OpenSea, the leading marketplace for nonfungible tokens, or NFTs, said Friday that it is "actively investigating" a breach of its main Discord channel.
"Do not click links in our Discord," the company tweeted. "We are continuing to investigate this situation and will share information as we have it."
'Malicious Links'
The hackers posted a notice of a fake YouTube partnership announcement that included a link to a phishing site.
OpenSea said in a statement that "an attacker was able to post malicious links in several of our Discord channels."
"We noticed the malicious links soon after they were posted and took immediate steps to remedy the situation, including removing the malicious bots and accounts," the company said. "We also alerted our community via our Twitter support channel to not click any links in our Discord. We have not seen any new malicious posts since 4:30am ET."
The company said a preliminary investigation indicated the attack had "limited impact."
"We are currently aware of fewer than 10 impacted wallets and stolen items amounting to less than 10 ETH," the statement said. "We continue to actively investigate this attack, and will keep our community apprised of any relevant new information."
Ethereum prices were down about 2% to $2,701.54, at last check.
'A Simple Phishing Attack'
Kate Kurbanova, Co-founder and COO of the risk management platform Apostro, said the OpenSea Discord hack is "a simple phishing attack, probably one of the admins got hacked or added a malicious bot by mistake--or even the bot itself was exploited."
"The malicious bot got admin rights to post in the announcement channel and posted links to the phishing website," she said. "It's a pretty common vector of attack - the best way to prevent it is by securing admin accounts with 2FA (two-factor authentication) and similar practices, as well as monitoring all managing bots and rights once every couple of weeks."
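The periodic bot-and-rights review Kurbanova describes can be scripted. The block below is an added example, not code from the article, from Apostro or from OpenSea: it runs over a constructed, hypothetical guild (role bitfields, #announcements overwrites and bot memberships are all made up) and lists every bot account that could post, mention everyone or manage webhooks in the announcements channel. The permission bit values and the evaluation order (role union, ADMINISTRATOR bypass, then @everyone and role overwrites) follow Discord's published permission model.

```python
# Added example over constructed data; not any company's real configuration.
ADMINISTRATOR, SEND_MESSAGES, MANAGE_MESSAGES = 1 << 3, 1 << 11, 1 << 13
MENTION_EVERYONE, MANAGE_WEBHOOKS = 1 << 17, 1 << 29
FLAGS = {ADMINISTRATOR: "ADMINISTRATOR", SEND_MESSAGES: "SEND_MESSAGES",
         MANAGE_MESSAGES: "MANAGE_MESSAGES", MENTION_EVERYONE: "MENTION_EVERYONE",
         MANAGE_WEBHOOKS: "MANAGE_WEBHOOKS"}
RISKY = sum(FLAGS)  # any of these puts content in front of the whole community

# Constructed guild (hypothetical): role -> base permissions; #announcements
# overwrites as role -> (allow, deny); bot account -> roles it holds.
ROLES = {"everyone": 0, "mods": SEND_MESSAGES | MANAGE_MESSAGES,
         "ticket-bot": 0, "giveaway-bot": ADMINISTRATOR}
ANNOUNCEMENTS = {"everyone": (0, SEND_MESSAGES | MENTION_EVERYONE),
                 "mods": (SEND_MESSAGES, 0),
                 "ticket-bot": (SEND_MESSAGES | MENTION_EVERYONE, 0)}
BOTS = {"TicketBot": ["everyone", "ticket-bot"],
        "GiveawayBot": ["everyone", "giveaway-bot"],
        "WelcomeBot": ["everyone"]}

def channel_permissions(member_roles, roles, overwrites):
    """Effective permissions in one channel: OR of role permissions,
    ADMINISTRATOR bypasses every overwrite, then the @everyone overwrite,
    then the union of the member's role-specific overwrites."""
    base = 0
    for r in member_roles:
        base |= roles[r]
    if base & ADMINISTRATOR:
        return ADMINISTRATOR | RISKY
    allow, deny = overwrites.get("everyone", (0, 0))
    perms = (base & ~deny) | allow
    role_allow = role_deny = 0
    for r in member_roles:
        if r != "everyone" and r in overwrites:
            role_allow |= overwrites[r][0]
            role_deny |= overwrites[r][1]
    return (perms & ~role_deny) | role_allow

def audit_bots(bots=BOTS, roles=ROLES, overwrites=ANNOUNCEMENTS):
    """Return {bot: [permission names]} for each bot that can reach the channel."""
    findings = {}
    for bot, held in bots.items():
        perms = channel_permissions(held, roles, overwrites)
        hit = [name for bit, name in FLAGS.items() if perms & bit]
        if hit:
            findings[bot] = hit
    return findings

if __name__ == "__main__":
    for bot, perms in audit_bots().items():
        print(f"{bot}: review or remove -> {', '.join(perms)}")
```

Against a live guild the same logic would be fed from the roles, channel overwrites and member list the Discord API returns; a bot that shows up here without a documented reason to post in announcements is the one to remove.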
Hugo Lee, CEO of global digital asset management platform Haru Invest, said that "fast growth attracts hackers. With explosive growth of the NFT market last year, hacking issues are increasing, just like what the DeFi market experienced in 2020 and 2021. Hacking methods are changing too - from attacks on the Hot Wallet via Smart Contracts to hacking a company's email or Discord and sending out phishing links."
"With mass adoption of crypto and NFT on the way, organizations need to pay more attention to creating a secure environment for users," Lee said. "For DeFi and NFT companies, a third-party Smart Contract Audit or DeFi Audit should be considered."
For CeFi companies, he added, "protecting digital assets on the Hot Wallet is the priority - we could say that companies that use the Cold Wallet for asset management tend to be safer."
'Users Have a Role to Play'
"Users have a role to play as well," Lee said. "Two-factor authentication is a must, and users need to be aware of phishing links as they may activate Hot Wallet or set up smart contracts."
"Bruhh wen this hak will stop @elonmusk you should buy @discord too lol," commented one person, referring to Tesla (TSLA) CEO Elon Musk's $44 billion deal to acquire Twitter (TWTR).
This is not the first time OpenSea has been the victim of a hack.
In February, OpenSea said it was investigating a scam targeting users of its NFT platform.
The hacker(s) stole several NFTs and had already sold a few for ethereum worth $1.7 million, according to CEO Devin Finzer.
OpenSea made Time Magazine's (TIME) list of the 100 Most Influential Companies in March.
OpenSea began accepting ApeCoin, the main token for the Bored Ape Yacht Club ecosystem and the main currency required in the metaverse game experience Otherside.
In January, OpenSea raised $300 million in new venture funding, led by venture capital firms Paradigm and Coatue, valuing the company at $13.3 billion.