OpenSea NFT Hack Exposes Web3 Self-Custody Risks

Key Takeaways

A hacker stole hundreds of NFTs from OpenSea users last night.
While a post-mortem report has not yet been published, OpenSea team has claimed that the hacker executed a phishing attack to steal the NFTs.
The incident is yet another reminder of the risks of self-custody in Web3.

Share this article

The hacker stole hundreds of high-value NFTs from sought-after collections like Bored Ape Yacht Club, Azuki, and NFT Worlds. 

OpenSea Users Targeted in NFT Hack 

A hacker stole millions of dollars worth of NFTs from OpenSea users last night. 

The attacker targeted an estimated 32 collectors on the top NFT marketplace and drained their Ethereum ( $1,356.70 ) wallets. On-chain data posted by Peckshield shows that they stole over 250 pieces from high-value collections like Bored Ape Yacht Club, Doodles, Azuki, and NFT Worlds. Based on the floor prices for the collections, Crypto Briefing estimated the total haul to be worth over 1,000 Ethereum ( $1,356.70 ) , or $3 million. The attacker’s wallet currently contains 641 Ethereum ( $1,356.70 ) worth around $1.7 million, as well as a selection of the stolen NFTs. 

News of the attack first surfaced on Twitter late Saturday when users reported suspicious activity tied to their accounts. It was initially rumored that the exploit was linked to a smart contract that OpenSea users have been migrating their NFTs to over recent weeks. However, OpenSea pointed to a likely phishing attack. 

We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website. Do not click links outside of

— OpenSea (@opensea) February 20, 2022

The team took to Twitter early Sunday to announce that it was “actively investigating” the rumors and that “a phishing attack outside of OpenSea’s website” was the probable cause. OpenSea CEO Devin Finzer said that the team was “running an all hands on deck investigation” and that the 32 affected users had suffered from a phishing attack. Earlier this morning, Finzer reiterated his belief that it was a phishing attack. “We have confidence that this was a phishing attack,” he wrote. The security analytics firm PeckShield also investigated the incident and shared the view that a phishing scam was likely the root cause. 

NFT Hack Exposes Web3 Risks 

Though a full post-mortem analysis is yet to be published, the Ethereum ( $1,356.70 ) users foobar and isotile posted tweet storms detailing the attacker’s probable moves. On-chain data shows that they deployed a smart contract on Jan. 22 that used a call to OpenSea’s contract. It’s thought that they tricked users into signing a transaction that transferred their NFTs to the hacker’s wallet, likely by sending out an email that replicated the ones OpenSea sends out. Once they had duped a sufficient number of NFT collectors into signing the malicious transaction, they executed the attack to drain their wallets. While a phishing attack is still yet to be confirmed, the incident exposes the risks of using Web3, where signing any malicious Ethereum ( $1,356.70 ) transaction can have disastrous consequences.

In recent months, many Bored Ape Yacht Club holders have lost their high-value NFTs in similar attacks after signing away their assets. As NFTs have attracted mainstream interest and their prices have soared, hackers have increasingly turned to the space to target collectors. Most of the affected OpenSea users have fallen victim to phishing attacks that tricked them into signing malicious contracts. For all of the benefits of self-custody wallets and decentralization, such attacks raise questions about whether crypto and NFTs are truly ready for mass adoption. Even when crypto holders use a hardware wallet to store their assets, they are not necessarily protected against smart contract scams. For collectors, NFT hacks like this one are a reminder of the importance of taking caution at all times in Web3, especially when it comes to checking emails and signing transactions. 

Disclosure: At the time of writing, the author of this feature owned ETH and several other cryptocurrencies. 

Share this article

The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.

You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.

See full terms and conditions.

The Top Five NFT Marketplace Alternatives to OpenSea

OpenSea became the go-to NFT marketplace during the technology’s 2021 boom. However, the platform’s high fees, centralized model, and recent listing issues have driven collectors to seek out alternative options…

What is a Crypto Airdrop: Why Projects Airdrop Crypto

Crypto airdrops occur when new tokens are freely distributed to different wallets in order to drive initial growth and build a community. They represent a popular marketing tactic that new projects use to spread…

OpenSea Scores Another Own Goal With Bad Advice for Users

OpenSea has told users to urgently cancel inactive listings on their NFTs to prevent opportunists from buying them at a fraction of their value. Unfortunately, OpenSea’s advice was poorly thought…

NFT Opportunists Are Making a Mint Through an OpenSea Bug

Collectors of high-value NFT collections are inadvertently selling their assets at huge discounts due to an OpenSea listing bug.  Blue Chip NFTs Lost Due to OpenSea Bug A bug on…


Recommended For You

About the Author: cryptomaster

Leave a Reply

Your email address will not be published.