Just yesterday, the OpenSea NFT marketplace announced a smartcontract update that requires users to migrate NFT from the Ethereum blockchain (ETH) to the new smartcontract. As a result of the update, users who do not migrate from Ethereum risk losing their old inactive NFTs.
A few hours after the update was announced, there were reports from several sources of an ongoing attack targeting NFTs that would soon be delisted.
Further investigations revealed that attackers used phishing emails to steal NFTs before they were migrated to the new OpenSea smart contract. Once the user authorizes the NFT migration by following a link from the fraudulent email, the attackers gain access to the token.
Users have now been advised to be cautious about all emails from OpenSea.
OpenSea co-founder and CEO Devin Finzer acknowledged the phishing attack, confirming that NFTs have been stolen from 32 users so far.
In addition, analytics platform Peckshield discovered a possible leak of user information (including email identifiers).