Just yesterday, OpenSea announced a smart contract upgrade, which requires users to migrate their listed NFTs from Ethereum (ETHThe blockchain for a new smart contract. As a direct result of the upgrade, users who do not migrate from Ethereum risk losing their old, inactive listings – which currently do not require a gas fee for migration.
The Non-Fungible Cryptocurrency (NFT) marketplace OpenSea was reported to have fallen victim to an ongoing phishing attack within hours after announcing a planned week-long upgrade to remove inactive NFTs on the platform.
However, the urgency and the short deadline opened a small window of opportunity for hackers. Within hours after OpenSea upgrade announcementHowever, reports have surfaced across multiple sources about an ongoing attack targeting NFT teams that will soon be taken down.
OPENSEA EXPLOITED FOR EVERYONE Tag Tweet embed To get them to pause their new contract while everyone finds out what’s going on with the exploit! #NFT # denied #NFTTheft #NFTScam #NFTSecurity #NFTalert
– gt_dog (@gt_dog84) February 20 2022
Further investigation revealed that the attackers used phishing emails to steal NFTs before migrating them through the new OpenSea smart contract. Once the user authorizes the NFT relay from the fraudulent email, the attackers gain access to the NFTs.
Although not confirmed, the file Tweet embed The hack is most likely a phishing scam. Users authorize “relay” as described in the phishing email and the authorization unfortunately allows the hacker to steal valuable NFTs… pic.twitter.com/Fj5d9ImC2r
– PeckShield Inc. (pickshield) February 20 2022
Users are now advised to beware of all connections from OpenSea as well as revoke all permissions related to the transition to the new smart contract.
We are actively investigating smart contract exploit rumors related to OpenSea. This appears to be a phishing attack that originated outside the OpenSea website. Do not click links outside https://t.co/3qvMZjxmDB.
– OpenSea (opensea) February 20 2022
OpenSea co-founder and CEO Devin Finzer acknowledged the phishing attack while confirming that 32 users have lost NFTs so far. While the NFT market has yet to decipher the ongoing attack, blockchain investigator Peckshield suspects that user information (including email identifiers) may have been leaked that fuels the ongoing phishing attack.
However, Finzer has asked affected users to reach out to the company, concluding:
“If you are concerned and want to protect yourself, you can opt-out of access to your NFT collection.”
Her Majesty’s Revenue and Customs (HMRC), the UK’s main tax authority, has seized three NFTs linked to suspected tax evasion fraud.
As Cointelegraph reported, the suspects used false identities and set up 250 fictitious companies to evade value-added taxes of £1.4 million (about $1.8 million).
“Typical beer advocate. Future teen idol. Unapologetic tv practitioner. Music trailblazer.”