The hacker’s first post on the announcement channel claimed that OpenSea “has partnered with YouTube to bring its community to NFT Space.”
OpenSea’s non-fungible token (NFT) market experienced a server crash on its main Discord channel when hackers posted fake “YouTube partnership” ads.
A screenshot posted on Friday shows fake news of a collaboration accompanied by a link to a phishing site. The official OpenSea support Twitter account reported that the marketplace’s Discord server was hacked Friday morning and warned users not to click on links in the channel.
The hacker’s first post on the announcement channel claimed that OpenSea “has partnered with YouTube to bring its community to NFT Space.” project for free.
It looks like the attacker was able to stay on the server for a significant amount of time before OpenSea staff were able to regain control. In an attempt to instill “fear of missing out” in victims, the hacker posted follow-ups to the original scam ad, repeating the false link and claiming that 70% of the offer had already been minted.
The scammer also tried to lure OpenSea users by claiming that YouTube would provide “crazy utilities” to those claiming NFTs. They claimed that the offer was unique and that there would be no further rounds to participate in, which is typical of scammers.
On-chain data shows 13 wallets that appear to have been compromised at the time of writing, with the most valuable stolen NFT being the Founders’ Pass, worth around 3.33 ETH or $8,982.58.
According to initial reports, the attacker used webhooks to access server controls. A webhook is a server-side plugin that allows other software to receive real-time information. Webhooks are increasingly being used as an attack vector by hackers due to their ability to send messages from official server accounts.
OpenSea’s Discord isn’t the only server to have been exploited through webhooks. Several well-known NFT collection channels, including Bored Ape Yacht Club, Doodles and KaijuKings, were compromised in early April by a similar vulnerability that allowed a hacker to use official server accounts to post phishing links.
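
As an added illustration (not from the article or from OpenSea), a moderation bot could flag webhook-authored posts in an announcement channel whose links fall outside an allowlist. It relies on the `webhook_id` field that Discord sets on messages sent by a webhook; the allowlist, channel IDs and sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this sketch: the allowlist and channel IDs are hypothetical.
ALLOWED_HOSTS = {"opensea.io", "support.opensea.io"}
ANNOUNCEMENT_CHANNELS = {"1001"}  # constructed channel ID

URL_RE = re.compile(r"https?://[^\s<>()]+", re.IGNORECASE)


def link_hosts(content):
    """Return the lower-cased hostnames of every http(s) URL in a message."""
    hosts = []
    for url in URL_RE.findall(content):
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def is_allowed(host):
    """Exact match or true subdomain of an allowlisted host (no substring matching)."""
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def flag_messages(messages):
    """Return (message id, offending hosts) for webhook posts with unlisted links."""
    flagged = []
    for msg in messages:
        if msg.get("channel_id") not in ANNOUNCEMENT_CHANNELS:
            continue
        if not msg.get("webhook_id"):  # present only on webhook-authored messages
            continue
        bad = [h for h in link_hosts(msg.get("content", "")) if not is_allowed(h)]
        if bad:
            flagged.append((msg["id"], bad))
    return flagged


# Constructed sample messages shaped like Discord message objects.
SAMPLE = [
    {"id": "1", "channel_id": "1001", "webhook_id": "555",
     "content": "We partnered with YouTube! Mint: https://opensea.io.mint-pass.example/claim"},
    {"id": "2", "channel_id": "1001", "webhook_id": "555",
     "content": "Status update: https://support.opensea.io/incident"},
    {"id": "3", "channel_id": "1001", "content": "Staff post https://unlisted.example/"},
    {"id": "4", "channel_id": "2002", "webhook_id": "777", "content": "https://unlisted.example/"},
]
```

Only message 1 is flagged: its host merely begins with an allowlisted name, which is why the check compares whole hostnames and subdomain suffixes instead of searching for a substring.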