According to tweets from users and security firm PeckShield, OpenSea’s Discord server was compromised and used to promote a scam.
“We are presently researching a potential vulnerability in our Discord,” said OpenSea. “Please do not click on any links on the Discord.”
The access appears to have been exploited to advertise a phony NFT mint. According to screenshots shared by several users, a Discord server announcement stated that a mint pass was being issued in partnership with YouTube. It sent users to a page that carried the YouTube name but was not the actual YouTube website. PeckShield has flagged the URL as a phishing site.
The attacker appeared to have been able to stay on the server for a long time before OpenSea technicians regained control. The hacker succeeded in posting follow-ups to the first false announcement, repeating the phony link and stating that 70% of the supply had already been minted in an attempt to induce “fear of missing out” among victims.
The fraudster also tried to persuade OpenSea users by stating that anyone who claimed the NFTs would receive “crazy utilities” from YouTube. The messages stated that the offer was one-of-a-kind and that there would be no more rounds to take part in, a pressure tactic typical of con artists.
The hoax message was posted in the announcements channel. Users can no longer access this channel.
At least 13 OpenSea users compromised
As of this writing, on-chain data indicates that 13 wallets have been compromised, with the most valuable NFT stolen being a Founders’ Pass worth about 3.33 ETH ($8,982.58).
According to initial reports, the hacker exploited webhooks to gain access to server controls. A webhook is a server plugin that allows other applications to get real-time data from the server.
Hackers are increasingly using webhooks as an attack vector because webhooks let them send messages using official server accounts.
The OpenSea Discord server isn’t the only one that uses webhooks. In early April, the channels of many popular NFT collections, including Bored Ape Yacht Club, Doodles, and KaijuKings, were hacked, allowing the hacker to use official server accounts to publish phishing emails.
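Because the fake announcement appeared under an official server account, the link itself was the main thing a moderator or filter could check. The sketch below is an added example, not code from OpenSea, Discord or PeckShield: it flags links that carry a brand name on a domain the brand does not own, plus pressure wording like that in the announcement. The allowlist, the cue list and the `.example` sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist: brand name -> domains that brand actually owns.
BRAND_DOMAINS = {
    "youtube": {"youtube.com", "youtu.be"},
    "opensea": {"opensea.io"},
}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
# Constructed pressure cues modelled on the fake announcement's wording.
URGENCY_RE = re.compile(
    r"\d{1,3}\s?%|already (been )?minted|no more rounds|one[- ]of[- ]a[- ]kind", re.I)

def owned_by(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def impersonated_brands(url):
    """Brands named in the URL authority that do not own the real host."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return []
    host = (parts.hostname or "").lower().rstrip(".")
    # Search the whole authority so 'youtube.com@other.example' is also caught.
    authority = parts.netloc.lower().replace("-", "")
    return [b for b, domains in BRAND_DOMAINS.items()
            if b in authority and not owned_by(host, domains)]

def review_message(text):
    """Return lookalike links and pressure cues found in one announcement."""
    lookalikes = []
    for url in URL_RE.findall(text):
        brands = impersonated_brands(url)
        if brands:
            lookalikes.append((url, brands))
    return {
        "lookalike_links": lookalikes,
        "urgency": bool(URGENCY_RE.search(text)),
        "hold": bool(lookalikes),  # hold for human review before it is shown
    }

# Constructed sample messages (reserved .example domains, not real indicators).
FAKE = ("We partnered with YouTube! Claim your mint pass at "
        "https://youtube-nft.example/mint 70% of the supply already minted")
REAL = "Watch the recap: https://www.youtube.com/watch?v=abc123"

if __name__ == "__main__":
    for msg in (FAKE, REAL):
        print(review_message(msg))
```

A substring match on the brand name will also hold some harmless links for review; it is a triage signal for a human moderator, not a verdict.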