A phishing attack on Saturday impacted 17 users of OpenSea, one of the largest NFT marketplaces, the company confirmed on Monday. Over 250 NFTs were reportedly stolen in the attack, worth at least $1.7 million.
A NFT, or nonfungible token, is a method of certifying ownership of a digital asset. NFTs linked to digital art have become popular in recent months as high-profile celebrities have jumped on the trend.
Get the CNET Now newsletter
Spice up your small talk with the latest tech news, products and reviews. Delivered on weekdays.
During a roughly 3-hour window on Saturday, the attacker, or attackers, were able to steal the NFTs from OpenSea users by exploiting the underlying code that allows NFTs to be bought and sold.
Late on Sunday, OpenSea tweeted that the attack didn’t appear to be active, with the last activity occurring 15 hours prior. OpenSea CTO Nadav Hollander also shared a detailed technical rundown of the phishing attack.
Phishing attacks often occur though emails containing malicious links falsely claiming to be from a company. It’s still unclear exactly how OpenSea users were drawn into this phishing scheme, but Hollander tweeted that “it appears the attack was made from outside OpenSea.”
While digital wallets used to hold NFTs can conceal the identity of the wallet’s owner, the transactions of digital assets on a blockchain are generally public. So anyone with the technical know-how can follow the NFTs from wallet to wallet.
“The attacker has $1.7 million of ETH in his wallet from selling some of the stolen NFTs,” said OpenSea CEO Devin Finzer in a post on Twitter on Saturday after the attack. The hacker also appears to have returned some of the NFTs to the original owners.
The investigation into Saturday’s phishing attack is still ongoing, OpenSea tweeted on Sunday.