OpenSea NFT Marketplace Under Attack: What We Know So Far

Mon, 02/21/2022 - 10:39

OpenSea, a flagship NFT platform, has revealed the exact number of users who had their tokens stolen by a recent attacker. Also, its CTO explains why any crypto holder should be super-vigilant when clicking "Allow" in MetaMask.

17 users affected, attackers have ceased their activity

Per the statement shared on the official OpenSea Twitter account, the first results of an investigation have already proven that all involved were victims of a phishing attack, not of a flaw in the platform's codebase.

The list of victims was narrowed down to 17 accounts instead of 32. The "long list" included individuals who somehow interacted with the attacker contract but did not lose their tokens.

OpenSea noted that the attackers have shown no activity in the last 15 hours.

On Feb. 20, 2022, the scammers started sending phishing emails impersonating the OpenSea team. Check Point cybersecurity experts revealed that the attackers made victims authorize an atomicMatch_ request, which is responsible for NFT transfer logic on OpenSea.

The attacker then re-sent the same request to a legitimate OpenSea account; because the request had been signed by the NFT owner, this interaction resulted in all of the victim's tokens being sent to the attacker.

Check out a "Web3 technical education" thread from OpenSea CTO

By press time, net losses of victims are estimated at $1.7 million. During the attack, there were false statements on Crypto Twitter about a "$200 million" scam.

Nadav Hollander, the founder of the Dharma DeFi protocol and CTO of OpenSea, stressed that this attack would change the way Web3 enthusiasts treat signing off-chain messages:

Education on not sharing seed phrases or submitting unknown transactions has become more widespread in our space. However, signing off-chain messages requires equal consideration.

He added that OpenSea is migrating to a safer contract type in order to reduce the possibility of such attacks and keep all users "alerted" about unusual on-chain events.