OpenSea Investigates Phishing Attack

KEY POINTS

  • Criminals spoofed emails that were part of a planned upgrade to trick users into transferring their non-fungible tokens (NFTs).
  • $1.7 million was stolen from around 17 users in what appears to have been a phishing attack.
  • Report shows wash trading and money laundering are also increasing in the NFT market.

Phishing attacks are increasingly sophisticated. Find out how to protect yourself.

The world's largest NFT marketplace, OpenSea, was hit by a $1.7 million phishing attack last weekend. The hackers took advantage of a planned upgrade to trick users into essentially signing a blank NFT check. OpenSea says the attack no longer appears to be active.

NFTs are essentially digital certificates of ownership for all kinds of items, such as art, sports collectibles, music, and much more. The NFT industry is booming, but unfortunately so is NFT crime.

Details of OpenSea's phishing attack

Approximately 250 tokens were stolen from 17 affected users in the attack. OpenSea originally thought 32 people had been hit, but later revised that figure, saying 15 people had interacted with the phisher but had not lost NFTs.

It still isn't clear exactly how the attackers were able to carry out the scam. At the time, OpenSea tweeted, "This appears to be a phishing attack originating outside of OpenSea's website."

It looks like the hacker duplicated an email sent to OpenSea users about the upgrade and directed them to a fake webpage. There, they were asked to sign what looked like a legitimate contract to migrate their NFTs over to the new system. Given that users were expecting to receive an email from OpenSea about the migration, they were less likely to notice the spoof.

This is not the first time OpenSea's platform has been hit by criminals. In January, hackers exploited a flaw in the platform's code to buy NFTs for significantly less than their market value -- profiting by around $1.8 million. OpenSea reimbursed the affected users.

NFT crime is on the rise

A recent report from Chainalysis showed the NFT market was worth at least $44.2 billion in 2021 -- up from $106 million the year before. The crypto analytics company tracked NFT trading on the Ethereum (ETH) blockchain. Ethereum is the most popular network for NFTs, but other platforms such as Solana (SOL) and Tezos (XTZ) are starting to gain traction.

Chainalysis highlighted two forms of illicit activity in the NFT industry:

  • Wash trading. This is a form of market manipulation where the same person buys and sells the same NFT to push the price up.
  • Money laundering. Chainalysis points out that money laundering has long been an issue in the art world and is now a "small but visible" part of the NFT industry.

Protect yourself against phishing attacks

Phishing attacks like the recent OpenSea one can be extremely sophisticated. Phishing is an increasingly common type of fraud in which attackers use fake emails or other forms of communication to trick people into giving away sensitive information. The attacker may direct you to a fake website, or try to get you to reply to the email, or respond to a caller, and share your information.

Phishers pose as a trusted source, such as your bank or cryptocurrency exchange, and use the data they steal to access your accounts. In some cases, phishers have managed to hijack company computer networks.

Here are some ways to guard against phishing attacks:

  • Be alert. Legitimate companies won't ask you to share your password or other sensitive data by email or over the phone.
  • Look at the details. Phishing emails often come from an email address that is similar to, but not the same as, the real source. The details are usually slightly off: a URL might be slightly misspelled, or the email might be addressed to something generic like "Hi dear" instead of your name. These are all tell-tale signs of a phisher.
  • Be wary of clicking on links or attachments. Attachments can contain viruses and malware and the link may not take you to the real site. Bookmark important websites and use your saved links.
  • Keep your anti-malware and antivirus software up to date. Antivirus software can't stop phishing attacks, but it will protect you against known viruses and malware.
  • Set up multi-factor authentication. Enabling two-factor or multi-factor authentication on your accounts means you'll have to provide extra information each time you log on. For example, you might install Google Authenticator on your phone and enter the code in addition to your username and password. This makes it harder for hackers to gain access.
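
The "look at the details" checks above (a sender address or link that is close to, but not the same as, the real one, and a generic greeting) can also be run automatically over an incoming message. The Python below is an added example, not part of the original article or any OpenSea tool; the trusted-domain list, the `.example` addresses and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the domains you really do business with (hypothetical allowlist).
TRUSTED_DOMAINS = {"opensea.io"}
GENERIC_GREETINGS = ("hi dear", "dear user", "dear customer")

def edit_distance(a, b):
    """Levenshtein distance, used to catch slightly misspelled names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if genuine or unrelated."""
    domain = domain.lower().rstrip(".")
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None  # exact match or a real subdomain of a trusted domain
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        for label in domain.split("."):
            if brand in label or edit_distance(label, brand) <= 2:
                return trusted  # brand name embedded or misspelled in another domain
    return None

def phishing_signs(raw_email):
    """Return the warning signs found in a raw (RFC 5322) plain-text email."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    hosts = [urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s\"'<>]+", body)]
    signs = []
    for kind, host in [("sender domain", sender)] + [("link host", h) for h in hosts]:
        target = lookalike_of(host)
        if target:
            signs.append(f"{kind} {host} imitates {target}")
    if any(g in body.lower() for g in GENERIC_GREETINGS):
        signs.append("generic greeting instead of your name")
    return signs

# Constructed sample message; every address and domain in it is invented.
SAMPLE = ("From: OpenSea <noreply@opensae.example>\nSubject: Migrate your listings\n\n"
          "Hi dear,\nMigrate at https://opensea-migration.example/start today.\n")
```

Calling `phishing_signs(SAMPLE)` reports all three signs. A clean result does not prove a message is safe, so the advice to use bookmarked links still applies.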

Unfortunately, new technologies like NFTs and cryptocurrency attract criminals who seek to exploit any loopholes in these fast-moving industries.