$27 000 USD

MAY 2022

GLOBAL

OPENSEA

DESCRIPTION OF EVENTS

"The world’s first and largest digital marketplace for crypto collectibles and non-fungible tokens (NFTs). Buy, sell, and discover exclusive digital items." "Discover, collect, and sell extraordinary NFTs. OpenSea is the world's first and largest NFT marketplace."


"As the first and largest marketplace for Non-Fungible Tokens and Semi-Fungible Tokens, OpenSea provides a first-in-class developer platform consisting of an API, SDK, and developer tutorials. Feel free to browse around and get acclimated with developing smart contracts and interacting with NFT data."


"Fascinated by the [CryptoKitties] movement that was forming, Devin Finzer and Alex Atallah joined early adopter communities in Discord and started talking to users. With the OpenSea beta launch in December 2017, the first open marketplace for any non-fungible token on the Ethereum blockchain was born."


"Valued at $13 billion in a recent funding round, OpenSea has become one of the most valuable companies of the NFT boom, providing a simple interface for users to list, browse, and bid on tokens without interacting directly with the blockchain."


"Carl Bot makes it easy for you to control your channel’s activities and moderate members." "A Carl Bot is a digital handyman you add to your Discord server to manage menial tasks for you. For example, you want to drop a message every time someone enters or leaves. Or you wish to keep the authority of banning members to yourself. You can do both with a Carl Bot. The bot essentially allows you to preset welcome messages, assign roles to selected members, give customized commands, log activities, and perform tons of other useful actions. In other words, Carl Bot can save your time."


"Several Discord servers for the NFT marketplace OpenSea were hacked Thursday night by a scammer promoting a fake project, the company said." "Initial reports suggest that the intruder used webhooks to access server controls. A webhook is a server plugin that allows other software to receive real-time information. Webhooks have been used increasingly as an attack vector by hackers because they provide the ability to send messages from official server accounts."


"Around 4:30AM ET on Friday [May 6th], the official Discord channel for OpenSea, the world’s largest NFT marketplace, joined the growing list of NFT communities that have exposed participants to phishing attacks." "A partnership with a site as large as YouTube would almost surely increase traffic, but OpenSea has not made any such announcements yet."


"The hacker's initial post, which was published in the announcements channel, claimed that OpenSea had “partnered with YouTube to bring their community into the NFT Space.” It also said that they would co-release a mint pass with OpenSea that would allow holders to mint their project for free." "A screenshot shared Friday shows fake collaboration news, accompanied by a link to a phishing site."


"In this case, a bot made a fake announcement about OpenSea partnering with YouTube, enticing users to click on a “YouTube Genesis Mint Pass” link to snag one of 100 free NFTs with “insane utility” before they’d be gone forever, as well as a few follow-up messages. Blockchain security tracking company PeckShield tagged the URL the attackers linked, “youtubenft[.]art” as a phishing site, which is now unavailable."


"The spam messages originate from something called “Carl-Bot”. Discord channels typically make use of bots for low-level admin duties, general assistance and so on. Carl-Bot itself is a common sight across Discord, with lots of time saving features. Sadly, spamming phish links is not supposed to be one of them." "If Carl-Bot was present in the channel prior to the compromise, its purpose has been changed and not for the better."


"Important announcement: We have partnered with YouTube to bring their community into the NFT Space, and we're releasing a mint pass with them that will allow holders to mint their project for free along with getting other insane utilities for being a holder of it. You are able to get this mint pass below for 100% free. There will only be 100 of these however, once they are gone they won't be coming back and you will have to purchase off the Opensea market place. Congratulations to those who get one. You can mint the YouTube Genesis Mint Pass here for free: https://youtubenft.art/"


"The issue came to light when several users flagged the matter on Twitter. Crypto influencer, who goes by the name Serpent on Twitter, flagged the issue first." "The breach was first publicized on Twitter by “Serpent,” the pseudonymous developer of Sentinel, which is software for detecting Discord hacks aimed at crypto investors." "An OpenSea spokesperson said in a statement to Fortune that the company has taken actions against the scammer or scammers and hasn’t seen any malicious posts since 4:30 a.m. ET. Less than 10 digital wallets were affected, and the NFTs stolen were worth less than 10 Ether, or about $26,903, as of Friday, they added."


"We are currently investigating a potential vulnerability in our Discord, please do not click on any links in the Discord," tweeted OpenSea on Friday. "Do not click links in our Discord. We are continuing to investigate this situation and will share information as we have it."


"PeckShieldAlert posted the image of the same website with an alert warning people of the possible attempt by hackers to steal their private key, tricking users into giving them token approval and/or buying scam tokens."


"We noticed the malicious links soon after they were posted and took immediate steps to remedy the situation, including removing the malicious bots and accounts. We also alerted our community via our Twitter support channel to not click any links in our Discord," an OpenSea spokesperson said.


"OpenSea told Fortune that it was actively investigating the hack on its Discord and would keep its community updated with new information." In a statement to The Verge, OpenSea spokesperson Allie Mack confirmed the incident, saying, “Last night, an attacker was able to post malicious links in several of our Discord channels. We noticed the malicious links soon after they were posted and took immediate steps to remedy the situation, including removing the malicious bots and accounts. We also alerted our community via our Twitter support channel to not click any links in our Discord. We have not seen any new malicious posts since 4:30am ET.”


"[H]ackers stole a relatively smaller bounty of $26,903." "On-chain data shows 13 wallets that seem to have been compromised as of writing, with the most valuable stolen NFT being a Founders' Pass worth around 3.33 ETH or $8,982.58."


"A few users in OpenSea's Discord said that NFTs were stolen from them." "My two NFTs have been stolen because of this hack." "[M]y two [NFT]s stolen. [The ]thief's address [is] 0x5Bf15Af9B432b3ea4bbF5B219A77b788CE83d113[. W]here is the support?" one user wrote, tagging a community manager. "The thief's OS account and NFTs in his account seem to have not been marked yet. Please stop slow mode." "OpenSea said that it was aware of fewer than 10 wallets that were impacted and that some items were stolen, adding up to a total value of less than 10 ETH ($27,000)."


"The wallet address identified by that user and another who said they had NFTs stolen from them had 13 NFTs transferred to it on Friday morning—none from high-value collections—worth just under $20,000 if the stolen NFTs are sold at their collections' floor price. It also holds $93.50 in ETH. The address has not been marked on Etherscan as a phishing address, and Motherboard could not verify it beyond Discord users' reports."


"The site right now is a blank page save for mention of a Twitter account, which has no content or likes posted to it. It could be the calling card of whoever did this, or it could be misdirection on the part of the site owner. Either way, Malwarebytes blocks the URL in question." "The site has since been wiped and currently only displays text reading: “@allah on Twitter.” That account was created in February, has no tweets, and is following no-one."


"While the messages and phishing site are already gone, one person who said they lost NFTs in the incident pointed to this address on the blockchain as belonging to the attacker, so we can see more information about what happened next. While that identity has been blocked on OpenSea’s site, viewing it via Etherscan.io or a competing NFT marketplace, Rarible, shows 13 NFTs were transferred to it from five sources around the time of the attack. They’re now also reported on OpenSea for “suspicious activity” and, based on their prices when last sold, appear to be worth a little over $18,000."


“Our preliminary analysis indicates that the attack had limited impact,” an OpenSea spokesperson said.


Explore This Case Further On Our Wiki

OpenSea is one of the best known NFT marketplaces globally. They used the Carl Bot to assist with managing their Discord channel. Early in the morning on Friday, May 6th, their Discord channel was overtaken by Carl Bot and used to publish multiple phishing scam links, which announced a partnership with YouTube and encouraged users to mint rare NFTs with high utility. In the end, damages were reported at $26,903 USD. It's unclear if any of that has ever been recovered.

HOW COULD THIS HAVE BEEN PREVENTED?

The primary issue was the security configuration of the Discord server, which granted the Carl Bot permissions it did not need for its moderation and housekeeping duties. Careful consideration needs to be given to the access level of every bot employed on a Discord server: a bot should hold only the permissions its actual tasks require, since any of its excess permissions become the attacker's the moment the bot or its integration is compromised.
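One concrete way to apply that check, as an added example that is not OpenSea's, Carl Bot's or Discord's own code: decode the permission integer Discord shows for a bot's role and flag anything beyond what the bot's job needs. The bit values are Discord's documented permission flags; the sample role and the "required" set are constructed for illustration.

```python
"""Least-privilege audit for a Discord bot's guild permissions.

Added example, not code from the page or the projects it names. Discord
exposes a role's permissions as an integer bitfield; each named permission
is one bit. A welcome/role bot needs a handful of bits, and anything beyond
that is reachable by whoever takes over the bot or its integration.
"""

# Discord permission flags (bit positions from the Discord API documentation).
PERMISSIONS = {
    "KICK_MEMBERS": 1 << 1,
    "BAN_MEMBERS": 1 << 2,
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4,
    "MANAGE_GUILD": 1 << 5,
    "VIEW_CHANNEL": 1 << 10,
    "SEND_MESSAGES": 1 << 11,
    "MANAGE_MESSAGES": 1 << 13,
    "MENTION_EVERYONE": 1 << 17,
    "MANAGE_ROLES": 1 << 28,
    "MANAGE_WEBHOOKS": 1 << 29,
}

# Bits that let a compromised bot post as the server, reach every member,
# or escalate further; excess here is the finding that matters most.
HIGH_RISK = {"ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES",
             "MANAGE_WEBHOOKS", "MENTION_EVERYONE"}


def decode(bitfield: int) -> set:
    """Return the names of all permissions set in a Discord permission integer."""
    return {name for name, bit in PERMISSIONS.items() if bitfield & bit}


def encode(names) -> int:
    """Build a permission integer from permission names (inverse of decode)."""
    return sum(PERMISSIONS[n] for n in names)


def audit(bitfield: int, required: set) -> dict:
    """Compare a bot's granted permissions against the set its tasks require."""
    granted = decode(bitfield)
    excess = granted - required
    return {
        "excess": sorted(excess),
        "high_risk_excess": sorted(excess & HIGH_RISK),
        # ADMINISTRATOR bypasses every other permission check, so a bot
        # holding it effectively has all bits regardless of what else is set.
        "implicit_all": "ADMINISTRATOR" in granted,
        "least_privilege": not excess,
    }
```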


NFT traders can avoid falling victim to such fraud by not making rushed decisions, double-checking any promotion against multiple official sources, and avoiding any mint that seems too good to be true.

