OpenSea Ice-Phishing and Malicious Signature Scams
Criminals construct fake OpenSea listing flows that trick NFT owners into signing EIP-712 orders transferring their assets at zero price. Understanding what OpenSea's genuine listing signature looks like is the key defense.
Last reviewed: 7 June 2026
OpenSea uses off-chain cryptographic signatures (Seaport protocol orders) for NFT listings. When you list an NFT for sale on OpenSea, you sign a message with your wallet — the signature authorizes OpenSea's contract to transfer the NFT to a buyer at the price and terms you set. This signature-based model is efficient, but it is also exploitable if a user can be tricked into signing an order with fraudulent terms.
Ice-phishing on OpenSea involves presenting victims with a signature request that looks like a standard 'list for sale' workflow but actually contains malicious parameters: a price of zero ETH or a recipient address controlled by the attacker. When the victim signs, they have effectively created a valid listing or transfer order that the attacker can execute immediately.
This attack is especially insidious because the victim interacts with their wallet and signs something — which feels like a normal, secure action — without realizing the parameters of what they signed are harmful. The defense is careful reading of every signature request.
How this scam works on the OpenSea brand
A fake OpenSea-styled interface tells an NFT owner that they need to 'relist their NFT due to a contract migration' or 'sign to confirm ownership' as part of a new verification requirement. The interface presents a MetaMask signature request. The victim, accustomed to signing these in the normal OpenSea listing flow, clicks Sign. The signature is a valid Seaport order transferring the NFT to the attacker for 0 ETH, which the attacker immediately fulfills.
Another version sends victims an email claiming they have received a lucrative offer on their NFT. The email link opens a fake OpenSea offer-acceptance interface. Clicking 'Accept Offer' triggers the malicious signature request.
Genuine OpenSea listing signatures, viewable in the MetaMask signing window, show the specific token being listed, the listing price in ETH, the expiry date, and the OpenSea Seaport contract address as the receiving contract. Any signature request that shows a price of 0 or a recipient address that is not an OpenSea contract should not be signed.
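The same reading of a signature request can be applied to the typed-data payload a site passes to the wallet. The following is an added example, not OpenSea's or MetaMask's code: the function name reviewSeaportRequest, the sample payloads and every address are constructed, and the trusted-address list is assumed to be filled from OpenSea's published Seaport addresses.

```javascript
// Added example. All addresses are constructed placeholders, not real Seaport addresses.
const SEAPORT = "0x" + "11".repeat(20); // stand-in for an address copied from OpenSea's published list
const SIGNER = "0x" + "aa".repeat(20);  // the NFT owner (Seaport "offerer")
const OTHER = "0x" + "bb".repeat(20);   // any address that is not the signer

const NFT_ITEM_TYPES = new Set([2, 3, 4, 5]); // Seaport ItemType: ERC721, ERC1155, and criteria variants
const lower = (a) => String(a || "").toLowerCase();

// Returns red-flag strings for an eth_signTypedData_v4 payload; an empty array means none were found.
function reviewSeaportRequest(typedData, trustedContracts) {
  const flags = [];
  const { domain = {}, message = {}, primaryType } = typedData;
  if (!trustedContracts.map(lower).includes(lower(domain.verifyingContract))) {
    flags.push("verifyingContract is not a known Seaport address");
  }
  if (primaryType !== "OrderComponents") return flags; // not a Seaport order
  const offersNft = (message.offer || []).some((i) => NFT_ITEM_TYPES.has(Number(i.itemType)));
  if (!offersNft) return flags;
  // Guaranteed proceeds: the lower of startAmount/endAmount on items paid to the signer.
  // Amounts routed to any other recipient do not count, which also catches an
  // order whose whole "price" is addressed to someone else.
  let toSigner = 0n;
  for (const c of message.consideration || []) {
    if (lower(c.recipient) !== lower(message.offerer)) continue;
    const start = BigInt(c.startAmount), end = BigInt(c.endAmount);
    toSigner += start < end ? start : end;
  }
  if (toSigner === 0n) flags.push("signer gives up an NFT and receives 0");
  return flags;
}

// Constructed sample payload builder (trimmed to the fields the check reads).
function sampleOrder(verifyingContract, consideration) {
  return {
    primaryType: "OrderComponents",
    domain: { name: "Seaport", chainId: 1, verifyingContract },
    message: {
      offerer: SIGNER,
      offer: [{ itemType: 2, token: OTHER, identifierOrCriteria: "1", startAmount: "1", endAmount: "1" }],
      consideration,
    },
  };
}
const pay = (recipient, wei) => ({ itemType: 0, startAmount: wei, endAmount: wei, recipient });

const genuine = sampleOrder(SEAPORT, [pay(SIGNER, "975000000000000000"), pay(OTHER, "25000000000000000")]);
const zeroPrice = sampleOrder(SEAPORT, [pay(SIGNER, "0")]);
const redirected = sampleOrder(OTHER, [pay(OTHER, "1000000000000000000")]);
console.log([genuine, zeroPrice, redirected].map((o) => reviewSeaportRequest(o, [SEAPORT])));
```

An empty result only means these two checks passed; the token, price and expiry shown in the wallet window still need to be read before signing.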
Common red flags
- A signature request showing a price of 0 ETH or 0 of any token for an NFT
- A 'contract migration' or 'ownership verification' workflow appearing outside opensea.io
- A MetaMask signature request for an NFT listing on a site you arrived at via email or DM
- The contract address in the signature does not match OpenSea's known Seaport contract addresses
- An offer acceptance email that links to a non-opensea.io domain
- Pressure to sign quickly because 'the offer expires in minutes'
How to protect yourself
- Read every MetaMask signature request in full — check the listed price and recipient contract address
- Access OpenSea exclusively by typing opensea.io directly or via your saved bookmark
- Never accept or manage offers through links in emails — log in to opensea.io directly
- Verify OpenSea's Seaport contract address at opensea.io/blog/announcements before approving contract interactions
- Use a hardware wallet as the signing layer for your primary NFT wallet — the hardware device screen shows what you are signing
How to report it
- Report the phishing site to OpenSea at support.opensea.io
- Report to IC3.gov (US) or Action Fraud (UK)
- Alert your NFT community on Discord or Twitter to prevent further victims
- Submit the phishing URL to Google Safe Browsing
Frequently asked questions
What is a Seaport order and why is it dangerous if signed incorrectly?
Seaport is the protocol underlying OpenSea trades. A Seaport order is a signed message authorizing a trade. If tricked into signing an order with price 0 and an attacker's address as the 'buyer,' you have effectively gifted them your NFT. The blockchain treats it as a valid completed transaction.
How do I verify the OpenSea contract address is genuine?
OpenSea publishes its official Seaport contract addresses in official blog posts and on its GitHub. Cross-reference the address in the MetaMask request against OpenSea's published contract addresses before signing.
Can I cancel a signed Seaport listing before the attacker fulfills it?
Yes. On OpenSea, you can cancel an active listing through your profile. Cancellation submits an on-chain transaction that invalidates the signed order — but it costs gas and you must act before the attacker fills the order.