Scammers apparently took advantage of the recent OpenSea contract migration notification to swindle NFTs worth millions from their owners using phishing emails. OpenSea's administration is working around the clock to investigate what actually happened.
OpenSea is one of the largest NFT marketplaces, hosting millions of NFTs. It started back in 2017 and became one of the leading platforms for a vast variety of NFTs. Such platforms run on blockchain-based smart contracts. The story starts last Friday, when OpenSea announced a smart contract upgrade. The upgrade was supposed to add a safety feature. The announcement also stated that:
- Users will have control over their funds.
- The upgrade window will last a week, until February 27, 2022.
- No user is required to initialize their wallet again.
- Users only need to sign the contract; there is no gas fee.
The tweet also included a link to the official website for the contract upgrade, along with a tutorial video guiding users through the process.
The attackers used this tweet as cover and started sending emails to NFT holders asking them to upgrade their smart contracts. The link was masked, and the email was a phishing attempt. The email carried the same contract-upgrade message and targeted people who held expensive NFTs. It included the following content with a “Get Started” button. The email source is yet to be verified.
Co-founder and CEO Devin Finzer took to Twitter to explain the event:
“As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.”
OpenSea's CEO asked people to DM him if they had information that could be useful. The investigation, which started with 32 people, was then narrowed down to 17 by focusing only on those who had actually interacted with the attackers rather than everyone initially counted as a victim. Rumors put the stolen funds at more than $200 million. The actual figure is yet to be confirmed by an official source; however, the wallet used to carry out this large-scale phishing only holds 3 ETH at the moment.
Here is the contract address used by the hacker. You can use Etherscan to check the details:
0x3E0DeFb880cd8e163baD68ABe66437f99A7A8A74
The address was created more than 31 days ago, and the wallet still contains many NFTs. It seems, as OpenSea noted, that the scammers are inactive for now, as there has been no activity in the last 20 hours.
Unexplained questions behind the recent OpenSea scam:
- The philanthropy of the scammers:
While I was looking at the blockchain transactions on Etherscan, I found that the transaction at the hash below shows the scammers first swindled NFTs from this address and then, for unknown reasons, not only returned the NFTs but also funded the user with 50 ETH. The question remains unanswered, but it is a relief that at least one victim was refunded.
https://etherscan.io/tx/0xaefdad36aae9da83a8b0bbebb02b7c8cd00adfc6176bb96dc8711883cb82bfe1
- Phishing, or not phishing?
When I dug deeper into the address and tried to find the victim who was refunded, I ran into a new question that contradicts what OpenSea claims. Twitter user @Nate_Rivers posted a video showing his email inbox. He claims not to have received any phishing email, nor to have clicked any spammy link, yet he was scammed. He explains:
“Just opened my email for the first time in weeks. Not only did I not receive a phishing email I haven’t even verified my Opensea account or received a migration email at all. I also had 8 baby kongz, a genesis kong and 100 vx kongz (250e+) why not take those?”
Nate sounded offended, as anyone would be after losing so much. But the question remains: if he did not receive any phishing email, how did he fall victim to the scam? If it was neither email phishing nor the contract upgrade, what could have gone wrong? There is definitely something fishy here.
How to spot and avoid such scams:
We recently covered a comprehensive article on how to spot a rug pull in cryptocurrency projects; however, the case of NFTs is entirely different and thus requires a different approach.
The first and most prominent red flag is being contacted out of the blue. One day you open your email and find a message from a prominent figure inviting you to click a link or offering something intriguing. This is the moment to ask yourself: why me? This can happen through email, personal messages, or even social media platforms. Such messages usually include an emotional trigger to make you either frightened or greedy, and both work equally well. Almost the same happened in the OpenSea case: the scammers themselves approached the victims through email. Not only that, they played on greed and fear by pushing victims to upgrade their contracts before the deadline.
Such emails and messages basically want one of two things from you: to send some funds so they can “double” them for you, or, worse, to send them your private keys or seed phrase. Remember, no legitimate service provider will ask you to send them your funds, passwords, seed phrase, or private key. NEVER share any of the above with ANYONE, or you will lose everything you own.
Concluding thoughts:
OpenSea is running an investigation, as its reputation is at stake. Though there are many conspiracy and contradicting theories, all of this counts as speculation until something comes from OpenSea's official channels. Always bookmark the official website of these platforms and make it a habit to only visit through that link. Try not to click links from any other source, no matter what they claim. Always follow the official platforms on social media to stay up to date.
If you have NFTs on the platform and they are still on the previous smart contract, you can find the necessary instructions to upgrade here:
Trade SAFU!