Activity on OpenSea, the world’s largest marketplace for digital collectibles, likely dropped precipitously after a phishing attack that saw traders lose as much as an estimated US$3 million.

Trading in nonfungible tokens plummeted in recent days, according to data provider DappRadar. OpenSea’s seven-day trading volume was down 37 per cent as of Tuesday, DappRadar found. 

An unidentified hacker stole 254 tokens from OpenSea users by sending a malicious email asking to transfer their assets to a new contract. Around 17 traders signed the contract, which effectively acted as a blank check, giving the hacker access to all of the NFTs stored on their wallet. 

Some of those assets have since been sold, netting the perpetrator a hefty gain. Devin Finzer, OpenSea’s chief executive officer, valued the total amount stolen at US$1.7 million on Sunday, but researchers since have valued the pile at anywhere between US$2 million and US$3 million. Among the stolen NFTs included four Bored Apes, three of which were later sold on rival platform LooksRare for a combined US$667,000, according to data from blockchain security service PeckShield.

The number of traders using OpenSea dropped by 19 per cent, to about 227,272 over the seven days ended Tuesday, per DappRadar. Over that period, trading volume on LooksRare plunged nearly 65 per cent, while volume on BloctoBay rose by more than 215 per cent, according to DappRadar.

OpenSea disputed the data provided by DappRadar, adding in a statement: “For more accurate and complete data, please refer to Dune Analytics.”

OpenSea said on Monday that the attacker’s crypto wallet has gone quiet since the theft, with no transaction activity spotted in the last 24 hours. 

The marketplace’s Chief Technology Officer Nadav Hollander said the incident demonstrated a need for more awareness about the security issues surrounding off-chain signatures among NFT traders. There were no flaws found in ongoing contract migration by OpenSea that could have caused the attack, but the process opened a window of opportunity for the perpetrator to fool their victims by closely mimicking OpenSea’s communications on the matter.

 “Education on not sharing seed phrases or submitting unknown transactions has become more widespread in our space. However, signing off-chain messages requires equal consideration,” said Hollander.