Security alert: OpenSea users targeted in large-scale phishing scheme

Users of OpenSea, the leading nonfungible token (NFT) marketplace, are reporting an extensive email phishing campaign. The attack includes a fake developer API risk alert and a fraudulent NFT offer.
Phishing campaign
Multiple OpenSea users and developers have encountered phishing attempts by email, according to social media reports.
These emails contain malicious links from individuals posing as OpenSea representatives. A significant aspect of the campaign is the targeting of OpenSea’s developer contacts, indicating a possible data breach from the platform.
An OpenSea developer disclosed on Twitter (X) that they had received a phishing attempt at an email address used exclusively for their OpenSea API key. This event, reported on November 13, suggests that developer contacts have been compromised. The developer’s post highlighted the specific targeting of these contacts in the phishing campaign.
OpenSea issues alert
OpenSea has maintained that its platform has not been hacked. However, they advise users to be wary of untrusted links. Despite this assurance, confusion among users persists.
A Reddit user, inactive on OpenSea for years, reported receiving multiple phishing emails about NFT listings and offers. These emails attempted to direct the user to install a malicious app. The Reddit user expressed concern, questioning whether these attacks were a continuation of previous hacks on the platform:
“I’m getting 3-4 scam/phishing emails a day… The email address they are hitting is one I created specifically for OpenSea.”
API breach
This phishing campaign follows a recent security incident involving one of OpenSea’s third-party vendors. This breach, reported in late September 2023, potentially exposed user emails and developer API keys.
In light of these phishing attacks, the cryptocurrency community is reminded to remain vigilant. Users should verify the authenticity of email senders and avoid clicking on suspicious links. It’s also important to remember that legitimate crypto firms never request personal data like wallet addresses or private keys.