NFT & OpenSea Phishing: How Collectors Lose Everything
One wrong signature can empty your entire NFT collection in seconds. Here's what that looks like, where the attacks come from, and what actually stops them.
You get an email from OpenSea. It looks exactly like every other one they've sent you: something about a required contract migration. You click the link, connect your wallet, and sign what looks like a routine verification. Minutes later your entire collection is gone.
That's what the February 2022 OpenSea phishing attack actually looked like. Not a protocol vulnerability. Not a code exploit. Fake emails timed to coincide with a real contract migration, a convincing phishing site, and users who signed something without reading what it authorized. A single collector's wallet often holds more value than most token positions, so one successful phishing attempt against the right collector can be worth more than many token drains combined, which is why attacks on collectors have become more deliberate and more polished over time.
The most common NFT phishing methods
- Fake offer notifications: emails styled exactly like OpenSea offer alerts, linking to a fake site that requests a malicious signature or approval
- Compromised Discord servers: attackers take over a project's Discord and post fake mint links in its announcement channel, where members expect official news
- Fake airdrop sites: "you've been airdropped an NFT, connect your wallet to claim", where the claim transaction is the drain
- Counterfeit collection listings: fake versions of popular collections with near-identical names and images, sold to buyers who don't check the contract address
- setApprovalForAll phishing: sites that ask you to "verify" or "sync" your wallet, which actually triggers a full-collection approval transaction
Why setApprovalForAll is the most dangerous transaction in NFTs
Every ERC-721 and ERC-1155 collection contract includes a function called setApprovalForAll(operator, approved). When you call it with an operator address and approved set to true, that address can transfer any NFT you hold in that collection, including ones you acquire later, out of your wallet. The approval has no expiry and no per-token limit; it stays in force until you send a second transaction setting approved to false.
OpenSea uses this legitimately: you approve its marketplace contract once per collection so you can list NFTs without approving each transfer individually. Phishing sites trigger the same function with an attacker-controlled address as the operator. Once the approval transaction is mined, the attacker can move your entire collection in a single follow-up transaction that calls transferFrom for every token, with no further action from you. The approval is one cheap transaction that moves nothing by itself, so nothing looks wrong at the moment you confirm it, which is why it is the preferred attack vector.
If MetaMask shows you a "Set approval for all" prompt on a site you reached from a Discord link or an email, reject it. The only time that prompt is expected is when you yourself just clicked list or sell on a marketplace you navigated to directly, and even then check that the operator address matches the marketplace's documented contract.
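The check above can be done mechanically: the calldata MetaMask shows under "hex" or "data" starts with a 4-byte function selector, followed by the arguments as 32-byte words. The following is an added example (not TxnGuide's code and not OpenSea's) that decodes that calldata, recognises setApprovalForAll, extracts the operator, and returns a verdict. The transactions it inspects are constructed; the one allowlist entry is the address commonly published as OpenSea's Seaport conduit and is an assumption you should confirm against OpenSea's own documentation before relying on it.

```javascript
// Added example: decode a pending transaction's calldata and flag
// full-collection approvals before you confirm them. Not TxnGuide's code.

// 4-byte selectors: the first 4 bytes of keccak256 of the function signature.
const SELECTORS = {
  a22cb465: "setApprovalForAll(address,bool)", // ERC-721 and ERC-1155
  "095ea7b3": "approve(address,uint256)",       // ERC-721 single-token approval
};

// Operators you have verified yourself. The entry below is the address commonly
// published as OpenSea's Seaport conduit; assumption, confirm it in OpenSea's docs.
const KNOWN_OPERATORS = new Set(["0x1e0049783f008a0085193e00003d00cd54003c71"]);

// ABI word i of the argument area: 32 bytes (64 hex chars) each, after the selector.
function word(hex, i) {
  return hex.slice(8 + 64 * i, 8 + 64 * (i + 1));
}

// Address arguments are left-padded to 32 bytes; the address is the last 20 bytes.
function wordToAddress(w) {
  return "0x" + w.slice(24);
}

function decodeCalldata(data) {
  const hex = (data || "0x").toLowerCase().replace(/^0x/, "");
  if (hex.length === 0) return { kind: "transfer" }; // plain ETH send, no call
  if (hex.length < 8) return { kind: "malformed" };
  const selector = hex.slice(0, 8);
  const fn = SELECTORS[selector];
  if (!fn) return { kind: "unknown", selector };
  if (hex.length !== 8 + 2 * 64) return { kind: "malformed", fn }; // both take 2 words
  if (fn.startsWith("setApprovalForAll")) {
    return {
      kind: "setApprovalForAll",
      operator: wordToAddress(word(hex, 0)),
      approved: BigInt("0x" + word(hex, 1)) !== 0n,
    };
  }
  return {
    kind: "approve",
    spender: wordToAddress(word(hex, 0)),
    tokenId: BigInt("0x" + word(hex, 1)).toString(),
  };
}

// Verdict: "ok" (nothing to approve), "review" (expected only if you started it),
// "reject" (collection-wide approval to an operator you never verified).
function assess(tx) {
  const d = decodeCalldata(tx.data);
  switch (d.kind) {
    case "setApprovalForAll":
      if (!d.approved) return { verdict: "ok", reason: `revokes ${d.operator} on ${tx.to}` };
      return KNOWN_OPERATORS.has(d.operator)
        ? { verdict: "review", reason: `grants known operator ${d.operator} transfer rights over every token in ${tx.to}; fine only if you just started a listing` }
        : { verdict: "reject", reason: `grants UNKNOWN operator ${d.operator} transfer rights over every token in ${tx.to}` };
    case "approve":
      return { verdict: "review", reason: `approves ${d.spender} for token ${d.tokenId} of ${tx.to}` };
    case "transfer":
      return { verdict: "ok", reason: "plain value transfer, no contract call" };
    case "unknown":
      return { verdict: "review", reason: `unrecognised selector 0x${d.selector}; decode it before confirming` };
    default:
      return { verdict: "reject", reason: "malformed calldata" };
  }
}

// Constructed sample inputs (not real on-chain data).
const COLLECTION = "0x1111111111111111111111111111111111111111";
const ATTACKER = "0x0badc0de0badc0de0badc0de0badc0de0badc0de";
function encodeSetApprovalForAll(operator, approved) {
  return "0xa22cb465" + operator.slice(2).padStart(64, "0") + (approved ? "1" : "0").padStart(64, "0");
}
const PHISH_TX = { to: COLLECTION, data: encodeSetApprovalForAll(ATTACKER, true) };
const LISTING_TX = { to: COLLECTION, data: encodeSetApprovalForAll("0x1e0049783f008a0085193e00003d00cd54003c71", true) };

for (const tx of [PHISH_TX, LISTING_TX, { to: ATTACKER, data: "0x" }]) {
  const { verdict, reason } = assess(tx);
  console.log(`${verdict.toUpperCase().padEnd(7)} ${reason}`);
}
```

The point of the allowlist is that "verified on Etherscan" is not enough: a drainer contract can be verified too. What matters is whether the operator is the exact address the marketplace documents, and whether you initiated the action that needs it.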
Practical protection habits
- Bookmark opensea.io and only open it from the bookmark. Phishing domains often differ from the real one by a single character, a look-alike Unicode letter, or a different top-level domain.
- Treat every Discord announcement containing a link as suspect, even in the official announcement channel, since that is exactly where attackers post after taking over a server. Confirm through a second channel (the project's website or verified Twitter account) before clicking.
- Read the MetaMask prompt before confirming. If it says "Set approval for all" and you didn't just start a listing, reject it.
- Audit your approvals regularly with revoke.cash and revoke any collection-wide approval you didn't intentionally grant. Revoking costs a transaction, but it closes the door before the attacker walks through it.
- For high-value NFTs, use a separate vault wallet, ideally on a hardware device, that you never connect to dapps and never use for minting or new projects. Keep a cheap hot wallet for mints so that any approval phished from it can only reach what that wallet holds.
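Tools like revoke.cash reconstruct your current approvals from the ApprovalForAll events each collection contract emits: the latest event per (collection, operator) pair is the current state. The following is an added example (not revoke.cash's code) that does that replay on constructed log entries and lists the operators you did not intend to approve; in practice the entries would come from an eth_getLogs query on the event topic. The topic hash is taken from public ABI tooling for the ERC-721/ERC-1155 ApprovalForAll signature and, like the OpenSea conduit address, is an assumption you should confirm against a decoded log from your own node.

```javascript
// Added example: rebuild a wallet's setApprovalForAll state from ApprovalForAll
// logs and list the operators that should not be there. Not revoke.cash's code.

// keccak256("ApprovalForAll(address,address,bool)"), the topic both ERC-721 and
// ERC-1155 emit. Assumed from public ABI tooling; confirm against your own node.
const APPROVAL_FOR_ALL_TOPIC =
  "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31";

// Indexed address topics are 32-byte words; the address is the last 20 bytes.
function topicToAddress(topic) {
  return "0x" + topic.slice(-40).toLowerCase();
}

// Replay the owner's ApprovalForAll events in chain order; the latest event for
// each (collection, operator) pair is the current state. Returns only live grants.
function activeApprovals(owner, logs) {
  const mine = logs
    .filter((l) => l.topics[0] === APPROVAL_FOR_ALL_TOPIC && topicToAddress(l.topics[1]) === owner.toLowerCase())
    .sort((a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex);
  const state = new Map();
  for (const l of mine) {
    const collection = l.address.toLowerCase();
    const operator = topicToAddress(l.topics[2]);
    const approved = BigInt(l.data) !== 0n; // the non-indexed bool sits in data
    state.set(`${collection}|${operator}`, { collection, operator, approved, blockNumber: l.blockNumber });
  }
  return [...state.values()].filter((s) => s.approved);
}

// Live grants to any operator you have not explicitly verified.
function unexpectedApprovals(owner, logs, knownOperators) {
  return activeApprovals(owner, logs).filter((a) => !knownOperators.has(a.operator));
}

// Constructed sample data (not real chain data).
const OWNER = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const OPENSEA_CONDUIT = "0x1e0049783f008a0085193e00003d00cd54003c71"; // assumed; verify with OpenSea
const DRAINER = "0x0badc0de0badc0de0badc0de0badc0de0badc0de";
const COLLECTION_A = "0x1111111111111111111111111111111111111111";
const COLLECTION_B = "0x2222222222222222222222222222222222222222";

const padWord = (addr) => "0x" + addr.slice(2).padStart(64, "0");
const boolWord = (b) => "0x" + (b ? "1" : "0").padStart(64, "0");
function approvalLog(collection, operator, approved, blockNumber, logIndex) {
  return {
    address: collection,
    topics: [APPROVAL_FOR_ALL_TOPIC, padWord(OWNER), padWord(operator)],
    data: boolWord(approved),
    blockNumber,
    logIndex,
  };
}

const SAMPLE_LOGS = [
  approvalLog(COLLECTION_A, OPENSEA_CONDUIT, true, 100, 3), // listed on OpenSea
  approvalLog(COLLECTION_A, DRAINER, true, 200, 0),         // "verify your wallet" site
  approvalLog(COLLECTION_B, DRAINER, true, 201, 5),
  approvalLog(COLLECTION_B, DRAINER, false, 250, 1),        // revoked later
];

const KNOWN_OPERATORS = new Set([OPENSEA_CONDUIT]);
for (const a of unexpectedApprovals(OWNER, SAMPLE_LOGS, KNOWN_OPERATORS)) {
  console.log(`REVOKE: ${a.operator} can move every token of ${a.collection} (granted in block ${a.blockNumber})`);
}
```

Note that the revoked grant on COLLECTION_B does not appear: a later approved=false event overrides the earlier grant, which is exactly what a revoke transaction does on-chain. The grant on COLLECTION_A is still live and would be the one to revoke.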
Frequently asked questions
How do NFT phishing scams work?
Phishing attacks trick you into signing a transaction or message that gives an attacker permission to transfer your NFTs. Common vectors are fake OpenSea emails, compromised Discord servers with fake mint links, and fake airdrop claim sites.
What is a setApprovalForAll attack?
setApprovalForAll grants an address (the operator) permission to transfer every NFT you hold in one collection. Phishing sites disguise the approval transaction as a routine action such as "verify", "sync" or "claim". Once the approval is mined, the attacker can drain the whole collection in one follow-up transaction with no further input from you.
Can I recover NFTs stolen in a phishing attack?
Almost never. Blockchain transfers are irreversible. OpenSea can flag stolen NFTs and block their resale on its own marketplace, but the asset stays in the attacker's wallet and can still be moved or sold elsewhere on-chain. Prevention, meaning reading approvals carefully, using a separate vault wallet, and avoiding Discord links, is your only real protection.
Catch setApprovalForAll requests before you sign them
TxnGuide explains every MetaMask transaction in plain English, including NFT approval requests. It flags when a site is asking for full-collection access and tells you whether the spender contract is verified. Free Chrome extension.
Get TxnGuide. It's free.