Within hours of announcing a week-long scheduled upgrade to permanently remove inactive NFTs on the platform, major non-fungible token (NFT) marketplace OpenSea has apparently fallen victim to an ongoing phishing attack.
OpenSea released a smart contract upgrade only yesterday, requiring users to convert their posted NFTs from the Ethereum (ETH) blockchain to a new smart contract. Users who do not migrate from Ethereum risk losing their old, inactive listings, which presently do not require gas fees for conversion.
However, the urgency and short deadline gave hackers a brief window of opportunity. Within hours of OpenSea's upgrade statement, various sources started reporting an ongoing attack against the soon-to-be-delisted NFTs.
Further analysis indicated that the NFTs were stolen using phishing emails before being moved to OpenSea's new smart contract. The attackers gain access to the NFTs once a user authorizes the migration as instructed by the bogus email.
Though unconfirmed, the @opensea hack is most likely phishing. Users authorize the "migration" as instructed in the phishing email and the authorization unfortunately allows the hacker to steal the valuable NFTs… pic.twitter.com/Fj5d9ImC2r
— PeckShield Inc. (@peckshield) February 20, 2022
Users should be cautious of all emails from OpenSea and revoke all permissions related to the migration to the new smart contract.
We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of https://t.co/3qvMZjxmDB.
— OpenSea (@opensea) February 20, 2022
32 OpenSea users have lost their NFTs
Devin Finzer, co-founder and CEO of OpenSea, confirmed that 32 users have lost their NFTs as a result of the phishing attack. While the NFT marketplace has yet to fully understand the ongoing phishing attack, blockchain investigator PeckShield suspects that a possible loss of user data (including email addresses) is fueling it.
“If you are concerned and want to protect yourself, you can un-approve access to your NFT collection,” Finzer said, urging affected consumers to contact the company.
As TheCoinRise reported, OpenSea, the biggest NFT marketplace, raised $300 million in Series C funding led by Coatue and Paradigm. At the time, the company aimed to use the funds to improve customer experience.