OpenSea Discord hack goes to show that even the biggest NFT marketplaces can’t keep their channels safe from scammers.
On Friday morning, scammers gained access to the official Discord for the popular NFT marketplace, netting just under $20k in NFTs.
Hackers accessed the official Discord server of popular NFT marketplace OpenSea on Friday morning, sending a bot message to trick users into visiting a fake website that looked like YouTube, but was actually set up to steal crypto wallet data.
In this case, a bot announced that OpenSea had partnered with YouTube, enticing users to click on a link to claim one of 100 free NFTs with “insane utility” before they were gone forever, as well as a few follow-up messages. According to blockchain security tracking company PeckShield, the URL the attackers linked to, “youtubenft[dot]art,” is now unavailable and has been tagged as a phishing site.
In recent years, prominent Web3 organisations have suffered from this kind of intermediary attack, which exploits traders looking to take advantage of “airdrops”. Unexpected announcements are common in the cryptocurrency market, and some users click first and consider the consequences later.
“Serpent,” the pseudonymous developer of the Discord hack-detection software Sentinel, was the first to make public the OpenSea Discord hack.
Several OpenSea discord users claim their NFTs were stolen.
“my two nfts stollen. thief’s address 0x5Bf15Af9B432b3ea4bbF5B219A77b788CE83d113 where is the support?”
A user asked while tagging a community manager.
“The thief’s OS account and nfts in his account seems have not been marked yet, please stop slow mode” the message continued.
OpenSea’s support account posted on Twitter on Friday morning that it was investigating a “potential Discord vulnerability.”
It urged users not to click on links in the Discord channel. “We are continuing to investigate this situation and will share information as we have it.” An admin posted a similar message in the OpenSea Discord.
A common entry point for this style of attack is the webhooks feature used by organizations to control bots in their channels. Hackers can use compromised accounts to send messages and / or URLs that appear to be from an authorised source.
On April 1st, the Bored Ape Yacht Club announced that its channel had been hacked, resulting in the theft of $800k worth of blockchain trinkets from the “Rare Bears” Discord. A phishing link sent out on the BAYC Instagram on April 25th led to the theft of $1 million worth of NFTs.