NFT marketplace OpenSea suffered a phishing attack targeting 17 users, who lost approximately 250 NFTs worth $1.7 million. The phishing scam happened amid an update that required people to migrate their listings. Allegedly, the attackers knew about the update and used the opportunity to scam users.
OpenSea had informed its users that they would have to update any existing listings between February 18 and 25 if they wanted to keep them active on the platform. According to researchers at Check Point, the phishers used this opportunity to send their own emails, tricking users into believing that the emails originated from OpenSea.
The cybercriminals carried out a dry run of the hack on January 21 to check if the attack would work as intended. While earlier reports named a bug in the migration tool as the attack vector, that has been ruled out, and OpenSea added that the attack did not compromise any of its systems. The company also clarified that the Wyvern Protocol logo on the new OpenSea signature information is credible and that, as long as people are signing on opensea.io, it's all safe.
How the scam worked
OpenSea was upgrading its smart contract system to get rid of all old and inactive listings on the platform and had prepared for the process by sending out instructions to their users and setting up websites of their own.
The phishing emails had a link to a page where users were supposed to sign a transaction concerning the migration process. However, instead of completing the migration process, the transaction allowed the attacker to perform a number of forwarding requests with verified parameters that transferred the NFTs' ownership to the attackers.
The attack seems to have stopped for the moment, as there has been no loss of NFTs or transactions on the attacker's wallet in the past 36 hours.
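OpenSea's guidance above is to sign only on opensea.io, and the phishing emails relied on a link that led somewhere else. The following is an added example, not code from OpenSea or Check Point: a mail-triage check that extracts links from a message body and flags any that do not resolve to opensea.io over HTTPS. The function names, the trust rule (opensea.io and its subdomains) and the sample email are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: a signing link may only point at opensea.io
# or one of its subdomains (the article names opensea.io only).
TRUSTED_DOMAIN = "opensea.io"
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def link_verdict(url):
    """Return 'trusted' or a short reason why the link is not on opensea.io."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return "not https"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "no host"
    if parts.username is not None:
        # https://opensea.io@other.example/ shows a trusted name before the '@'
        return "userinfo in URL"
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        # Lookalike characters can imitate the real name
        return "non-ASCII or punycode host"
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "trusted"
    return "different domain"


def triage_email(body):
    """Map every link found in an email body to its verdict."""
    return {url: link_verdict(url) for url in URL_RE.findall(body)}


# Constructed sample email; none of these URLs are taken from the incident.
SAMPLE = """Action required: migrate your listings before February 25.
Start here: https://opensea.io/migrate
Mirror: https://opensea.io.listing-migrate.example/sign
Backup: https://opensea.io@migrate.example/sign
Legacy: http://opensea.io/account
Support: https://support.opensea.io/hc
"""

if __name__ == "__main__":
    for url, verdict in triage_email(SAMPLE).items():
        print(f"{verdict:28} {url}")
```

A "trusted" verdict only covers where the link points; it says nothing about what the transaction presented for signature will authorize.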