‘Hacker’ Steals NFTs ‘Worth’ Millions From Opensea Marketplace

Image: The Thief

Web3, the famously decentralised internet technology that has centralised much of the NFT marketplace into a single shopfront (Opensea), woke over the weekend to find that some of its users’ wallets had reportedly been compromised, and loads of precious NFTs stolen.

The alarm was sounded yesterday, when some users began noticing that some NFTs — including some Bored Ape Yacht Club and Mutant Ape Yacht Club jpgs — were missing from their wallets. Aside from the fact it appears to have been the work of a single person (or at least a single account) that’s all we know for sure at time of posting. How all that stuff went missing, and just how much the heist is “worth”, are two of the particulars still up in the air.

Opensea co-founder and CEO Devin Finzer says the site is fine, and that “as far as we can tell” those affected were the victims of a “phishing attack”.

Other users, though, aren’t so sure. Some victims say they never opened any emails, and that the only thing they all had in common was that they had manually migrated their collections to a new smart contract on the platform (a move that was itself implemented because it “fixes an issue with inactive listings that was allowing scammers to swipe valuable NFTs from collectors on OpenSea”).

Also unknown is the exact dollar value of what was stolen. While of course it’s impossible to put a definitive price tag on stolen NFTs, since everybody outside the cult would say they’re valued at “nothing”, estimates of the “worth” of the heist among these dorks range from the ludicrous ($US200 ($278) million) to much more modest sums (Finzer himself says “The attacker has $US1.7 ($2) million of ETH in his wallet from selling some of the stolen NFTs”). A third possibility is that the attacker actually made off with around $US2.9 ($4) million, which they were able to do by selling the stolen NFTs on…Opensea.

And this isn’t even the wildest part! Somehow, for some reason, the attacker didn’t just steal, they also in some instances…gave back? Like Robin Hood, only if Robin Hood had no idea what he was doing. As the wonderful Web 3 Is Going Just Great reports:

It was later determined that an attacker had successfully phished 32 OpenSea users into signing a malicious contract, which allowed the attacker to take the NFTs and then flip them. Bizarrely, the hacker returned some of the NFTs to their original owners, and one victim inexplicably received 50 ETH ($US130,000 ($180,466)) from the attacker as well as some of his stolen NFTs back.

Remember: the entire point of the blockchain, as the cult’s acolytes will only too gladly tell you, is that it’s immovable and eternal, and that everything that happens leaves an immutable mark. Shit like this isn’t supposed to happen, because the blockchain is so much more secure than the existing internet!

And yet! Here we are. With users either falling for a phishing attack like your grandparents trying to score a cheap flight to Florida on Facebook, or being the victims of a basic site vulnerability on one of the most centralised locations on a supposedly decentralised technology. Kill me.


  • “ALL OF US ONLY HAVE ONE THING IN COMMON. ” – your caps lock is broken…?

    Also, yer all f#$kin idiot chumbies for spending real money on NFTs, so well deserved lesson! 😀

    • That tweet really doesn’t leave one with a lot of confidence that he’d either recognise or remember a phishing email if he did get one.

      I’ve talked to many people over the years who swore blind that they never received something even though there are photos and/or a signature to prove it.

      I mean, that email from ebay with the pdf receipt attached, it was obviously just a corrupted attachment because I clicked and literally nothing happened. No root kits at all. In fact, I forgot about it almost as soon as I closed and deleted the email because it’s not like I needed to keep records for my tax or something and it wasn’t even clear which of the half a dozen things I bought from ebay this month it was even for.

      • Yeah, in a place I used to work at we would send out fake phishing emails once a year to check who in the company is vulnerable and needs further training. One year we managed to snag the CEO of the company lol. That was a very awkward phone call. People will fall for even some of the most obvious phishing emails.
