OpenSea Fake Verification Phishing Emails
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description.
Many users of OpenSea, one of the largest NFT marketplaces in the world, received phishing emails asking them to click a link and complete a verification within the next couple of days, and threatening account suspension if they did not. The email was not from OpenSea, and likely attempted to steal the assets or private keys of users who complied. It is not known how many users were affected.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12]
About OpenSea
"The world’s first and largest digital marketplace for crypto collectibles and non-fungible tokens (NFTs). Buy, sell, and discover exclusive digital items." "Discover, collect, and sell extraordinary NFTs. OpenSea is the world's first and largest NFT marketplace."
"As the first and largest marketplace for Non-Fungible Tokens and Semi-Fungible Tokens, OpenSea provides a first-in-class developer platform consisting of an API, SDK, and developer tutorials. Feel free to browse around and get acclimated with developing smart contracts and interacting with NFT data."
"Fascinated by the [CryptoKitties] movement that was forming, Devin Finzer and Alex Atallah joined early adopter communities in Discord and started talking to users. With the OpenSea beta launch in December 2017, the first open marketplace for any non-fungible token on the Ethereum blockchain was born."
"Valued at $13 billion in a recent funding round, OpenSea has become one of the most valuable companies of the NFT boom, providing a simple interface for users to list, browse, and bid on tokens without interacting directly with the blockchain."
OpenSea Trading Platform Migration
On February 27th, 2022, many OpenSea users started to receive an email telling them that their accounts required verification for the new platform and that unverified accounts would be suspended.
Dear customer,
Due to OpenSea's migration to the new trading platform, we require all of our users to verify their accounts. All unverified accounts will be suspended on Monday, February 28th, 2022.
We apologize for any inconvenience this might cause, but please keep in mind that our goal is to provide our customers with the safest and most reliable trading platform. To prevent your OpenSea account from getting suspended please verify it using the link below prior to Monday, February 28th, 2022.
Best regards, OpenSea.
The Reality
The emails did not originate from OpenSea. Users who completed the verification process would have had the information they provided used against them.
TBD - What information was requested by the phishing attack?
Over the weekend, at least 32 users of the popular NFT trading site OpenSea fell victim to a phishing attack, resulting in the loss of approximately 254 tokens worth over $1.7 million. The attacks took place between 5PM and 8PM ET on Saturday. OpenSea CEO Devin Finzer confirmed that the attack was likely separate from the platform and resembled a traditional email phishing scheme targeted at the NFT space. The NFT transfers were technically signed off using the sellers' unique signatures, but they were tricked into filling out the information on an inconspicuous platform, similar to fake links in email phishing scams. The NFT market has faced other issues such as counterfeit digital assets and stolen art, with many artists having their works uploaded without permission. The nature of NFTs and their ownership raises questions about what should be considered a crime in this space[13].
"We've seen some reports of users getting emails from http://openseateam.io."
"This is not an official Opensea email address."
What Happened
On February 27th, 2022, many users of the OpenSea platform reported that they had been subject to a phishing attack.
Date | Event | Description |
---|---|---|
October 4th, 2021 2:19:00 PM MDT | OpenSea Publishes Tips | OpenSea publishes a series of tips for protecting yourself from scams online[14]. |
February 20th, 2022 10:57:07 PM MST | PCGamer Article Report | PCGamer reports that, over the weekend, at least 32 users of the popular NFT trading site OpenSea fell victim to a phishing attack, resulting in the loss of approximately 254 tokens worth over $1.7 million. The attacks took place between 5PM and 8PM ET on Saturday. OpenSea CEO Devin Finzer confirmed that the attack was likely separate from the platform and resembled a traditional email phishing scheme targeted at the NFT space. The NFT transfers were technically signed off using the sellers' unique signatures, but they were tricked into filling out the information on an inconspicuous platform, similar to fake links in email phishing scams. The NFT market has faced other issues such as counterfeit digital assets and stolen art, with many artists having their works uploaded without permission. The nature of NFTs and their ownership raises questions about what should be considered a crime in this space[13]. |
February 26th, 2022 9:16:00 PM MST | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
March 3rd, 2022 7:18:05 AM MST | CoinYuppie Article Mentions Phishing | The phishing attack is mentioned in a CoinYuppie article[15]. |
Technical Analysis
TBD - Need more details on the actual phishing attack and what was shown on the phishing website.
Total Amount Lost
The total amount lost is unknown.
Immediate Reactions
"On February 27, OpenSea appeared again with a phishing email attack. According to OpenSea’s official social media account, it was recently discovered that some users had received emails from openseateam.io (phishing links), the platform reminding users not to click on such phishing emails."[15]
"We've seen some reports of users getting emails from http://openseateam.io."
"This is not an official Opensea email address. Please do not click on this email."
Ultimate Outcome
TBD
"Relevant data shows that after the phishing attack, the user activity on OpenSea also dropped rapidly. Within three days of the incident, the user activity on the platform dropped by at least 20%, the transaction volume dropped by 37% within seven days, and nearly 230,000 users left OpenSea this week."[15]
Total Amount Recovered
It is unclear if any funds were lost in this case.
Ongoing Developments
TBD
Individual Prevention Policies
Generally, such attacks depend on users either providing their seed phrase, installing malicious software, or approving the attackers to have access to their wallet.
Private keys can be obtained through seed phrases, mnemonics, private key files, mobile synchronization screens, wallet export features, wallet backups, and similar sources. Never send any of these to anyone you do not intend to allow to take all of your money. Attackers will use a wide variety of tactics to convince you, such as pretending to be your wallet software, pretending they work for the wallet software, or asking you to screen share. Don't fall for them.
Any time untrusted software is run is an opportunity for abuse. It is recommended to always interact with cryptocurrency in a fully controlled environment, meaning one where you understand every piece of software running there. Using a hardware wallet, a spare computer with all software wiped, and/or a virtual machine with only the needed software greatly reduces your attack surface. Take the time to verify that downloaded files come from the correct and expected source and match available hashes if provided. Any time you encounter a new file, always check whether it can contain executable code before using it.
Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
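One way to review an approval before signing it, shown as an added example that is not part of the original case study: the sketch decodes the raw transaction data a wallet is asked to sign and reports the full spender address and any broad permission. The two function selectors come from the ERC-20, ERC-721 and ERC-1155 token standards and are an assumption here, since the page does not say which calls the phishing site requested; the sample operator address is constructed.

```python
# Function selectors from the ERC-20 / ERC-721 / ERC-1155 token standards
# (an assumption of this example; the page does not name specific calls).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
MAX_UINT256 = 2**256 - 1

# Constructed calldata: setApprovalForAll(<made-up operator>, true).
SAMPLE_OPERATOR = "0x" + "ab" * 20
SAMPLE_CALLDATA = "0xa22cb465" + "00" * 12 + "ab" * 20 + "00" * 31 + "01"

def decode_approval(calldata_hex, known_spenders=()):
    """Decode approval calldata. Returns None for any other call, else a dict
    with the function, the full spender address, the value and warnings."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    name = SELECTORS.get(data[:8])
    if name is None:
        return None
    if len(data) != 8 + 64 + 64:
        raise ValueError("approval calldata must be 4 + 32 + 32 bytes")
    addr_word, value_word = data[8:72], data[72:136]
    if addr_word[:24] != "0" * 24:
        raise ValueError("address argument is not left-padded with zeros")
    spender = "0x" + addr_word[24:]
    value = int(value_word, 16)
    warnings = []
    if name.startswith("setApprovalForAll") and value != 0:
        warnings.append("operator may transfer every token of this collection")
    # For ERC-721, approve()'s second argument is a token id, not an amount.
    if name.startswith("approve") and value == MAX_UINT256:
        warnings.append("unlimited allowance")
    if spender not in {s.lower() for s in known_spenders}:
        warnings.append("spender is not one of your known contracts")
    return {"function": name, "spender": spender, "value": value,
            "warnings": warnings}
```

Compare the returned spender character by character against the contract address published by the service you intend to use, rather than against what the requesting website displays.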
The likelihood of receiving such an email can be affected by how much personal information is available online.
Set up separate email addresses for each service, and avoid providing your phone number whenever possible. Any received emails or phone calls must be viewed with scrutiny, especially if unsolicited. Interact with companies only through their official websites and confirm anything with the company directly via multiple official sources, especially if it promises a significant incentive to take an action or threatens access to your funds if an action is not taken. It is also recommended to establish a network of multiple trusted individuals who use the same services and have a strong level of security knowledge.
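The scrutiny described above can be partly automated. The following added example (not part of the original case study) flags a message whose sender or links use the brand name on a domain other than the official one, as the openseateam.io emails did. It assumes opensea.io is the only official domain; the sample message is constructed from the email text quoted on this page, with invented headers and link paths.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: opensea.io (the site this page cites) is the only official domain.
OFFICIAL_DOMAINS = {"opensea.io"}
BRAND = "opensea"

# Constructed sample modelled on the email quoted on this page; the headers,
# local part and link paths are invented for the example.
SAMPLE_EMAIL = """\
From: OpenSea <noreply@openseateam.io>
To: user@example.com
Subject: Verify your OpenSea account
Content-Type: text/plain; charset="utf-8"

Dear customer,
All unverified accounts will be suspended on Monday, February 28th, 2022.
Verify here: http://openseateam.io/verify
Help center: https://support.opensea.io/
"""

def is_official(host):
    """True if host is an official domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def check_email(raw):
    """Return (kind, host) findings for hosts that use the brand name
    but are not on the official-domain allowlist."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    claims_brand = BRAND in display.lower() or BRAND in sender_host
    if claims_brand and not is_official(sender_host):
        findings.append(("sender", sender_host))
    # Decode every non-multipart part (handles base64 / quoted-printable bodies).
    for part in msg.walk():
        if part.is_multipart():
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in re.findall(r"https?://[^\s\"'<>]+", text):
            host = (urlparse(url).hostname or "").lower()
            if BRAND in host and not is_official(host):
                findings.append(("link", host))
    return findings
```

A clean result only means no brand lookalike was found; the From header can be forged, so a message that passes still warrants confirmation through the official website.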
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
This issue can be prevented through better education for users. An insurance fund could be available to assist any remaining cases.
Never underestimate how limited your users' knowledge may be, or their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how Ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
This issue can be prevented through better education for users. An insurance fund could be available to assist any remaining cases.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how Ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] @opensea Twitter (Mar 10, 2022)
- [2] How OpenSea took over the NFT trade - The Verge (Mar 10, 2022)
- [3] Dune Analytics (Mar 10, 2022)
- [4] https://opensea.io/ (Mar 9, 2022)
- [5] Meet OpenSea | The NFT marketplace with everything for everyone - YouTube (Mar 9, 2022)
- [6] https://docs.opensea.io/docs (Mar 9, 2022)
- [7] https://docs.opensea.io/docs/frequently-asked-questions (Mar 9, 2022)
- [8] https://opensea.io/about (Mar 9, 2022)
- [9] @Albinjawi89 Twitter (Mar 16, 2022)
- [10] Wayback Machine (Mar 16, 2022)
- [11] openseateam.io - contact with domain owner | Epik.com (Mar 16, 2022)
- [12] openseateam.io - contact with domain owner | Epik.com (Mar 16, 2022)
- [13] OpenSea phishing scam swindled millions in NFTs - PC Gamer (May 15, 2022)
- [14] OpenSea - "10 tips for avoiding scams and staying safe on the decentralized web" - Twitter (May 15, 2022)
- [15] Phishing attack from OpenSea to analyze blockchain hacking methods - CoinYuppie (Mar 16, 2022)