OpenSea 'Phishing Attack' Sparks Confusion and Chaos

7 months ago

NFTs have been stolen from dozens of users so far, with the world's biggest marketplace launching an "all hands on deck" investigation.

There's confusion and chaos after OpenSea was hit by a suspected phishing attack — with non-fungible tokens stolen from dozens of users.

The world's biggest NFT marketplace has been in the process of upgrading its smart contract — a move that was designed to ensure that old, inactive listings expire, and prevent collectibles from inadvertently being sold at prices below the market rate.

OpenSea had clearly signposted the contract upgrade in a blog post at the start of the month, but this may have prompted opportunistic fraudsters to deceive victims by sending out bogus emails that pretend to be from the platform.

The blockchain intelligence firm Peckshield shared a screenshot of a suspect email that accurately explains the change that's being made — accompanied by a "Get Started" button.

But clicking this link and authorizing the migration ultimately gives hackers the ability to steal valuable NFTs.

Late on Saturday night, the marketplace tweeted:

"We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of"

'I Know You're All Worried'

OpenSea's CEO Devin Finzer also stressed that this appears to be a phishing attack, rather than a vulnerability linked to the company's website. He added that 32 victims have been identified so far, and it appears the attacker has returned some of the NFTs. His Twitter thread added:

"I know you’re all worried. We're running an all hands on deck investigation … We are not aware of any recent phishing emails that have been sent to users, but at this time we do not know which website was tricking users into maliciously signing messages."

At the time of writing on Sunday morning, the address that has been linked to the phishing scam held 641 ETH — worth about $1.7 million at the current market rate. The wallet was also storing three Bored Ape Yacht Club tokens.

Crypto Twitter was rife with criticism for OpenSea, not least because these phishing attempts appeared to be a carbon copy of a genuine email that had been sent a few days ago. Others said the incident underscored how important it is to always check what you are signing.

Earlier, there had been conflicting reports that an exploit had been found in the new OpenSea contract — allowing attackers to drain wallets. The latest statement from the platform suggests otherwise.

Amid the panic and confusion, some Twitter users — such as @AltcoinPsycho — attempted to lighten the mood with a joke:

"I'd panic about the whole OpenSea situation but all my NFTs are basically worthless."