Owners of high-value NFTs are having their OpenSea-listed assets pulled out from under them by an unknown attacker. Either the new OpenSea contract was hacked, or users were hit by a phishing attack. The hacker sent a fake email designed to have people sign half of a valid Wyvern order (the order was basically empty except for the target, which was the attacker's contract, and the calldata), and the attacker signs the other half of the order.
Any users who interacted with OpenSea's new contracts should revoke the token approvals from OpenSea immediately. Etherscan and Revoke.cash both provide interfaces for this, but are experiencing intense server load. Use whichever service will load. The attacker currently holds 641.5 ETH liquid, and many high-ticket NFTs, including 17 Azuki, 3 BAYC, 2 Cool Cats, and 2 Mutant Ape Yacht Clubs. The attacker also pocketed a racial slur ENS name. The loss amount includes the values of the high-valued 16 Azuki and 3 BoredApeYachtClub NFTs, estimated at 48 and 177 ETH respectively.
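The signing request described above can be caught before the user signs. The following is an added example, not code from OpenSea or from this database: a wallet-side lint that flags an order which is mostly empty yet sends calldata to an unlisted target. Field names follow the Wyvern v2 Order struct; the allowlist, the three-of-four threshold and all addresses are assumptions constructed for illustration.

```javascript
// Added example: lint a Wyvern v2 order before a wallet asks the user to sign.
// Field names follow the Wyvern v2 Order struct; all addresses are constructed.
const ZERO_ADDRESS = "0x" + "0".repeat(40);

// Hypothetical allowlist: contracts this user expects as an order target.
const TRUSTED_TARGETS = new Set(["0x" + "11".repeat(20)]);

// Fields a genuine listing normally fills in (assumption of this heuristic).
const FILLED_FIELDS = ["basePrice", "feeRecipient", "makerRelayerFee", "listingTime"];

// True for missing values, empty bytes, "0" and the zero address.
function isZero(v) {
  if (v === undefined || v === null || v === "" || v === "0x") return true;
  return BigInt(v) === 0n; // accepts decimal strings, hex strings and addresses
}

function lintOrder(order, trusted = TRUSTED_TARGETS) {
  const findings = [];
  const hasCalldata = Boolean(order.calldata) && order.calldata !== "0x";
  const target = String(order.target || ZERO_ADDRESS).toLowerCase();
  const untrusted = hasCalldata && !trusted.has(target);
  if (untrusted) findings.push(`calldata goes to unlisted target ${target}`);
  if (isZero(order.basePrice)) findings.push("basePrice is zero");
  const empty = FILLED_FIELDS.filter((f) => isZero(order[f]));
  if (empty.length >= 3) findings.push(`mostly empty order: ${empty.join(", ")}`);
  // Block only the combination described: unlisted target plus an empty order.
  return { block: untrusted && findings.length > 1, findings };
}

// Constructed sample: 0x23b872dd is the transferFrom(address,address,uint256)
// selector, followed by three zeroed 32-byte arguments.
const SAMPLE_CALLDATA = "0x23b872dd" + "00".repeat(96);

const suspiciousOrder = {
  target: "0x" + "ab".repeat(20), // constructed, not in the allowlist
  calldata: SAMPLE_CALLDATA,
  basePrice: "0", feeRecipient: ZERO_ADDRESS, makerRelayerFee: "0", listingTime: "0",
};

const normalListing = {
  target: "0x" + "11".repeat(20), // constructed, in the allowlist
  calldata: SAMPLE_CALLDATA,
  basePrice: "1000000000000000000", feeRecipient: "0x" + "22".repeat(20),
  makerRelayerFee: "250", listingTime: "1645000000",
};

console.log(lintOrder(suspiciousOrder));
console.log(lintOrder(normalListing));
```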
Updated 2/23/22: Loss statistics for the @opensea phishing incident:
1. The hacker sold NFTs valued at more than 1,200 Ether (~$3.4m); most of the funds have been deposited to @TornadoCash.
2. The hacker returned most of the unsold NFTs to victims.
DISCLAIMER: While Zero Friction LLC has used its best efforts in aggregating and maintaining this database, Zero Friction LLC makes no representations or warranties with respect to its accuracy or completeness, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances shall Zero Friction LLC be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the dataset or information derived from our database.