OpenSea, a leading marketplace for NFTs, is investigating
the “rumours of an exploit” involving smart contracts connected to
its platform following an outbreak of panicked tweets from traders who lost valuable
tokens.

On Saturday night US hours, OpenSea tweeted that “We are
actively investigating rumours of an exploit associated with OpenSea related
smart contracts. This appears to be a phishing attack originating outside of
OpenSea’s website. Do not click links outside of opensea.io.”

A hacker swiped millions of dollars worth of non-fungible tokens on OpenSea Saturday evening, sending the nascent market for these tokens into a tizzy.

It is not yet clear if the assets were stolen via a breach stemming from a deficiency in OpenSea’s platform or via a phishing attack.

Co-founder Devin Finzer tweeted that the company was
still probing the incident, adding they believed it originated from a “phishing
attack”.

He said “it appears 32 users thus far have signed a
malicious payload from an attacker, and some of their NFTs were stolen”.
The company is not aware of any recent phishing emails that have been sent to
users, added Finzer, who suggested a fraudulent website may be to blame. He
suggested impacted users reach out to the firm via Twitter support.

OpenSea planned to release a new smart contract (the code
governing its trading platform) on Friday. With the contract upgrade, old,
inactive listings would eventually expire on the platform.

On Twitter, traders shared what they originally believed were official
OpenSea emails about the migration process from contract A to contract B.

According to PeckShield, a blockchain security company
that audits smart contracts, the rumoured exploit was “most likely phishing” –
a malicious contract hidden in a disguised link. The company stated that the
same mass email about the migration process was one of the possible sources of
the link.

The apparent attacker’s address owns around $1.7 million
worth of ETH, as well as three tokens from the Bored Ape Yacht Club, two Cool
Cats, one Doodle and one Azuki. The address has already been slapped with the
“phish/hack” warning badge by blockchain explorer website Etherscan.

OpenSea is one of the largest platforms for NFT trading,
backed by Andreessen Horowitz and actor Ashton Kutcher. It recently raised funds at a
valuation topping $13 billion.