Malicious actors took advantage of a smart contract upgrade process in the OpenSea NFT marketplace to carry out a phishing attack against 17 of its users that resulted in the theft of virtual assets worth about $1.7 million.
NFTs, short for non-fungible tokens, are digital tokens that act like certificates of authenticity for, and in some cases represent ownership of, assets that range from expensive illustrations to collectibles and physical goods.
The opportunistic social engineering scam swindled the users by using the same email from OpenSea notifying users about the upgrade, with the copycat email redirecting the victims to a lookalike webpage, prompting them to sign a seemingly legitimate transaction, only to steal all the NFTs in one go.
"By signing the transaction, an atomicMatch_ request would be sent to the attacker contract," Check Point researchers explained. "From there, the atomicMatch_ would be forwarded to the OpenSea contract," leading to the transfer of the NFTs from the victim to the attacker.
OpenSea's "Wyvern" smart contract migration, which commenced on February 18 over a seven-day period until February 25 at 2:00 PM ET, is part of the New York City-based firm's efforts to address old, existing inactive listings on the Ethereum blockchain.
The company said it's still investigating the exact source of the attack, noting that the malicious orders had been signed by the victims before OpenSea carried out its migration. "The attack no longer seems to be active, but we are continuing to monitor. We have not seen activity from the attacker's wallet in >36 hours," OpenSea said in an update.
"Signing a transaction is similar to giving someone permission to access all your NFT's and cryptocurrencies," Check Point said. "This is why signing is very dangerous. Pay extra attention to where and when you sign a transaction."
The development also comes as cybercriminals are exploiting the growth in popularity of NFTs to trick victims into downloading the BitRAT remote access trojan malware that's capable of stealing browser credentials, mining cryptocurrency, and harvesting sensitive information.