some way or seek legal recourse against the hacker. Currently, OpenSea is being sued for negligence by user Timothy McKimmy, who lost a Bored Ape Yacht Club NFT in a phishing attack earlier in February. Though Coindesk reported that the lawsuit was filled with errors, the platform could still face a negligence claim. Meanwhile, OpenSea had to reimburse users $1.8 million, a small sum for a company valued at $13 billion, after a bug on the site allowed bad actors to buy NFTs at a fraction of their value, Fortune reported.