At around 4:30 a.m. ET on Friday, the official Discord channel for OpenSea, the world’s largest NFT marketplace, joined the growing list of NFT communities that have exposed participants to phishing attacks.
In this case, a bot posted a false announcement of a partnership between OpenSea and YouTube, followed by a few follow-up messages, urging users to click a “YouTube Genesis Mint Pass” link to claim one of 100 free “insane utility” NFTs before they were gone forever. Blockchain security firm PeckShield flagged the linked URL, “youtubenft[.]art”, as a phishing site; it is now offline.
While the messages and the phishing site are already gone, a person who said they lost NFTs in the incident pointed to this address on the blockchain as belonging to the attacker, so we can see more of what happened next. Although that address has been blocked on OpenSea’s site, viewing it on Etherscan.io or on Rarible, a competing NFT marketplace, shows 13 NFTs transferred to it from five sources around the time of the attack. Those NFTs have since been reported on OpenSea for “suspicious activity” and appear to be worth just over $18,000 based on their last sale prices.
This kind of phishing attack, in which scammers exploit NFT traders’ appetite for free “airdrops,” has become common against prominent Web3 organizations. Announcements routinely appear out of the blue, and the nature of the blockchain gives some users reasons to click first and consider the consequences later.
Beyond the desire to get your hands on rare items, there is the knowledge that waiting to mint during a rush can make the transaction much slower, more expensive, or even impossible (if you run out of funds along the way). For users who keep items or cryptocurrency in a hot wallet connected to the internet, handing their credentials to a phisher can see it all taken in seconds.
In a statement to The Verge, OpenSea spokesperson Allie Mack confirmed the incident, saying: “Last night an attacker was able to post malicious links in several of our Discord channels. We noticed the malicious links shortly after they were posted and immediately took action to remedy the situation, including removing the malicious bots and accounts. We have also warned our community through our Twitter support channel not to click on links in our Discord. We haven’t seen any new malicious messages since 4:30 a.m. ET.”
“We continue to actively investigate this attack and will update our community with any relevant new information. Our preliminary analysis shows that the attack had a limited impact. We are currently aware of less than 10 affected wallets and stolen items worth less than 10 ETH,” said Mack.
Don’t click on links in our Discord.
We continue to investigate this situation and will share information as we have it. https://t.co/jgtHcXifer
— OpenSea support (@opensea_support) May 6, 2022
OpenSea has not said how the channel was hacked, but as we explained in December, one entry point for this style of attack is Discord’s webhooks feature, which organizations use to let bots post messages in their channels. A webhook URL is effectively a bearer credential: anyone who obtains it, or who compromises the account of someone authorized to manage it, can post a message or link that appears to come from an official source.
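Because the webhook URL itself is the secret, a practical check for a server operator is to scan bot configs, pasted logs and support tickets for leaked webhook URLs and redact the token before anything is stored or shared. The following is an added example written for this article, not code from OpenSea or Discord; it assumes only the documented Discord webhook URL shape (`https://discord.com/api/webhooks/<id>/<token>`), and the sample config text and token below are constructed.

```python
import re

# Discord webhook execute URLs look like
#   https://discord.com/api/webhooks/<webhook_id>/<webhook_token>
# (older links use discordapp.com; ptb/canary are test builds). The token is
# the only secret: anyone holding the full URL can POST messages that render
# under the webhook's name and avatar in the channel it is bound to.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{50,})"
)

# Constructed sample data: a fake token (clearly not a real Discord token) and
# a snippet that mixes a leaked webhook with an ordinary, harmless channel link.
FAKE_TOKEN = "fake_token_" + "a" * 57
SAMPLE_TEXT = (
    "# constructed sample: bot config pasted into a support ticket\n"
    f"ANNOUNCE_HOOK=https://discord.com/api/webhooks/123456789012345678/{FAKE_TOKEN}\n"
    "invite: https://discord.com/channels/123456789012345678/987654321098765432\n"
)


def find_webhooks(text):
    """Return (webhook_id, token) pairs for every webhook URL found in text."""
    return [(m.group("id"), m.group("token")) for m in WEBHOOK_RE.finditer(text)]


def redact_webhooks(text):
    """Replace each webhook token with a marker, keeping the id so the hook
    can still be identified and deleted or regenerated by the server owner."""
    return WEBHOOK_RE.sub(
        lambda m: m.group(0).replace(m.group("token"), "<REDACTED>"), text
    )


if __name__ == "__main__":
    for hook_id, token in find_webhooks(SAMPLE_TEXT):
        print(f"leaked webhook id={hook_id} token_length={len(token)}")
    print(redact_webhooks(SAMPLE_TEXT))
```

If the scan finds a hit, the remedy is to delete or regenerate that webhook in the server's settings rather than just redacting the copy you found: the leaked URL keeps working until the webhook is gone, and nothing in the message it posts distinguishes the legitimate operator from whoever else holds the URL.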
Recent attacks include one that stole $800k worth of blockchain trinkets via the “Rare Bears” Discord, and the Bored Ape Yacht Club announced on April 1 that its Discord had been compromised. On April 25, the BAYC Instagram account was used for a similar heist that netted more than $1 million worth of NFTs, again simply by posting a phishing link.