Hundreds of nonfungible tokens have been stolen from NFT marketplace OpenSea with a value of at least $1.7 million.

The theft took place between 5 p.m. and 8 p.m. EST on Saturday and involved 32 users. According to a tweet Saturday by Devin Finzer, co-founder and chief executive of OpenSea, the thefts involved a phishing attack, as affected users signed a malicious payload from an attacker.

Those affected are said to have received fake emails from the attacker purporting to be official emails from OpenSea asking them to migrate their Ethereum listings to a new smart contract. To complicate matters further, OpenSea is actually in the process of asking users to migrate their NFTs from the Ethereum blockchain to a new smart contract, making the emails seem to be legitimate.

Though unconfirmed, the @opensea hack is most likely phishing. Users authorize the "migration" as instructed in the phishing email and the authorization unfortunately allows the hacker to steal the valuable NFTs… pic.twitter.com/Fj5d9ImC2r

— PeckShield Inc. (@peckshield) February 20, 2022

Once targeted OpenSea users clicked on the email, they were persuaded to sign a malicious contract that allowed the attacker to take their NFTs and flip them, according to a site called “Web3 is going just great.”

After stealing the NFTs, the unknown hacker then sold some but also returned some to their rightful owners, along with some Ethereum raised from the theft. As of the last reports, the hacker held $1.7 million in their Ethereum wallet along with three tokens from the Bored Ape Yacht Club, two Cool Cats, one Doodle and one Azuki.

The theft of the NFTs has raised security concerns with web3. Cryptobriefing notes that many Bored Ape Yacht Club holders have lost their high-value NFTs in similar attacks after signing away their assets in recent months. “As NFTs have attracted mainstream interest and their prices have soared, hackers have increasingly turned to the space to target collectors,” the report noted.

Notably, phishing attacks have been a common attack vector in previous theft of NFTs. But not all theft and issues have been phishing-related alone.

In January, it was reported that hackers were exploiting a bug in OpenSea to purchase NFTs at steeply discounted prices and then flip them. The issue involved allowing some users to move their NFTs off the marketplace and avoid delisting fees, but the listing would stay available on the application programming interface back end for OpenSea.

That web3 and NFT holders are being targeted on OpenSea is not surprising given the surge in popularity of NFTs in general and also OpenSea itself. The company raised $300 million in new funding on a valuation of $13.3 billion on Jan. 4. It was noted at the time that the valuation is remarkable and also reflective of the mania surrounding NFTs.

Image: OpenSea