OpenSea Warns Users Of Phishing Attacks From Data Breach

Are you a fan of NFTs?  If so, you’ve probably heard of OpenSea, which is the largest marketplace for non-fungible tokens.

If you have an account there, be aware that recently the company disclosed that their network had been breached and they issued a warning to their clients urging them to be on the lookout for possible phishing emails.

Cory Hardman is OpenSea’s head of security. According to Hardman, an employee of, which is the company’s email delivery vendor, downloaded a file containing email addresses that belong to OpenSea users and newsletter subscribers. The precise number of email addresses the attacker made off with was not disclosed.

Mr. Hardman said:

“If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with in their ongoing investigation, and we have reported this incident to law enforcement.”

This is not the first time OpenSea users have been targeted.  Last year, threat actors impersonating fake support staff successfully absconded with roughly two million dollars (USD) worth of NFTs. Last September (2021) the company addressed a security flaw that allowed attackers to empty an OpenSea user’s cryptocurrency wallets by luring them to click on maliciously crafted NFT artwork.

Although the industry is still in its formative stages, it has grown at a blistering pace. OpenSea is the largest marketplace in the NFT industry. They boast more than 600,000 users and total transactions that surpass $20 billion (USD) which make it a prime target for hackers.

Sadly, this will almost certainly not be the last time OpenSea and other NFT markets find themselves in the crosshairs.

If you have an account there, be on high alert.  Odds are good that the attacker will try to put your email address to malicious use.

Major Data Breach At Robinhood Is Affecting Millions

Do you buy stocks via the no-cost RobinHood platform? If so be advised that the company has recently disclosed a massive data breach estimated to impact more than seven million customers.

The attack against RobinHood’s networks occurred on November 3rd.

It happened after an unidentified threat actor called the company’s customer support line and utilized some in-person social engineering techniques to gain access to the customer support system.

This threat actor was able to access a wide range of customer information including:

  • The full names of clients
  • Email addresses
  • Date of birth
  • And Zip code

Based on the company’s disclosure statement the attacker was able to exfiltrate more than 5 million email addresses, the full name of some two million customers, birth dates, and zip codes for about 300 people. Even more extensive account information was taken for around 10 people.

An investigation into the matter is ongoing at this point. The company does not believe any customer social security numbers, bank account numbers, or debit card numbers were exposed.

On the heels of the attack RobinHood received an extortion demand. The company has declined to make the details of the demand public but the nature of the threat was that unless the company paid a ransom in BitCoin the stolen information would be released to the public.

If you use the platform out of an abundance of caution you should change your password immediately. Be on the lookout for phishing emails sent to the address you used when you signed up on RobinHood in case the attacker tries to contact you to steal other credentials.

Finally if you haven’t already done so the company recommends two-factor authentication as soon as possible. If you need to contact the company for support from inside the RobinHood app simply tap “AccountHelpContact Us.”

Don’t Fall For This Cryptocurrency Giveaway Scam

You know you’ve hit the Big Time when you get a scam named after you. That’s exactly what has happened to Elon Musk. The latest scam that’s making the rounds is called the “Elon Musk Mutual Aid Club” or the “Elon Musk Club” for short.

If you’re an experienced IT professional it is easy to be dismissive of things like this. Few seasoned professionals ever fall for these scams after all.

The truth is that the scammers running these plays have made hundreds of thousands of dollars a day doing it. There are enough people on the web who are susceptible to the social engineering tricks they employ that the scammers can count on regular paydays.

Most scams of this variety have played out in something close to real time on a variety of social media channels. The drama of the Elon Musk Club however is playing out in email accounts around the world.

Although this scam invokes the name of Elon Musk and leverages his cult of personality to entice recipients the scam itself is pretty straightforward. It begins with a phishing email that includes a descriptive and enticing tag line. It reads something to the effect of “Get Free Bitcoin via the Elon Musk Club” or “Join the Elon Musk Club” or similar.

The scammers didn’t waste any time trying to come up with a convincing message for the body of the email. It simply contains a link that points the way to a poisoned website.

This page promises to give you 0.055 to all users who participate. The page contains an “Accept an Invitation” button which brings you to an information capture page. Just give your information away (including a photo of yourself) to sign up!

Except of course when you do you’re just handing personal details to the hackers. What is worse is that before you can get your 0.055 you’ve got to donate 0.001 Bitcoin to another member of the club (supposedly chosen at random).

Naturally when you give the Bitcoin away you never get anything back and the scammers walk away with a tidy sum. Don’t fall for it.

Fake Apps Stealing Info With Current Cryptocurrency Boom

In case you haven’t been paying attention, the Cryptocurrency markets have been booming in recent months. All of the major currencies have now pulled back from their all time highs, but BitCoin shattered several of its own records recently, as did Ethereum, which crested at a price of more than $3,300. Needless to say, this is causing a surge of interest in the ecosystem, and hundreds of thousands of new players are entering the market.

Unfortunately, this has created an irresistible opportunity for scammers. According to stats collected by Lookout, there are now nearly 200 different apps that bill themselves as cryptocurrency mining platforms, and note that most of these aren’t free apps; customers have to pay to install them.

The researchers at Lookout have identified two different families of apps, which they’ve dubbed “BitScam” and “CloudScam.” The BitScam family of apps claim to turn your mobile device itself into a mining platform, while apps in the CloudScam family claim to connect you to Cloud Mining services.

Of the two, BitScam is the larger, with more than 83k installs, but the smaller CloudScam is growing quickly, and currently has nearly 10k installations. None of the apps in either of the families actually have any cryptomining capabilities. In this case, the scammers are simply leveraging the surge in popularity of cryptocurrency in general and lining their pockets by charging for fake apps that don’t actually do anything.

That’s not completely true, though. The one thing they do is collect personal information from the people who install these apps, sending it back to the apps’ controllers, allowing them to profit in multiple ways.

An effort is underway to remove these apps from major app platforms like the Google Play Store, but as of now, there are still more than two dozen of them available there.

If you’re interested in Cryptocurrency, be very careful about what you install. At the moment, there are as many scammy apps out there as there are legitimate ones.