World's largest NFT (non-fungible token) marketplace, OpenSea on Sunday confirmed that it has been hit by a phishing attack and at least 32 users had lost their valuable NFTs worth $1.7 million.
OpenSea Co-Founder and CEO, Devin Finzer acknowledged the phishing attack, confirming that 32 users have lost NFTs so far.
He said rumours that this was a $200 million hack are false and the attacker "has $1.7 million of ETH (Ethereum) in his wallet from selling some of the stolen NFTs.
While the NFT marketplace was yet to figure out the magnanimity of the cyber attack, Blockchain investigator Peckshield said he suspects a possible leak of user information (including email ids) that fuelled the phishing attack.
"We are actively investigating rumours of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website," the NFT marketplace posted in a tweet.
The hack happened as OpenSea announced a new smart contract upgrade with a one-week deadline to delist inactive NFTs on the platform.
The smart contract upgrade required users to migrate their listed NFTs from ETH blockchain to a new smart contract.
Within hours after OpenSea's upgrade announcement, reports across multiple sources emerged about an ongoing attack that targets the soon-to-be-delisted NFTs.
"We don't believe it's connected to the OpenSea website. It appears 32 users so far have signed a malicious payload from an attacker, and some of their NFTs were stolen," Finzer posted.
The OpenSea CEO urged affected users to directly message him on Twitter.
The phishing attack on NFT marketplace occurred as the UK tax authority last week seized three NFTs as part of a probe into a 1.4 million pounds (nearly $1.9 million) fraud case, the BBC reported on Monday.
The authority said it was the first UK law enforcement to seize an NFT.
Her Majesty's Revenue and Customs also seized 5,000 pounds worth of crypto assets ($6,762) alongside three NFT artworks, which have yet to be valued.