UPDATE: (10:38 AM Sunday): Early Sunday morning, Finzer said that the firm concluded—based on internal and external conversations—that the incident was a phishing attack and did not originate from OpenSea's website.
"We’re actively working with users whose items were stolen to narrow down a set of common websites that they interacted with that might have been responsible for the malicious signatures," he said on Twitter. "Huge thanks to the users that hopped on the phone with us directly."
UPDATE: (11:01 PM): OpenSea co-founder Devin Finzer tweeted that the firm was still investigating the incident, adding that they believe it stemmed from a "phishing attack."
He added: "We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen."
Finzer suggested impacted users reach out to the firm via Twitter support.
The nascent market for non-fungible tokens was sent into a tizzy Saturday evening after millions of dollars worth of NFTs on OpenSea were swiped by a hacker.
At the time of writing, it is not clear if the assets were stolen via a breach stemming from a deficiency in OpenSea’s platform or a phishing attack—a commonplace way for thieves to access accounts through factitious emails.
“We are actively investigating rumors of an exploit associated with OpenSea related smart contracts,” the firm said in a tweet. “This appears to be a phishing attack originating outside of OpenSea’s website.”
A spokeswoman for the firm directed The Block to this tweet when reached for further updates.
At this point The Block can confirm that the hacker has stollen more than $3 million in assets, which includes popular NFTs like Bored Apes, Azuki and CloneX.
The CEO of Nansen, Alex Svanevik, estimates that about 19 OpenSea users have been impacted.
OpenSea—which recently raised at a valuation topping $13 billion—is one of the largest platforms for NFT trading. It counts Andreessen Horowitz and actor Ashton Kutcher as backers.
This post was updated from its original form to include new information.