Around 4:30AM ET on Friday, the official Discord channel for OpenSea, the world’s largest NFT marketplace, joined the growing list of NFT communities that have exposed participants to phishing attacks.

In this case, a bot made a fake announcement about OpenSea partnering with YouTube, enticing users to click on a “YouTube Genesis Mint Pass” link to snag one of 100 free NFTs with “insane utility” before they’d be gone forever, as well as a few follow-up messages. Blockchain security tracking company PeckShield tagged the URL the attackers linked, “youtubenft[.]art,” as a phishing site, which is now unavailable.

While the messages and phishing site are already gone, one person who said they lost NFTs in the incident pointed to this address on the blockchain as belonging to the attacker, so we can see more information about what happened next.

While they have unique markers, one is functionally identical to another. NFTs, meanwhile, represent unique digital assets that people can’t duplicate or directly exchange with another of equal value.

What Does NFT Ownership Really Mean?

The result is that NFTs are a fun idea, in theory. Instead of a fungible asset like physical cash that can be broken into its component parts and still retain value, NFTs have unique properties that can’t be altered.
One of the most popular mediums for NFTs is art: digital representations of physical images that go to the highest bidder. As noted by the New York Times, one of these tokenized JPGs recently sold for $69 million.

What’s important to note is that owning an NFT doesn’t confer ownership of the physical asset itself. It only confers ownership of the unique digital token.

Justin Tayler confirmed that the account had been hacked and locked it down.

Zeneca, who has since gotten access to his account back, claims he has no idea of how the hack took place. In a Twitter thread, he said he had two-factor authentication (2FA) enabled using Google Authenticator, and even speculated that this could be an inside job.

Web3 security analyst Serpent also asked Tayler to do an internal investigation, saying that “way too many high profile accounts (with authenticator 2FA) have been getting hacked recently.”

The hack came shortly after the Bored Ape Yacht Club creator Yuga Labs warned the NFT community in a Monday tweet about “a persistent threat group that targets the NFT community.”

“We believe that they may soon be launching a coordinated attack targeting multiple communities via compromised social media accounts.

If they’ve left any items or cryptocurrency in their hot wallet that’s connected to the internet, then coughing up login details to a phisher could give them away in seconds.

In a statement to The Verge, OpenSea spokesperson Allie Mack confirmed the incident, saying, “Last night, an attacker was able to post malicious links in several of our Discord channels. We noticed the malicious links soon after they were posted and took immediate steps to remedy the situation, including removing the malicious bots and accounts. We also alerted our community via our Twitter support channel to not click any links in our Discord.
We have not seen any new malicious posts since 4:30am ET.”

“We continue to actively investigate this attack, and will keep our community apprised of any relevant new information. Our preliminary analysis indicates that the attack had limited impact.

Let us find out more about the individual challenges, vulnerabilities, and security risks evident for NFTs in present times.

  • Challenges of Ownership: With the introduction of NFTs, the concept of asset ownership was redefined. But because of limited storage capacity, it was impossible to store NFT images on the blockchain itself. Instead, the blockchain stores only an identifier: a hash of the image or its web address.

    Users have to use that identifier to access the NFT on third-party platforms. So if the third-party platform that is minting your NFT faces cyber-vulnerabilities or goes out of business, you will lose access to the NFT, and the NFT will lose its value.

  • Cyber Security and Identity Fraud: This is an issue that can happen to any online entity, especially when it has a specific monetary value.

“As of this writing, it seems like a compromise of the private keys of our hot wallet and not a bug in the Roll smart contracts or any token contracts,” they said.

As the investigation continues, with an audit and a forensic analysis announced, Roll said that they have temporarily disabled withdrawals of all social money from the Roll wallet until the hot wallet has been migrated. They also announced a USD 500,000 fund “to help the creators and their communities affected by this.”

They provided the attacker contract and the attacker contract creator address, with a balance of nearly USD 2m in ETH.

Rather than receiving an NFT, wallets were being drained of the Solana cryptocurrency, which both projects used for purchases.

In the space of an hour, a Twitter post, first from Monkey Kingdom and then from Fractal, informed followers that their Discord servers had been hacked; news of the NFT mints was bogus, the links a phishing fraud. In the case of Fractal, the scammers got away with about $150,000 worth of cryptocurrency. For Monkey Kingdom, the estimated total was reported to be $1.3 million.

Neither attack targeted the blockchain or the tokens themselves.
Instead, the thieves exploited weaknesses in the infrastructure used to sell the tokens — specifically, the Discord chatrooms where NFT fans gather. It’s a reminder of a persistent weakness in the growing NFT economy, where surprise drops have primed buyers to move fast or risk missing out.

On Tuesday, December 21st, two NFT projects fell victim to the same attack. Like many projects in the crypto world, the NFT collection Monkey Kingdom and in-game asset marketplace Fractal both engaged heavily with their communities through Discord chat servers. Both projects were about to distribute rewards to their community members: Monkey Kingdom through an NFT presale on the day of the 21st and Fractal through a token airdrop — essentially a free distribution to early supporters — a few days later.

Then, disaster struck.
Posts appeared in the official “announcements” channel of each project claiming that a surprise mint would reward community members with a limited edition NFT. Hundreds jumped at the chance — but for those who followed the links and connected their crypto wallets, a costly surprise was waiting.

They are stored as a hash of the image or just as a web address pointing to the media. You will need an identifier to view your NFT on a platform run by a third party. So, an individual purchasing an NFT would not be purchasing the actual image but an identifier.
Such an identifier can take the user to the Interplanetary File System (IPFS), which opens several possibilities for attacks.

This was precisely the case with OpenSea, where the Wyvern Protocol, which allocates signatures to NFT owners for trading on the platform, was duplicated to steal the assets.

NFT trading platforms such as Nifty Gateway and OpenSea store the keys to all the digital assets. One can only imagine the havoc it can create when cyberattacks compromise such platforms. One such attack on Nifty occurred in March 2021 and exposed the risks involved.

“We are currently aware of fewer than 10 impacted wallets and stolen items amounting to less than 10 ETH,” says Mack.

Do not click links in our Discord.

We are continuing to investigate this situation and will share information as we have it.

— OpenSea Support (@opensea_support) May 6, 2022


Discord hacking is the newest threat for NFT buyers

OpenSea has not made a statement about how the channel was hacked, but as we explained in December, one entry point for this style of attack is the webhooks feature that organizations often use to control the bots in their channels to make posts.

But in the case of NFTs, these values are variable and depend on several factors such as the number of a particular NFT created, the support of the community, when these tokens were created, etc.

On the positive side, NFTs provide better control over your digital assets and improve cyber assets’ liquidity. But concerns over their security and vulnerabilities remain, especially with significant cyberattacks on NFT trading platforms such as OpenSea, where hackers recently stole more than 250 NFTs, leading to losses worth $1.7 million.

Case Example of OpenSea and Nifty Gateway

Since NFTs are at an initial stage of growth and people are still coming to understand their functionality and usability, they provide a perfect opportunity for malicious hackers to steal from the digital community.

The biggest issue is with the process of ownership and storage of NFTs.
