OpenSea, the primary marketplace for buyers and sellers of non-fungible tokens (NFTs), has reported major problems with its Discord support channel. How major? Well, there’s a “potential vulnerability” which allowed spambots to post phishing links to other users, a problem that led OpenSea Support to declare “please do not click any links in the Discord.”
There’s no further information on how this occurred, but situations like this can happen if a channel’s administrator gets phished. If Discord had suffered a software vulnerability we would expect to see other channels being compromised too.
The spam messages originate from something called “Carl-Bot”. Discord channels typically make use of bots for low-level admin duties, general assistance and so on. Carl-Bot itself is a common sight across Discord, with lots of time-saving features. Sadly, spamming phish links is not supposed to be one of them.
If Carl-Bot was present in the channel prior to the compromise, its purpose has been changed and not for the better. Here’s some of the spam Carl-Bot was pushing out:
The spam message reads as follows:
We have partnered with YouTube to bring their community into the NFT space, and we’re releasing a mint pass with them that will allow holders to mint their project for free along with getting other insane utilities for being a holder of it.
The bot then mentions the limited supply of free items it is definitely, absolutely giving away to “fortunate” individuals:
You are able to get this mint pass below for 100% free. There will only be 100 of these however, once they are gone they won’t be coming back.
You can mint the YouTube Genesis Mint Pass here for free [url removed]
Fear of missing out (FOMO) is a huge driver in the NFT space, with the emphasis on scarcity of supply and rare, non-replicable items. In addition to that, YouTube has previously announced intentions to move into the NFT space. Seeing messaging like the above in the official OpenSea support Discord is bound to trick a lot of enthusiasts.
The scam site recedes into the distance
Here’s the site as it looked a few short hours ago:
The site right now is a blank page save for mention of a Twitter account, which has no content or likes posted to it. It could be the calling card of whoever did this, or it could be misdirection on the part of the site owner. Either way, Malwarebytes blocks the URL in question.
This is a developing story and information is thin on the ground. Having said that, there are still some things to keep in mind:
- You can often avoid scams like these with a little common sense. Even a trusted Discord channel can turn rogue if someone compromises the right account. But would a rare, NFT-themed giveaway only be referenced in this one channel and nowhere else? It seems unlikely.
- Use 2FA and a password manager. We don’t know what the phishing page was trying to obtain, but it will be something valuable, which probably means cryptocurrency or Discord logins. You can make it harder to steal your Discord login by using a password manager and two-factor authentication (2FA). While 2FA tokens can be phished, 2FA sets a higher bar for scammers to clear, and a password manager will not enter your password into a phishing site.
Protecting your cryptocurrency
Protecting your cryptocurrency is all about keeping your private cryptographic keys and recovery phrases private. If you control them, you decide what happens to your money and what transactions to make. If somebody else controls them, they get to decide. Sites or random Discord accounts asking for recovery phrases should be avoided, as you risk losing all your funds for good.
The safest way to keep your keys safe is to store them offline, in a “cold wallet” that isn’t connected to the Internet. Even if you do that, though, your coins aren’t safe if you willingly send them to somebody. Don’t send funds to Bitcoin addresses promising to double your payment, no matter which celebrity appears to be endorsing it.