News

Developers are investigating an exploit that steals NFTs from OpenSea users

Last month, the media reported that unidentified hackers were stealing NFTs from users of the OpenSea marketplace. Then the researchers reported that the problem was related to a bug and re-listing of NFTs for sale. For example, users can put an NFT up for sale, and then cancel the listing, update it, and list the lot at the new price.

However, it appears that the old listing with the original price could still be accessed through the OpenSea API, even if it was removed from the portal itself.

As a result, hackers “bought” valuable NFTs at bargain prices with the help of a bug, and then resold them for much more. For example, in one case, a scammer bought an NFT for $1,775 and then immediately resold it for almost $200,000.

As Vice Motherboard now reports, the administration of OpenSea returned the money to many users, but some received full compensation, while others were offered to compensate only 2.5% of the site commission received from the sale of NFTs. According to journalists, over the past ten days, OpenSea has reimbursed the victims about $1 million.

It remains unclear what the company’s criteria are for redressing damages, and why the situations of different people are so different. OpenSea said it does not comment on specific cases related to customer support.

Worse, attacks on users are still ongoing, and now a warning flaunts on the main page of the marketplace that reads:

We are actively investigating rumors of an exploit related to OpenSea smart contracts. This appears to be a phishing attack that does not come from OpenSea. Don’t click on links outside of opensea.io.

Also, users are advised to switch to a new smart contract, which eliminates the same problem with old, but still available ads. Since the bug seems to have been fixed, some users are suggesting that attackers are now facilitating phishing attacks by luring victims to a page that is supposedly related to switching to a new smart contract.

According to Vice Motherboard, scammers have now been able to transfer many NFTs from different users to their address. Among other things, NFTs were stolen from such popular collections as Bored Ape Yacht Club and Mutant Ape Yacht Club.

The attackers have already sold part of the NFT: for example, an item from the Azuki collection went for 13.4 ETH ($36,380 at the time of sale). As a result, the hackers’ wallet already contains more than 600 ETH, that is, almost $2 million.

Interestingly, in some cases, scammers return stolen goods. So, in one case, they stole a lot of NFTs from one user, including a valuable BAYC NFT. The hackers returned all NFTs to the victim, except for the mentioned BAYC, which is currently frozen due to suspicious activity.

Let me remind you that we also reported that NFTs may reveal users’ IP addresses.

You may also be interested in the information that Exploit appeared for a critical vulnerability in Magento, and Adobe fixed a second similar bug.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove Pbmsoultions pop-up ads (Virus Removal Guide)

Pbmsoultions.com is a domain that tries to trick you into clik to its browser notifications…

1 day ago

Remove Prizestash pop-up ads (Virus Removal Guide)

Prizestash.com is a site that tries to trick you into subscribing to its browser notifications…

1 day ago

Remove Verifiedbreaking pop-up ads (Virus Removal Guide)

Verifiedbreaking.com is a domain that tries to force you into subscribing to its browser notifications…

1 day ago

Remove Themoneyminutes pop-up ads (Virus Removal Guide)

Themoneyminutes.com is a domain that tries to force you into subscribing to its browser notifications…

1 day ago

Remove News-xcidizi pop-up ads (Virus Removal Guide)

News-xcidizi.com is a domain that tries to trick you into clik to its browser notifications…

1 day ago

Remove Everytraffic-flow pop-up ads (Virus Removal Guide)

Everytraffic-flow.com is a domain that tries to trick you into subscribing to its browser notifications…

1 day ago