A threat actor has allegedly stolen over $2 million from customers of the OpenSea non-fungible token (NFT) trading platform after launching a phishing attack against the marketplace. Researchers at Check Point stated that the attack occurred earlier this week, when OpenSea published an article about an upcoming contract upgrade, inspiring the attackers to design a phishing attack leveraging the news. Users were reportedly required to migrate their listings on Ethereum to a new smart contract. OpenSea's email about the upgrade contained instructions on how to complete the migration.
Threat actors saw an opportunity in the shift and stepped in, creating a similar email containing a malicious link that sent targets to a convincing phishing page. The page then asked the user to sign a transaction. Once the user signed, an atomicMatch request was sent to the target. From there, atomicMatch would be forwarded to the OpenSea contract. Because atomicMatch is responsible for all trading on OpenSea with minimal trust, a transaction takes place only if certain parameters are met. Therefore, it was possible for the attackers to steal a victim’s entire NFT library on the site via one fraudulent transaction.
Read More: OpenSea Phisher Stole $2m Worth of NFTs