Scammer creates a fake site to revoke wallet permissions, then pretends there is an OpenSea vulnerability to trick people into using it

April 6, 2022

Scammer creates a fake site to revoke wallet permissions, then pretends there is an OpenSea vulnerability to trick people into using it

Tweet by grantith.eth, reading "HUGE OPENSEA ISSUE You MUST go check on revote.site if you have the OpenSea API allowance, if yes you should revoke for your NFTs! I just lost a $100k Azuki so ALWAYS check and don't make the same mistake. Share it to save someone NFTs.

A tweet falsely claiming an OpenSea vulnerability, linking to a scam permission revocation website (attribution)

It's not exactly straightforward to revoke wallet permissions once they've been granted, and so many users use a site called revoke.cash to remove permissions in the case of malicious contracts or as a precautionary measure. A clever scammer created a fake website that mimics revoke.cash, called revoke.site, and then used a verified Twitter account to tweet about a "huge OpenSea issue" that they claimed resulted in the loss of a pricey NFT. Hoping that people would panic and try to use the site to revoke permissions, in reality the website runs a script to determine the highest value assets, and then prompts the user to "revoke" permissions for those assets — when in reality, it sets approval for those assets to be transferred to the scammer's wallet. As of the evening of April 7, the wallet had received 13 NFTs, and flipped eight of them for a total profit of 4.9 ETH (~$16,000).

Scam wallet on Etherscan
Tweet thread by 0xQuit