Major nonfungible token (NFT) marketplace OpenSea has reportedly fallen victim to an ongoing phishing attack within hours after announcing a week-long planned upgrade to delist inactive NFTs on the platform.
Just yesterday, OpenSea announced a smart contract upgrade, which requires users to migrate their listed NFTs from Ethereum (ETH) blockchain to a new smart contract. As a direct result of the upgrade, users that don’t migrate over from Ethereum risk losing their old, inactive listings — which currently require no gas fees for migration.
However, the urgency and short deadline opened up a small window of opportunity for hackers. Within hours after OpenSea’s upgrade announcement, reports across multiple sources emerged about an ongoing attack that targets the soon-to-be-delisted NFTs.
OPENSEA EXPLOITED Everyone tag @opensea to get them to pause their new contract while everyone figures out whats going on with the exploit! #NFT #NFTs #NFTTheft #NFTScam #NFTSecurity #NFTAlert
— gt_dog (@gt_dog84) February 20, 2022
Further investigations revealed that attackers used phishing emails to steal the NFTs before they get migrated over OpenSea’s new smart contract. Once a user authorizes the NFT migration from the fraudulent email, the attackers gain access to the NFTs.
Though unconfirmed, the @opensea hack is most likely phishing. Users authorize the “migration” as instructed in the phishing email and the authorization unfortunately allows the hacker to steal the valuable NFTs… pic.twitter.com/Fj5d9ImC2r
— PeckShield Inc. (@peckshield) February 20, 2022
Users are now advised to be wary of all communications from OpenSea in addition to revoking all permissions about the migration to the new smart contract.
We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website. Do not click links outside of https://t.co/3qvMZjxmDB.
— OpenSea (@opensea) February 20, 2022
OpenSea co-founder and CEO Devin…