OpenSea, a major non-fungible marketplace (NFT), is said to have been the victim of an ongoing phishing attack in the hours after announcing a week-long scheduled update to remove dormant NFTs on the platform.
Just yesterday, OpenSea announced a smart contract update that requires users to migrate NFTs listed from the Ethereum (ETH) blockchain to a new smart contract. As a result of the upgrade, users who do not migrate from Ethereum risk losing their old, dormant records, which currently do not require gas fees to migrate.
However, the urgency and tight deadlines opened up a small opportunity for hackers. Within hours of announcing the OpenSea update, multiple sources reported an ongoing attack targeting NFTs, which will soon be removed.
Further investigation revealed that the attackers used phishing emails to steal NFTs before transferring them to the new OpenSea smart contract. When a user allows an NFT relay from a fake email, attackers gain access to the NFT.
Users are now advised to beware of all connections from OpenSea, as well as revoke all migration permissions to the new smart contract.
OpenSea co-founder and CEO Devin Finzer has acknowledged the phishing attack, confirming that 32 users have lost NFTs so far. While the NFT market has yet to decipher the ongoing attack, blockchain researcher Buckshield suspects a possible leak of user information (including email identifiers) leading to an ongoing phishing attack.
However, Finzer asked affected users to contact the company upon conclusion:
“If you are concerned and want to protect yourself, you can deny access to your NFT pool.”
About it: UK Revenue Service makes first NFT seizure in VAT fraud case
Her Majesty’s Revenue and Customs (HMRC), the UK’s highest tax authority, has confiscated three NFTs linked to suspected tax evasion.
As Cointelegraph reported, the suspects used fake names and set up 250 fake companies to evade £1.4 million (about $1.8 million) in value-added tax.