A threat actor is reportedly selling a purported critical severity zero-day exploit chain targeting OpenSea for $100,000 USD in Bitcoin or Monero. The listing claims the vulnerability remains unpatched and undisclosed, raising alarms in the NFT community.
The exploit allegedly targets flaws in OpenSea’s Seaport protocol order validation logic across Ethereum Mainnet, Polygon, and Blast networks.
It enables attackers to force-transfer high-value NFTs for zero ETH, bypassing listing approvals and functioning on both active and inactive listings through signature malleability and cross-collection attacks.
The seller provides proof-of-concept code and a live demo upon payment, positioning it as a complete chain capable of instant asset drainage without user interaction.
Dark Web Informer first spotted the listing on underground hacking forums, where the actor markets it as a fresh zero-day with no prior public exploits observed.
No matching thefts have surfaced on-chain, and OpenSea has not issued statements or patches as of February 14, 2026. Skeptics highlight the oddity of selling for $100,000 when self-exploitation could yield millions in NFTs like Bored Ape Yacht Club, suggesting it might be a scam or overblown claim.
NFT holders should immediately revoke all OpenSea approvals using tools like Revoke.cash to block unauthorized transfers. Monitor listings closely for anomalies and avoid interacting with suspicious contracts on affected chains.
While past OpenSea bugs, such as 2022 listing loopholes exploited for $1 million in NFTs, were patched quickly, this unverified threat underscores ongoing risks in DeFi NFT platforms.
This incident echoes historical exploit sales but lacks IOCs like actor handles or forum URLs in public reports. Cybersecurity firms urge vigilance amid rising NFT-targeted zero-days.
OpenSea users represent a high-value pool for such actors, with Seaport’s widespread adoption amplifying potential impact.
Read more on Cyber Security News
