Thursday September 29, 2022

OpenSea’s official Discord was compromised in a phishing attack that stole at most $18k worth of NFTs

Friday at 4:30 AM ET, the official Discord channel of OpenSea, the largest NFT marketplace in the world, joined the growing number of NFT communities that have been exposed to phishing attacks. A bot created a fake announcement about OpenSea’s partnership with YouTube. It enticed users to click on the “YouTube Genesis Mint Pass” link to get one of 100 NFTs with “insane utilit” before they were gone forever. There were also a few follow-up messages. PeckShield, a blockchain security tracking company, tagged the URL the attackers linked, “youtubenft[.]].”
The messages and phishing site have been deleted. However, one victim who claimed they lost NFTs in the incident pointed to this address as belonging to the attacker, so we can now see more details about what happened next. Although that identity has been blocked by OpenSea, it can still be viewed via Etherscan.io and a rival NFT marketplace, Rarible. It shows 13 NFTs that were transferred to it from five sources at the time of the attack. OpenSea has also reported them for “suspicious activities,” and they are estimated to be worth just over $18,000 based on their last sale prices.
The phishing message as seen on Discord. Image by Richard Lawler / Discord

A screenshot of the thief as seen on Rarible. Image by Richard Lawler / Rarible.com

Web3 organizations have become well-versed in this type of intermediary attack, where scammers exploit NFT traders looking to profit from “airdrops.” Announcements can appear out of nowhere, and some users may be tempted to click the link first and consider the consequences later.
There’s more to it than the desire to grab rare items. In a rush to mint an NFT, waiting can make the process slower, more costly, or even impossible if funds run out. If users have cryptocurrency or items in a hot wallet that is connected to the internet, then giving login details to a hacker could result in those assets being given away in a matter of seconds.
Allie Mack, OpenSea spokesperson, stated that an attacker was able “last night” to post malicious links in Discord channels. “We immediately noticed the malicious links shortly after they were posted. We also took immediate action to correct the situation, including removing malicious accounts and bots. We also alerted our Discord community via Twitter to warn them not to click on any links. Since 4:30 AM ET, we have not seen any malicious posts.
“We are continuing to investigate the attack and will keep our community informed of any new information. Our preliminary analysis shows that the attack had minimal impact. We are aware of less than 10 wallets that were impacted and stolen items totaling less than 10 Ethereum,” Mack says.

Please do not click on links in our Discord. We are still investigating this situation and will share any information we find. https://t.co/jgtHcXifer – OpenSea Support (@opensea_support) May 6, 2022

OpenSea has yet to comment on the hacking of the channel. However, as we explained in December, the webhooks feature is a common entry point for this type of attack. Organizations often use it to control bots in their channels and make posts. Hackers who gain access to the account of an authorized user can use it to send messages and URLs that appear to be from official sources.
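As an added example (not from the original article, OpenSea or Discord), here is a moderation check that holds any message whose links leave an allowlist and notes when it arrived through a webhook or bot account. The allowlist, the lure word list and the sample messages are assumptions constructed for illustration, and the youtubenft.example host is a placeholder.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only domains this server's announcements legitimately link to.
ALLOWED_DOMAINS = {"opensea.io", "twitter.com"}
URL_RE = re.compile(r"https?://[^\s<>()\[\]]+", re.I)
LURE_RE = re.compile(r"\b(mint|airdrop|claim|free)\b", re.I)  # illustrative wording list


def host_allowed(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def review_message(msg):
    """Return the reasons a Discord message object should be held for review."""
    content = msg.get("content", "")
    reasons = []
    for url in URL_RE.findall(content):
        # .hostname ignores any "user@" prefix, so opensea.io@other.host
        # is judged by the host the browser would actually contact.
        host = (urlsplit(url.rstrip(".,;:!?'\"")).hostname or "").rstrip(".")
        if not host_allowed(host):
            reasons.append(f"non-allowlisted link host: {host}")
    if not reasons:
        return []
    # webhook_id is set on messages sent through a webhook; author.bot on bot users.
    if msg.get("webhook_id") or msg.get("author", {}).get("bot"):
        reasons.append("sent by a webhook or bot account")
    if LURE_RE.search(content):
        reasons.append("mint/airdrop lure wording")
    return reasons


# Constructed sample messages (not real Discord data); *.example hosts are placeholders.
SAMPLES = [
    {"id": "1", "webhook_id": "900", "author": {"username": "Announcements", "bot": True},
     "content": "We partnered with YouTube! Mint pass: https://youtubenft.example/mint"},
    {"id": "2", "author": {"username": "mod"},
     "content": "Status update: https://opensea.io/blog."},
    {"id": "3", "author": {"username": "helper"},
     "content": "Claim here https://opensea.io@youtubenft.example/claim"},
    {"id": "4", "author": {"username": "helper"},
     "content": "See https://support.opensea.io.youtubenft.example/"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["id"], review_message(m) or "ok")
```

Samples 3 and 4 show why the check compares the parsed hostname rather than searching the URL text for a trusted name.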
Recent attacks include one that took $800k worth of blockchain trinkets from the “Rare Bears” Discord. The Bored Ape Yacht Club announced that its channel was compromised on April 1. The BAYC Instagram was used as a conduit to a similar heist on April 25th. It snagged more than $1 million worth of NFTs by simply sending out a link.
