At around 4:30 a.m. ET on Friday, the official Discord channel for OpenSea, the world’s largest NFT marketplace, joined the growing list of NFT communities that have exposed participants to phishing attacks.
In this case, a bot made a false announcement about OpenSea’s partnership with YouTube, along with some follow-up messages, enticing users to click a “YouTube Genesis Mint Pass” link to get their hands on one of 100 free “insane utility” NFTs before they would be gone forever. Blockchain security tracking company PeckShield tagged the URL the attackers linked to, “youtubenft[.]art,” as a phishing site; the site is currently unavailable.
Although the messages and phishing site are already gone, one person who said they lost NFTs in the incident pointed to this address on the blockchain as the attacker’s, so we can see more information about what happened next. While that identity is blocked on OpenSea’s site, viewing it via Etherscan.io or a competing NFT marketplace, rare, shows that 13 NFTs were transferred to it from five sources around the time of the attack. They are also now being reported on OpenSea for “suspicious activity” and appear to be worth just over $18,000 based on their prices at last sale.
This kind of intermediary attack, where scammers exploit NFT traders looking to take advantage of “airdrops,” has become common for prominent Web3 organizations. It is common for announcements to appear out of the blue, and the nature of the blockchain may give some users reasons to click first and consider the consequences later.
Aside from the desire to get your hands on rare items, there’s the knowledge that waiting can make getting your NFT during a rush much slower, more expensive, or even impossible (if you run out of money in the process). If users have left items or cryptocurrency in a hot wallet connected to the internet, coughing up credentials to a phisher can give them away in seconds.
In a statement to Custom Hour, OpenSea spokesperson Allie Mack confirmed the incident, saying: “Last night an attacker was able to post malicious links to several of our Discord channels. We noticed the malicious links shortly after they were posted and immediately took measures to remedy the situation, including removing the malicious bots and accounts. We have also warned our community through our Twitter support channel not to click on links in our Discord. We have not seen any new malicious messages since 4:30 a.m. ET.”
“We continue to actively investigate this attack and will update our community with any relevant new information. Our preliminary analysis shows that the attack had a limited impact. We are currently aware of less than 10 affected wallets and stolen items worth less than 10 ETH,” said Mack.
OpenSea has made no statement as to how the channel was hacked, but as we explained in December, one entry point for this style of attack is the webhooks feature that organizations often use to have the bots in their channels post messages. If a hacker gains access to or compromises an authorized person’s account, they can use it to send a message and/or URL that appears to come from an official source.
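The following is an added example, not code from the article or from OpenSea: a moderation check that quarantines bot or webhook posts linking outside an allowlist, which is the shape of the false announcement described above. The `webhook_id` and `author.bot` fields are modeled on Discord's message object; the allowlist, the lure terms and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions: the domains this server legitimately links to, and lure words
# of the kind used in the false announcement.
ALLOWED_DOMAINS = {"opensea.io", "youtube.com"}
LURE_TERMS = ("free", "mint", "airdrop", "claim")
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def hosts_in(text):
    """Extract hostnames, undoing defanging such as 'youtubenft[.]art'."""
    text = text.replace("[.]", ".").replace("hxxp", "http")
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        if "://" not in url:
            url = "http://" + url
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def is_allowed(host):
    # Exact match or a true subdomain; 'opensea.io.evil.example' must not pass.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def review(message):
    """Return (verdict, unknown_hosts) for one message record."""
    content = message["content"]
    automated = bool(message.get("webhook_id")) or message.get("author", {}).get("bot", False)
    unknown = [h for h in hosts_in(content) if not is_allowed(h)]
    lured = any(term in content.lower() for term in LURE_TERMS)
    if unknown and automated:
        return "quarantine", unknown   # bots/webhooks never link off-list
    if unknown and lured:
        return "flag", unknown         # human post, but reads like a lure
    return "allow", unknown

# Constructed sample records (not real Discord data).
SAMPLES = [
    {"webhook_id": "1", "author": {"bot": True},
     "content": "Claim a free YouTube Genesis Mint Pass: youtubenft[.]art"},
    {"author": {"bot": True}, "content": "New post: https://opensea.io/blog"},
    {"author": {"bot": False}, "content": "mint here https://opensea.io.evil.example/m"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(review(sample))
```

Holding automated posts to a strict allowlist means a compromised webhook or bot account cannot publish an off-domain link without tripping the check, even when the message otherwise looks official.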
Recent attacks include one that stole $800k worth of blockchain trinkets from the “Rare Bears” Discord, and the Bored Ape Yacht Club announced on April 1 that its channel had been compromised. On April 25, the BAYC Instagram served as the channel for a similar heist that seized more than $1 million worth of NFTs by sending a phishing link.