On February 20, Devin Finzer, co-founder and CEO of OpenSea, responded to the “OpenSea vulnerability incident” by saying that it was a phishing attack and that it had nothing to do with the OpenSea website. So far, 32 users appear to have signed malicious payloads from attackers and some of their NFTs have been stolen.
The attack does not appear to be active at this time, with no malicious activity seen from the attacker’s account for 2 hours. Some NFTs have been refunded. He also said, “I am not aware of any recent phishing emails sent to users, and it is not known at this time which website is tricking users into maliciously signing emails.
When you sign the message, be sure to double check that you are interacting with https://opensea.io in your browser. If you are an affected user, please [email protected]_support so we can investigate thoroughly.