At around 4:30 a.m. ET on Friday, the official Discord channel for OpenSea, the world’s largest NFT marketplace, joined the growing list of NFT communities that have exposed participants to phishing attacks.
In this case, a bot posted a fake advertisement for a supposed OpenSea partnership with YouTube, enticing users to click a “YouTube Genesis Mint Pass” link to claim one of 100 free NFTs with “amazing utility” before they disappeared forever, followed by several follow-up messages. Blockchain security firm PeckShield tagged the URL the attackers linked to, “youtubenft[.]art”, as a phishing site; the site is now unavailable.
While the messages and the phishing site are gone, one person who said he lost an NFT in the incident pointed out the blockchain address that belonged to the attacker, so we can see more of what happened next. Although that address has been blocked on OpenSea’s site, viewing it on Etherscan.io or on Rarible, a competing NFT marketplace, shows that 13 NFTs were transferred in from five sources around the time of the attack. They are also now being reported on OpenSea for “suspicious activity,” and based on their prices when they were last sold, they appear to be worth a little over $18,000.
This type of man-in-the-middle attack, in which scammers exploit NFT traders looking to capitalize on “airdrops,” has become common against prominent Web3 organizations. Ads appear out of nowhere, and the nature of the blockchain gives some users reason to click first and consider the consequences later.
Beyond the desire to snag rare items, there is the knowledge that waiting can make minting an NFT much slower, more expensive, or even impossible (if your funds run out in the process). If you have left items or cryptocurrency in a hot wallet that is connected to the internet, handing your login details to a phisher could see them gone in seconds.
In a statement to The Verge, OpenSea spokeswoman Allie Mack confirmed the incident, saying: “Last night, an attacker was able to post malicious links on several of our Discord channels. We became aware of the malicious links shortly after they were posted and took immediate action to remedy the situation, including removing the malicious bots and accounts. We also alerted our community via our Twitter support channel not to click on any links in our Discord. We have not seen any new malicious posts since 4:30 am ET.”
“We continue to actively investigate this attack and will keep our community abreast of any relevant new information. Our preliminary analysis indicates that the attack had a limited impact. We are currently aware of less than 10 affected wallets and items stolen for less than 10 ETH,” says Mack.
Do not click on links in our Discord.
We are continuing to investigate this situation and will share information as we have it. https://t.co/jgtHcXifer
— OpenSea Support (@opensea_support) May 6, 2022
OpenSea has not said how the channel was hacked, but as we explained in December, one entry point for this style of attack is the webhooks feature that organizations often use to let bots post to their channels. If a hacker gains access to, or compromises, an authorized account, they can use it to send a message or URL that appears to come from an official source.
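Because a webhook post can carry any display name, the name on a message is no proof of who sent it; moderators therefore need a check that looks at the link and the posting path instead. The following Python script is an added example for this article, not OpenSea’s or Discord’s own tooling. It triages constructed Discord-style message objects the way a moderation bot could: every link’s hostname is compared against an allowlist of the community’s real domains, lure phrasing typical of fake airdrop or mint-pass posts is counted, and a post made through a webhook (Discord message objects carry a `webhook_id` field in that case) is scored as an extra risk factor. The allowlist, the lure patterns, and the three sample messages are all assumptions constructed for the example; the phishing host is the one named in the article.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the only domains this community's official posts link to.
ALLOWED_DOMAINS = {"opensea.io", "twitter.com", "discord.com"}

# Lure phrasing typical of fake airdrop / mint-pass posts (constructed from the
# wording described in the article; tune for your own community).
LURE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\bfree\b",
        r"\bmint(?:ing)?\b",
        r"\bairdrop\b",
        r"\bdisappear",
        r"\bonly \d+ (?:left|remain)",
    )
]

URL_RE = re.compile(r"https?://[^\s<>\"'()\]]+", re.IGNORECASE)


def domain_allowed(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def extract_hosts(text):
    """Return the hostname of every URL in a message body.

    urlparse().hostname drops any user-info prefix, so a lure such as
    https://opensea.io@evil.example/ resolves to evil.example, not opensea.io.
    """
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        hosts.append(host if host else "<unparseable>")
    return hosts


def assess(message):
    """Score one Discord-style message dict for airdrop-phishing indicators.

    Only these fields are assumed: 'id', 'content', and 'webhook_id'
    (present when the post was made through a webhook).
    """
    content = message.get("content", "")
    reasons = []
    score = 0
    for host in extract_hosts(content):
        if not domain_allowed(host):
            score += 3  # an off-allowlist link is the strongest single signal
            reasons.append(f"link to non-allowlisted host: {host}")
    hits = [p.pattern for p in LURE_PATTERNS if p.search(content)]
    if hits:
        score += len(hits)
        reasons.append("lure phrasing: " + ", ".join(hits))
    if message.get("webhook_id"):
        # Webhook posts show whatever display name the poster chose, so the
        # "official" look of the author proves nothing by itself.
        score += 1
        reasons.append("posted via webhook")
    return {"id": message["id"], "score": score, "reasons": reasons, "flag": score >= 3}


def triage(messages):
    """Assess a batch of messages; flagged ones should be held for review."""
    return [assess(m) for m in messages]


# Constructed sample messages: one legitimate post, one mint-pass lure posted
# through a webhook, and one that hides the real host behind a user-info prefix.
SAMPLE_MESSAGES = [
    {"id": "1", "webhook_id": None,
     "content": "Weekly roundup is live: https://opensea.io/blog/weekly"},
    {"id": "2", "webhook_id": "4242",
     "content": ("YouTube Genesis Mint Pass! Only 100 free NFTs with amazing utility, "
                 "grab yours before they disappear forever: https://youtubenft.art/mint")},
    {"id": "3", "webhook_id": None,
     "content": "claim here https://opensea.io@youtubenft.art/claim"},
]

if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGES):
        status = "FLAG" if result["flag"] else "ok  "
        print(f"{status} msg {result['id']} score={result['score']} {result['reasons']}")
```

The host check deliberately compares the parsed hostname rather than searching the raw text for a trusted domain name: message 3 contains the string “opensea.io” yet links to the phishing host, and a substring match would let it through.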
Recent hacks include one that stole $800,000 worth of blockchain trinkets from the “Rare Bears” Discord, and the Bored Ape Yacht Club’s announcement on April 1 that its channel had been compromised. On April 25, BAYC’s Instagram served as the conduit for a similar heist that netted more than $1 million in NFTs just by posting a phishing link.