'Hacker' Steals NFTs 'Worth' Millions From Opensea Users

The thief then, for whatever reason, gave some stuff back to victims

Please right click this image
Image: The Thief

Web3, the famously decentralised internet technology that has centralised much of the NFT marketplace into a single shopfront (Opensea), woke over the weekend to find that some of its user’s wallets had reportedly been compromised, and loads of precious NFTs stolen.

The alarm was sounded yesterday, when some users began noticing that some NFTs—including some Bored Ape Yacht Club and Mutant Ape Yacht Club jpgs—were missing from their wallets. Aside from the fact it appears to have been the work of a single person (or at least a single account) that’s all we know for sure at time of posting. How all that stuff went missing, and just how much the heist is “worth”, are two of the particulars still up in the air.

Advertisement

Opensea co-founder and CEO Devin Finzer says the site is fine, and that “as far as we can tell” those affected were the victims of a “phishing attack”

Advertisement
Advertisement

Other users, though, aren’t so sure. Some victims say they never opened any emails, and that the only thing they all had in common was that they had manually migrated their collections to a new smart contract on the platform (a move that was itself implemented because it “fixes an issue with inactive listings that was allowing scammers to swipe valuable NFTs from collectors on OpenSea”):

Advertisement

Also unknown is the exact dollar value of what was stolen. While of course it’s impossible to put a definitive pricetag on stolen NFTs, since everybody outside the cult would say they’re valued at “nothing”, estimates on the “worth” of the heist among these dorks range from the ludicrous ($200 million) to much more modest sums (Finzer himself says “The attacker has $1.7 million of ETH in his wallet from selling some of the stolen NFTs”). A third possibility is that the attacker actually made off without around $2.9 million, which they were able to do by selling the stolen NFTs on...Opensea.

Advertisement

And this isn’t even the wildest part! Somehow, for some reason, the attacker didn’t just steal, they also in some instances...gave back? Like Robin Hood, only if Robin Hood had no idea what he was doing. As the wonderful Web 3 Is Going Just Great report:

It was later determined that an attacker had successfully phished 32 OpenSea users into signing a malicious contract, which allowed the attacker to take the NFTs and then flip them. Bizarrely, the hacker returned some of the NFTs to their original owners, and one victim inexplicably received 50 ETH ($130,000) from the attacker as well as some of his stolen NFTs back.

Advertisement

Remember: the entire point of the blockchain, as the cult’s acolytes will only too gladly tell you, is that it’s immovable and eternal, and that everything that happens leaves an immutable mark. Shit like this isn’t supposed to happen, because the blockchain is so much secure than the existing internet!

And yet! Here we are. With users either falling for a phishing attack like your grandparents trying to score a cheap flight to Florida on Facebook, or being the victims of a basic site vulnerability on one of the most centralised locations on a supposedly decentralised technology.

Advertisement

While we’re on the subject, if the words “Opensea” and “art theft” ring a bell, it might be because of reports from various outlets—like this one, from The Guardian last month—detailing the practice of bots stealing work from sites like DeviantArt and selling it on Opensea without the artist’s knowledge or permission.