Cointelegraph
DOGE$0.07316 2.84%
TRX$0.3316 0.25%
LINK$8.05 0.00%
ZEC$537.53 2.11%
ADA$0.1634 3.97%
XRP$1.09 1.88%
ETH$1,813.48 0.58%
BTC$63,941.05 0.65%
XMR$329.38 2.33%
BNB$577.07 0.72%
XLM$0.1874 2.31%
SOL$77.16 1.40%
HYPE$67.72 0.58%
Written by Arijit Sarkarformer writerReviewed by Ana Paula Pereirastaff editor

OpenSea planned upgrade stalls as phishing attack targets NFT migration

Latest NewsPublishedFeb 20, 2022

OpenSea announced a new smart contract upgrade with a one-week deadline Friday. However, the urgency and short deadline opened up a small window of opportunity for hackers.

opensea-planned-upgrade-stalls-as-phishing-attack-targets-nft-migration

Major nonfungible token (NFT) marketplace OpenSea has reportedly fallen victim to an ongoing phishing attack within hours after announcing a week-long planned upgrade to delist inactive NFTs on the platform.

Just Friday, OpenSea announced a smart contract upgrade, which requires users to migrate their listed NFTs from the Ethereum (ETH) blockchain to a new smart contract. As a direct result of the upgrade, users who don't migrate over from Ethereum risk losing their old, inactive listings — which currently require no gas fees for migration.

However, the urgency and short deadline opened up a small window of opportunity for hackers. Within hours after OpenSea’s upgrade announcement, reports across multiple sources emerged about an ongoing attack that targeted the soon-to-be-delisted NFTs.

OPENSEA EXPLOITED Everyone tag @opensea to get them to pause their new contract while everyone figures out whats going on with the exploit! #NFT #NFTs #NFTTheft #NFTScam #NFTSecurity #NFTAlert— gt_dog (@gt_dog84) February 20, 2022

Further investigations revealed that the attackers were using phishing emails to steal the NFTs before they were migrated over OpenSea’s new smart contract. Once a user authorized the NFT migration from the fraudulent email, the attackers gained access to the NFTs.

Though unconfirmed, the @opensea hack is most likely phishing. Users authorize the "migration" as instructed in the phishing email and the authorization unfortunately allows the hacker to steal the valuable NFTs... pic.twitter.com/Fj5d9ImC2r— PeckShield Inc. (@peckshield) February 20, 2022

Users were then advised to be wary of all communications from OpenSea in addition to revoking all permissions for migrating to the new smart contract.

We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of https://t.co/3qvMZjxmDB.— OpenSea (@opensea) February 20, 2022

OpenSea co-founder and CEO Devin Finzer acknowledged the phishing attack while confirming that 32 users had lost NFTs. While the NFT marketplace had yet to decipher the ongoing attack, blockchain investigator Peckshield suspected a possible leak of user information (including email ids) that could be fueling the ongoing phishing attack.

However, Finzer asked affected users to reach out to the company as he concluded:

“If you are concerned and want to protect yourself, you can un-approve access to your NFT collection.”

Related: UK tax authority makes first NFT seizure in VAT fraud case

Her Majesty’s Revenue and Customs (HMRC), the chief tax authority in the United Kingdom, seized three NFTs associated with a suspected tax evasion fraud.

As Cointelegraph reported, the suspects used fake identities and created 250 fake “shell” companies to evade 1.4 million British pounds (roughly $1.8 million) in value-added taxes.

1 minute letter

Subscribe to daily byte-sized crypto news from Cointelegraph

Subscribe
Cointelegraph is committed to independent, transparent journalism. This news article is produced in accordance with Cointelegraph’s Editorial Policy and aims to provide accurate and timely information. Readers are encouraged to verify information independently.

More on the subject