Earlier this week, if you Googled “OpenSea” looking for the eponymous NFT marketplace, you might have found what looks like the site right at the top of Google. It turns out that result, which was a paid Google Ad placement, was actually a phishing site seemingly designed to steal victims’ digital wallets, Motherboard has found.
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.
OpenSea is the most popular peer-to-peer marketplace for buying and selling NFTs, making it a juicy target for hackers who want to hijack peoples’ cryptocurrency or NFTs to perhaps sell for a profit. “The NFT marketplace with everything for everyone,” its website reads.On Wednesday, a Motherboard editor searched the phrase “opensea" on Google. The top result was for “OpenSea, the largest - NFT marketplace.” The URL, however, was opensun.io/open, a slight tweak on the site’s actual URL. Following that link redirected a visitor to a different site, this time with the URL www-opeensea.io, with a subtle ‘WWW’ and extra ‘E’ added.
That site looked largely identical to the real OpenSea site. But clicking seemingly any link on www-opeensea.io brought up a prompt for the visitor to link their digital wallet, be that a Coinbase wallet or something else. Presumably, the idea here was for whichever malicious party was running this phishing site to then access that wallet and try to empty it.
Google stopped displaying the phishing site in its search results after Motherboard contacted both Google and OpenSea itself on Wednesday. The www-opeensea.io domain was registered with a company called NameSilo. NameSilo told Motherboard in an email “Thank you for letting us know. This domain had not been reported before this email. We have now taken down the domain. The domain was registered on October 18th, 2021 and perhaps the attack started very recently.”
OpenSea claimed it learned of the phishing site the day before.“OpenSea vigilantly monitors for malicious and impersonating websites and takes swift action to protect the community when we detect them. We became aware of the websites in question yesterday, immediately reported them to various hosts and administrators, and have since confirmed the ads have been taken down,” an OpenSea spokesperson told Motherboard in an email.A Google spokesperson told Motherboard in an email that “This behavior directly violates our policy against phishing ads that attempt to mislead users. We have suspended the account and will continue to aggressively enforce these policies to prevent future bad actors.”Last week, researchers at cybersecurity firm Check Point published a blog post laying out how hackers used Google Ads to run phishing sites that targeted potential users of the Phantom and MetaMask wallets. Check Point said the hackers had generated at least a half a million dollars from the scheme.Subscribe to our cybersecurity podcast CYBER, here. Subscribe to our new Twitch channel.
Do you know about any other NFT scams? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email firstname.lastname@example.org.