OpenSea Hack/Phishing Feb 2022
In February, 2022 a number of OpenSea users received phishing emails that, if followed, prompted the user to sign a malicious order. Approximately 3 weeks after the malicious order was signed the attacker used the order to drain high value NFTs from at least 32 users. The value of those NFTs can be scrutinized, but the attacker has at least 1.7M with our ETH in their wallet from selling the stolen NFTs.
What Happened?
It started with a phishing email to some OpenSea users
Clicking on the link prompted a signature to approve an order
Seen confusion about the OS thing so.
— Neso (@Nesotual) February 20, 2022
Attacker had people sign half of a valid wyvern order, the order was basically empty except the target (attacker contract) and calldata, attacker signs other half of order.
Attackers waited 3 weeks, then used the order to steal numerous valuable NFTs from 32 users in a matter of moments.
How to Protect Yourself?
- You can review and revoke token approvals here. https://etherscan.io/tokenapprovalchecker
- Be wary of off-chain signature requests. You need to pay attention to any unusual signature requests and diligently review the details in what is being signed.
- Transfer ownership to cold wallets and use a hot wallet with limited funds for regular transactions. In the event you do fall victim to an attack this limits the impact to the contents of the hot wallet.
- Standard phishing advice. Be cautious of any emails requesting action. You should go to the official website via your browser to confirm. It's far too easy for phishing emails to have look-a-like domains or other tricks to fool even the most careful users