Fake OpenSea Wallet-Drainer Scams
Attackers build convincing OpenSea clones or inject malicious signature requests into NFT listings to drain connected wallets. OpenSea will never ask you to sign a transaction unrelated to a specific sale or purchase you initiated.
Last reviewed: 7 June 2026
OpenSea is one of the largest NFT marketplaces, and its wallet-connect model — where users connect MetaMask or another wallet to browse and trade NFTs — creates a fertile environment for wallet-draining attacks. Unlike custodial platforms, OpenSea does not hold funds on behalf of users; all transactions go through users' own wallets, which means every interaction carries direct financial risk.
Fraudulent actors impersonate OpenSea through look-alike sites, fake listing notifications, and manipulated smart contract interactions. The goal is always to obtain a signature that transfers valuable NFTs or tokens from the victim's wallet to the attacker's address — often completed in a single transaction before the victim realizes anything is wrong.
Understanding the real OpenSea transaction flow helps identify attacks. When you list an NFT on the genuine OpenSea, you sign an off-chain order with MetaMask or your connected wallet. When you buy, you sign a transaction approving the specific asset transfer. At no point does a legitimate OpenSea interaction ask for your wallet's seed phrase or request approval to move all assets simultaneously.
How this scam works on the OpenSea brand
A scam email with OpenSea branding notifies the user that their NFT has received an offer and provides a 'View Offer' button. The link leads to a convincing OpenSea clone where clicking 'Accept Offer' triggers a MetaMask signature request that actually executes `setApprovalForAll`, granting the attacker's contract authority over every NFT the user holds in that collection.
A second common scenario involves fake OpenSea minting pages promoted through Discord or Twitter. The page invites users to connect their wallet and mint a new NFT. The mint transaction is actually a wallet drainer that transfers ETH and all approved tokens or NFTs.
OpenSea sends transactional emails notifying users of offers and purchases, but these emails direct users to opensea.io — not to any third-party link. The real OpenSea interface clearly shows the contract address and what is being signed before any transaction is confirmed. A legitimate sale or purchase approval always relates to a specific item or a specific ETH amount, never an unlimited blanket approval for an unfamiliar contract.
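The difference between a blanket approval and a request tied to one item is visible in the raw calldata of the request. The following added example (not OpenSea or MetaMask code) decodes the two standard approval calls and flags blanket or unlimited grants to an operator that is not on a list you verified yourself; `classifyCalldata`, `TRUSTED_OPERATORS` and all addresses are hypothetical placeholders.

```javascript
// Added example: classify the calldata a wallet is asked to sign.
// A selector is the first 4 bytes of keccak256(function signature).
const SELECTORS = {
  a22cb465: "setApprovalForAll(address,bool)", // ERC-721 and ERC-1155
  "095ea7b3": "approve(address,uint256)", // ERC-20 amount or ERC-721 tokenId
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Assumption: operators you verified yourself. This entry is a constructed placeholder.
const TRUSTED_OPERATORS = new Set(["0x1111111111111111111111111111111111111111"]);

// Build constructed sample calldata: selector + 32-byte ABI words.
const word = (h) => h.replace(/^0x/, "").toLowerCase().padStart(64, "0");
const UNKNOWN_OPERATOR = "0x2222222222222222222222222222222222222222"; // constructed
const SAMPLE_GRANT = "0xa22cb465" + word(UNKNOWN_OPERATOR) + word("1");
const SAMPLE_REVOKE = "0xa22cb465" + word(UNKNOWN_OPERATOR) + word("0");
const SAMPLE_UNLIMITED = "0x095ea7b3" + word(UNKNOWN_OPERATOR) + "f".repeat(64);

function classifyCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]+$/.test(hex) || hex.length < 8) {
    return { risk: "unknown", reason: "not valid calldata" };
  }
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn) return { risk: "unknown", reason: "selector not in table" };
  const args = hex.slice(8);
  if (args.length < 128) return { risk: "unknown", reason: "truncated arguments" };

  // First word: address in the low 20 bytes. Second word: bool or uint256.
  const operator = "0x" + args.slice(24, 64);
  const value = BigInt("0x" + args.slice(64, 128));
  const trusted = TRUSTED_OPERATORS.has(operator);

  if (fn.startsWith("setApprovalForAll")) {
    if (value === 0n) return { risk: "low", fn, operator, reason: "revokes an operator" };
    return { risk: trusted ? "review" : "high", fn, operator,
      reason: "operator may move every token you hold in this collection" };
  }
  if (value === MAX_UINT256) {
    return { risk: trusted ? "review" : "high", fn, operator, reason: "unlimited allowance" };
  }
  return { risk: "review", fn, operator, reason: "one token id or a bounded amount" };
}

console.log(classifyCalldata(SAMPLE_GRANT));
```

A result of "review" still means reading the wallet prompt; the list of trusted operators only lowers the rating for contracts you have already checked.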
Common red flags
- An email notification of an NFT offer that links to a domain other than opensea.io
- A MetaMask `setApprovalForAll` request triggered by clicking 'Accept Offer' or 'Claim' on a site
- A minting page promoted via Discord DM or Twitter reply that asks you to connect your wallet
- A site visually identical to OpenSea but with a different URL (e.g., opensea-offers[.]io, opensea-mint[.]com)
- A request to sign an 'OpenSea migration' or 'Seaport update' on a third-party site
- An approval request for an unlimited token or NFT amount from a contract you have not previously used
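The domain red flags above can be checked mechanically. This added example (not code from OpenSea) accepts a link only when its host is exactly opensea.io or a subdomain of it, and rejects the hyphenated look-alikes, hosts that merely start with the official name, userinfo tricks and punycode homoglyphs; `checkLink` and the sample links are constructed for illustration.

```javascript
// Added example: decide whether a link really points at opensea.io.
const OFFICIAL_DOMAIN = "opensea.io";

// Advisories write malicious domains defanged ("[.]"); undo that before parsing.
function refang(link) {
  return link.trim().replace(/\[\.\]/g, ".");
}

function checkLink(link) {
  let url;
  try {
    const text = refang(link);
    // Bare domains such as "opensea-offers.io" get a scheme so URL can parse them.
    url = new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : "https://" + text);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  // URL lowercases the host and converts non-ASCII labels to punycode (xn--).
  const host = url.hostname.replace(/\.$/, "");
  if (url.protocol !== "https:") return { ok: false, host, reason: "not https" };
  if (url.username || url.password) {
    // "https://opensea.io@evil.example/" shows the brand but connects elsewhere.
    return { ok: false, host, reason: "userinfo hides real host" };
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, host, reason: "punycode label (possible homoglyph)" };
  }
  if (host === OFFICIAL_DOMAIN || host.endsWith("." + OFFICIAL_DOMAIN)) {
    return { ok: true, host, reason: "official domain" };
  }
  const lookAlike = host.includes("opensea");
  return { ok: false, host, reason: lookAlike ? "look-alike domain" : "unrelated domain" };
}

// Constructed sample links, including the defanged look-alikes listed above.
const SAMPLE_LINKS = [
  "https://opensea.io/account",
  "opensea-offers[.]io",
  "https://opensea.io@opensea-mint.com/offer",
  "https://opensea.io.example.com/",
];
for (const link of SAMPLE_LINKS) console.log(link, "->", checkLink(link).reason);
```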
How to protect yourself
- Access OpenSea only by typing opensea.io directly or using a saved bookmark — never via links in emails or DMs
- Check MetaMask's transaction details carefully before confirming — verify the contract address against opensea.io's known contracts
- Revoke unnecessary OpenSea approvals periodically using Revoke.cash
- Never click 'Accept Offer' via an email link — log in to opensea.io directly to review any offers
- Avoid minting from pages you arrived at via Discord DM or Twitter reply without verifying the official project URL first
- Use a separate wallet address with minimal holdings for browsing and minting from unfamiliar projects
How to report it
- Report the phishing site to OpenSea at support.opensea.io
- Report to IC3.gov (US) or Action Fraud (UK)
- Report fake OpenSea social media accounts or posts to the relevant platform
- Submit the phishing domain to Google Safe Browsing and PhishTank
Frequently asked questions
I accepted what turned out to be a fake offer and my NFTs were taken. Can OpenSea reverse it?
Blockchain transactions are irreversible. OpenSea cannot undo a transaction you authorized, even if it was obtained through fraud. Contact OpenSea support to report the theft and flag the receiving address; they may be able to block associated accounts.
What does 'setApprovalForAll' mean in a MetaMask request?
`setApprovalForAll` is an ERC-721 function that grants a specific contract permission to transfer any NFT in that collection from your wallet. Legitimate use is for OpenSea's own contracts to facilitate sales, but attackers use it to drain entire NFT collections at once.
How can I tell if an OpenSea email is genuine?
Genuine OpenSea emails come from @opensea.io addresses and link only to opensea.io. Check the sender address carefully and hover over any links to verify the destination before clicking.