OpenSea is investigating a phishing attack in which 17 of its users lost more than 250 NFTs worth around $2 million.

Clarifying issues related to the attack, OpenSea stated that the attack did not exploit any vulnerabilities on its platform or trading systems. The attack relied mainly on deceiving users via phishing.

The NFT platform warned users to remain vigilant and not to click on any link that does not belong to the opensea.io domain.

Researchers at CheckPoint said the attackers were aware of OpenSea’s decision to upgrade its smart contract system, which will purge old and inactive listings on the platform.

While OpenSea has scheduled February 18 to 25 for the update, the company also sent out emails with instructions on how to handle the process.

The attackers prepared for the migration with emails and websites of their own. The emails were then sent to OpenSea customers who unknowingly fell for the trick and click on the malicious link.

Clicking on the link gave attackers access to a number of forwarding requests with verified parameters. As a result, the NFT property was passed on to the attackers.