Reports have surfaced indicating that users of OpenSea, a prominent non-fungible token (NFT) marketplace, have become targets of a recent email phishing campaign. Individuals involved with OpenSea, including both users and developers, have been subjected to various phishing schemes through fake NFT offers and counterfeit developer account risk alerts.
On November 13, an OpenSea developer revealed on X (formerly known as Twitter) that they had received a phishing email specifically aimed at their OpenSea application programming interface (API) key. This revelation suggested that developers' contact information might have been leaked from OpenSea and used to target them in this fraudulent campaign.
Despite OpenSea's assertions that their platform hasn't been compromised, social media reports continue to surface regarding the phishing attempts. A Reddit user on November 14 expressed bewilderment over the sudden influx of emails related to offers for their NFT listings, despite not actively using OpenSea for years. These emails contained suspect links prompting the installation of potentially malicious applications, and the user was receiving multiple scam/phishing emails daily.
The recent phishing incident follows a security breach a few weeks prior, wherein one of OpenSea's third-party vendors suffered a security incident exposing user API key information. This breach prompted OpenSea to notify affected users, reporting potential compromises involving user emails and developer API keys. This isn't the first time OpenSea users have encountered phishing emails, as the platform confirmed a similar issue in February 2022 and cautioned against clicking any email links.
In light of these developments, the incident serves as a reminder to the cryptocurrency community to remain vigilant regarding emails from service providers. Users should verify the authenticity of email senders and the relevance of any links to avoid falling victim to phishing attacks. It's essential to bear in mind that reputable cryptocurrency companies won't solicit personal data, such as wallet addresses or private keys, via email.

















