Activity on OpenSea, the world’s largest marketplace for digital collectibles, likely dropped precipitously after a phishing attack that saw traders lose as much as an estimated $3 million.
Trading in nonfungible tokens plummeted in recent days, according to data provider DappRadar. OpenSea’s seven-day trading volume was down 37% as of Tuesday, DappRadar found.
An unidentified hacker stole 254 tokens from OpenSea users by sending a malicious email asking to transfer their assets to a new contract. Around 17 traders signed the contract, which effectively acted as a blank check, giving the hacker access to all of the NFTs stored on their wallet.
Some of those assets have since been sold, netting the perpetrator a hefty gain. Devin Finzer, OpenSea’s chief executive officer, valued the total amount stolen at $1.7 million on Sunday, but researchers since have valued the pile at anywhere between $2 million and $3 million. Among the stolen NFTs included four Bored Apes, three of which were later sold on rival platform LooksRare for a combined $667,000, according to data from blockchain security service PeckShield.
The number of traders using OpenSea dropped by 19%, to about 227,272 over the seven days ended Tuesday, per DappRadar. Over that period, trading volume on LooksRare plunged nearly 65%, while volume on BloctoBay rose by more than 215%, according to DappRadar.
OpenSea disputed the data provided by DappRadar, adding in a statement: “For more accurate and complete data, please refer to Dune Analytics.”
OpenSea said on Monday that the attacker’s crypto wallet has gone quiet since the theft, with no transaction activity spotted in the last 24 hours.
The marketplace’s Chief Technology Officer Nadav Hollander said the incident demonstrated a need for more awareness about the security issues surrounding off-chain signatures among NFT traders. There were no flaws found in ongoing contract migration by OpenSea that could have caused the attack, but the process opened a window of opportunity for the perpetrator to fool their victims by closely mimicking OpenSea’s communications on the matter.
1) Sharing a technical run-down of the phishing attacks targeting @OpenSea users, including some web3 technical education.
— Nadav Hollander (@NadavAHollander) February 20, 2022