Major nonfungible token (NFT) marketplace OpenSea has reportedly been compromised by an ongoing phishing attack just hours after announcing a week-long upgrade to delist inactive NFTs.
Yesterday, OpenSea announced an upgrade to its smart contracts, requiring users to migrate their listed Ethereum (ETH) NFTs to the new smart contract. Because of the upgrade, users who don’t migrate risk losing their old, inactive listings – which don’t require gas fees at the moment.
Because of the short deadline and urgency, hackers had a small window of opportunity. Several hours after OpenSea announced its upgrade, reports emerged of an ongoing attack against the soon-to-be-delisted NFTs.
Further investigation revealed that attackers used phishing emails to steal the NFTs before they were migrated to OpenSea’s new smart contract. Once a user authorizes the NFT “migration” requested in the fraudulent email, the attackers gain access to the NFTs.
Though unconfirmed, the @opensea hack is most likely phishing. Users authorize the “migration” as instructed in the phishing email and the authorization unfortunately allows the hacker to steal the valuable NFTs… pic.twitter.com/Fj5d9ImC2r
— PeckShield Inc. (@peckshield) February 20, 2022
Users are now advised to be wary of all communications claiming to come from OpenSea, and to revoke any permissions granted in connection with the migration to the new smart contract.
We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website. Do not click links outside of https://t.co/3qvMZjxmDB.
— OpenSea (@opensea) February 20, 2022
OpenSea co-founder and CEO Devin Finzer acknowledged the phishing attack while confirming that 32 users have lost NFTs so far. While the NFT marketplace has yet to fully unravel the ongoing attack, blockchain investigator PeckShield suspects a possible leak of user information (including email IDs) is fueling the phishing campaign.
However, Finzer has asked affected users to reach out to the company as he concluded:
“If you are concerned and want to protect yourself, you can un-approve access to your NFT collection.”
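As an added illustration of the “un-approve access” advice (example code, not from the article or from OpenSea): the check below decodes raw Ethereum calldata presented in a signing prompt and flags a blanket NFT approval to an unfamiliar operator. It assumes the phishing “migration” authorization was an ERC-721/ERC-1155 setApprovalForAll call, which the article does not state, and the operator addresses and allowlist are constructed placeholders.

```python
# Added example (not from the article): inspect raw calldata that a signing
# prompt asks the user to approve, and flag blanket NFT approvals.
# Assumption: the "migration" authorization was an ERC-721/ERC-1155
# setApprovalForAll(operator, approved) call; the article does not say so.

# 4-byte selector = first 4 bytes of keccak256("setApprovalForAll(address,bool)")
SET_APPROVAL_FOR_ALL = "a22cb465"

# Operators the user recognises. Placeholder address, constructed for this example.
KNOWN_OPERATORS = {
    "0x1111111111111111111111111111111111111111",  # e.g. a marketplace's own contract
}

def decode_set_approval_for_all(calldata: str):
    """Return (operator, approved) if calldata is a setApprovalForAll call, else None."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != SET_APPROVAL_FOR_ALL:
        return None
    operator = "0x" + data[8 + 24:8 + 64]   # address is right-aligned in a 32-byte word
    approved = int(data[8 + 64:], 16) != 0  # bool occupies a 32-byte word; non-zero = true
    return operator, approved

def assess_approval(calldata: str) -> str:
    """Classify a signing request: 'ignore', 'revoke', 'known-operator' or 'BLOCK'."""
    decoded = decode_set_approval_for_all(calldata)
    if decoded is None:
        return "ignore"           # not a blanket approval; outside this check's scope
    operator, approved = decoded
    if not approved:
        return "revoke"           # setApprovalForAll(op, false): the remediation step
    if operator in KNOWN_OPERATORS:
        return "known-operator"
    return "BLOCK"                # grants an unknown operator control of every token

def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """ABI-encode a setApprovalForAll call; used here to construct sample inputs."""
    return ("0x" + SET_APPROVAL_FOR_ALL
            + operator.lower().removeprefix("0x").rjust(64, "0")
            + ("1" if approved else "0").rjust(64, "0"))

if __name__ == "__main__":
    # Constructed sample: a prompt granting an unfamiliar address blanket approval.
    unfamiliar = "0x2222222222222222222222222222222222222222"
    print(assess_approval(encode_set_approval_for_all(unfamiliar, True)))   # BLOCK
    print(assess_approval(encode_set_approval_for_all(unfamiliar, False)))  # revoke
```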
Her Majesty’s Revenue and Customs (HMRC), the chief tax authority in the United Kingdom, seized three NFTs associated with a suspected tax evasion fraud.
As Cointelegraph reported, the suspects used fake identities and created 250 fake “shell” companies to evade 1.4 million British pounds (roughly $1.8 million) in value-added taxes.