Phishing in the OpenSea

Phishing in the OpenSea

OpenSea’s smart contract migration was marked by a phishing attack, still ongoing.

Phishing is one of the most popular scam types, be it a phone call by a “bank employee” precising your personal details, an email from a “payment provider” asking to reset your password, or a phony “merchant site” waiting for you to enter your credit card number. Getting victims to give access to their money voluntarily by pretending to be a legit service – easy and efficient – makes phishing so popular among fraudsters of all kinds.

Crypto space of course is no exception, and a recent phishing attack got everyone talking about OpenSea. Again.
On Friday the biggest NFT marketplace announced its smart contract upgrade intended to delist inactive NFTs. Active users have one week to migrate their listings to the new contract without paying gas fees; after February 25th old listings will expire.

The scammers jumped on the opportunity and launched a phishing attack providing users with fake links that ask their wallets to authorize a malicious contract. So far 32 users have lost their NFTs.

? It is not yet clear how exactly the scammers conducted their business. From what can be seen on-chain, the contract the attacker used to interact with OpenSea was created one month ago and became active yesterday. The attacker had people sign half of a valid contract containing the target (attacker contract), while they signed another half themselves, which, after a couple more steps, allowed them to steal the NFTs.

?️‍♂️ OpenSea’s CEO Devin Finzer said the company does not have information about phishing emails, and has not yet identified the phony websites tricking users into maliciously signing messages. The investigation continues.

⚠️ OpenSea’s phishing attack is another reminder to always check the website address in your browser when you sign messages and be cautious of what you sign. In the meantime, you can use etherscan to revoke OpenSea’s smart contract access to be on the safe side.