OpenSea’s official Discord server was hacked on Friday morning. A bot posted a fake announcement claiming that OpenSea was partnering with YouTube and offered a link to a “YouTube Genesis Mint Pass” promising 100 free NFTs.
The messages and the phishing site have already been taken down, but one user who lost NFTs in the incident has pointed to a specific blockchain address as the attacker’s. OpenSea has blocked the address’s account, but viewing it on Rarible reveals 13 NFTs that were transferred from five sources around the time of the attack.
The NFTs have been reported on OpenSea for “suspicious activity”. Based on their last prices, the net value of all stolen pieces is over $18,000.
Blockchain security company PeckShield tagged the phishing site — youtubenft.art. OpenSea has also acknowledged the hack and is currently investigating the situation, with more information coming as they discover more.
In a statement to The Verge, OpenSea spokesperson Allie Mack said that preliminary analysis shows fewer than 10 wallets impacted and the stolen items valued at under 10 ETH. Whether the impacted customers will be reimbursed in any form is not yet known.
These kinds of attacks aren’t exactly new. Only recently, the BAYC’s official Instagram account was hacked in a similar fashion: the attacker posted a phishing link from the official Instagram channel, tricking users into losing more than $1 million worth of NFTs.
OpenSea hasn’t issued a statement on how the attack was carried out, but one possible entry point for this type of attack is the webhooks that organisations use to let bots send messages and make posts in Discord channels. A compromised webhook gives the attacker access to an authorised account, which can then be used to send messages that appear to come from an official source but are in fact targeted attacks.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.