Reports indicate that OpenSea users have been targeted with fake developer API alerts and NFT offers in a widespread phishing campaign
Some OpenSea users have reportedly complained about receiving phishing emails containing malicious links. The emails are allegedly from attackers posing as the NFT marketplace.
According to reports from a Web3 Anti-Scam platform on X(formerly Twitter), users were warned about the recent email phishing campaign. The campaign includes fake developer account alerts and fake NFT offers.
beware there are a few email phishing campaigns targeting OpenSea's users and developers recently, including:
– fake developer account risk alert
– fake offer pic.twitter.com/cLpoZijFLO
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) November 13, 2023
Opensea tweeted on their official page on X (formerly Twitter) stating that their platform is fine and there’s currently no hack. They also warned users to avoid clicking on links they don’t trust.
There's no hack. DO NOT click links you don't trust.
— OpenSea (@opensea) November 13, 2023
An OpenSea developer took to X (formerly Twitter) on Nov. 13 in response to OpenSea statement about the platform not being hacked, the developer reported receiving a phishing email that targeted their API key.
“Correct- there is no smart contract vuln. But unfortunately for @opensea I just received a phishing attempt, to an email that was strictly dedicated to my OpenSea API key. In other words, dev contacts have been exfiltrated from OpenSea and are the real target in this campaign.”
Correct- there is no smart contract vuln. But unfortunately for @opensea I just received a phishing attempt, to an email that was strictly dedicated to my OpenSea API key. In other words, dev contacts have been exfiltrated from OpenSea and are the real target in this campaign https://t.co/GD4UgwWIrx pic.twitter.com/rtyUJBMlwl
— Quantity (@quantity) November 13, 2023
On Nov. 14, another OpenSea user expressed concerns on Reddit over the ongoing phishing campaign. The user said: “Haven’t used OpenSea for years and all of a sudden, I keep getting emails talking about my NFT listings getting offers,” the user also added that the links he received are all fake and they were trying to direct the reader to install a malicious app.
This news comes a few weeks after one of OpenSea’s third-party vendors was involved in a data breach that exposed user API keys. OpenSea notified users of the breach in a September email.
Choose your third party well…
Opensea posted that a vendor was attacked, resulting in the leak of developers' API keys!
Get advice from a professional security consultant about the safety of the third party before choosing. E.g. @SlowMist_Team 😎 pic.twitter.com/jcBJ9IaAEN
— 23pds (@IM_23pds) September 23, 2023
This isn’t the first time OpenSea users have received phishing emails. In February 2022, OpenSea confirmed that it was facing a phishing attack and urged users not to click on any links in the emails. The company also investigated reports of an exploit associated with OpenSea-related smart contracts.
OpenSea did not immediately respond to a request for comment. This incident follows OpenSea’s recent announcement that it would lay off 50% of its staff, citing a renewed focus on the launch of OpenSea 2.0 with a smaller team.
This phishing attack serves as a reminder to the crypto community to be cautious of emails from service providers. Users should always verify the sender’s identity and avoid clicking on links in emails.