Reports have surfaced indicating that users of the prominent non-fungible token (NFT) marketplace, OpenSea, are falling victim to a new wave of email phishing attacks.
Users and developers have reported malicious emails containing deceptive links that purport to be from OpenSea.
Various phishing campaigns, including a fabricated developer account risk alert and a bogus NFT offer, have been identified.
Although OpenSea has given assurances that its platform remains uncompromised, users are advised to be cautious with links in emails.
An OpenSea developer disclosed on X (formerly known as Twitter) receiving a phishing attempt directed specifically at their OpenSea Application Programming Interface (API) key.
The revelation suggests that developer contact details have potentially been accessed from OpenSea, and that developers are the primary target in this campaign.
In response to OpenSea’s denial of a hack and the caution to avoid untrusted links, social media platforms, including Reddit, have become forums for users expressing confusion and concern over the ongoing phishing incidents.
The poster wrote:
“Haven’t used OpenSea for years and all of a sudden, I keep getting emails talking about my NFT listings getting offers. Right now I’m getting 3-4 scam/phishing emails a day, which is crazy since I got zero just a few weeks ago. So my question is, did something new happen to OpenSea? The email address of mine they are hitting is one I created specifically for OpenSea so not concerned, but I know OpenSea had hacks previously. Are they just now hitting up my email or is there a new one?”
This development unfolds weeks after one of OpenSea’s third-party vendors encountered a security incident, leading to the exposure of information related to user API keys.
The breach, reported in a late September 2023 email notification to affected users, disclosed the potential leakage of user emails and developer API keys.
Notably, OpenSea had experienced a phishing attack in February 2022, prompting an official confirmation and urging users to refrain from clicking on links within such emails.
During that incident, the company was also probing rumors related to an exploit associated with OpenSea-related smart contracts.
This recent phishing episode serves as a poignant reminder for the cryptocurrency community to remain vigilant when engaging with communications from service providers.
Users are advised to exercise caution regarding email sender authenticity and associated links.
It is crucial to recognise that legitimate crypto firms never solicit personal data such as wallet addresses or private keys through email communication.