The official Discord channel for OpenSea, the world’s largest NFT marketplace, joined the growing list of NFT communities that have exposed users to phishing attacks at about 4:30 AM ET on Friday.
In this case, a bot published a bogus notification about OpenSea collaborating with YouTube, urging visitors to click on a “YouTube Genesis Mint Pass” link to claim one of 100 free NFTs with “crazy utility” before they were gone forever, along with a few follow-up messages. PeckShield, a blockchain security tracking business, identified the URL the attackers linked to as a phishing site, which is currently offline.
While the messages and phishing site are no longer available, one user who claimed to have lost NFTs in the event pointed to this address on the blockchain as belonging to the attacker, allowing us to learn more about what happened next. While that identity is no longer visible on OpenSea’s website, accessing it through Etherscan.io or a competing NFT marketplace, Rarible, reveals that 13 NFTs were transferred to it from five sources around the time of the attack. They’re currently being reported for “suspicious conduct” on OpenSea and appear to be worth a little more than $18,000 based on their values when last sold.
This type of attack, in which scammers take advantage of NFT traders trying to profit from “airdrops,” has become widespread among large Web3 organizations. It’s common for announcements to arrive out of nowhere, and the blockchain’s nature may give some users motivation to click first and think about the ramifications later.
Aside from the urge to obtain uncommon items, there is also the understanding that waiting can make minting an NFT during a rush considerably slower, more expensive, or even impossible (if you run out of funds during the process). If users have left any items or cryptocurrency in a hot wallet that’s connected to the internet, handing over login information to a phisher might expose them in seconds.
OpenSea spokesman Allie Mack confirmed the incident, adding, “Last night, an attacker was able to upload malicious URLs in numerous of our Discord channels. We discovered the malicious links immediately after they were uploaded and took swift action to correct the situation, including the removal of rogue bots and accounts. We also warned our Discord community via our Twitter help channel not to click any links. Since 4:30 a.m. ET, we haven’t noticed any new malicious posts.”
“We continue to actively investigate this attack, and will keep our community apprised of any relevant new information. Our preliminary analysis indicates that the attack had limited impact. We are currently aware of fewer than 10 impacted wallets and stolen items amounting to less than 10 ETH,” says Mack.
OpenSea has not stated how the channel was compromised, but as we described in December, one entry point for this type of attack is the webhooks feature, which organizations frequently use to control the bots that post in their channels. If a hacker gains access to or compromises an authorized user’s account, they can use it to send a message and/or URL that appears to come from an official source.
Recent hacks have included one that took $800,000 in blockchain trinkets from the “Rare Bears” Discord, and the Bored Ape Yacht Club revealed on April 1st that its channel had been hijacked. On April 25th, the BAYC Instagram served as a conduit for a similar heist that netted over $1 million in NFTs simply by sending out a phishing link.