It’s hard to tell if stolen is really the right word, but over the weekend a phishing attack has seen at least 32 users lose NFTs they paid for on the popular trading site, OpenSea.
According to The Verge, most of the attacks took place just last Saturday between 5PM and 8PM ET. The result appears to be about 254 tokens removed from the wallets of those who purchased them on OpenSea. The total value of stolen tokens is said to be over $1.7 million, based on the Ethereum the phishers have gained by selling off the liberated NFTs.
Initially there was panic among the OpenSea community about how the attack took place, but the site’s CEO Devin Finzer has confirmed it’s likely separate from the platform. Instead, it appears to be a bit more like your traditional email phishing scheme but for the NFT space.
All NFTs transfers had technically been signed off using the seller’s unique signatures, but they were likely tripped into filling it out on something inconspicuous, not knowing what it would be used for. It’s a lot like email phishing schemes with fake links to plausible looking websites that steal your passwords.
Finzer states that the account responsible has stopped engaging in any malicious activity and has even given some of the NFTs back. But these have always been a bit of a weird and risky game to get into. One of the most famous NFT swindles saw the Evolved Ape NFT creator run off with $2.7 million in his pocket without delivering on future promises, namely the fighting game that was always meant to accompany the ape avatars.
NFTs also commonly involve stolen art, with people often trading images they’ve just copied off the internet and don’t own any intellectual rights to. The NFT marketplace Cent had to stop transactions due to the rampant counterfeit digital assets, and OpenSea is no stranger to these issues either. The website offers a free tool for users to mint NFTs and had to limit it after finding that over 80% were plagiarism or scams. Many artists have had their works uploaded against their wishes by random users trying to make a quick buck.
If it’s possible to arbitrarily own a jpeg on the internet that’s only purpose is to promote artificial scarcity and sell for profit then I suppose it’s also possible to have it stolen. It’s just hard to tell which of these concepts should actually be considered a crime.