Nonfungible token (NFT) marketplace OpenSea suffered a server breach on its main Discord channel, with hackers posting fake "Youtube partnership" announcements.
A screenshot shared Friday shows fake collaboration news, accompanied by a link to a phishing site. OpenSea Support's official Twitter account tweeted that the marketplace's Discord server was breached Friday morning and warned users not to click links in the channel.
The hacker's initial post, published in the announcements channel, claimed that OpenSea had “partnered with YouTube to bring their community into the NFT Space." It also said that they would c-release a mint pass with OpenSea that would allow holders to mint their project for free.
It appears that the intruder was able to stay on the server for a considerable length of time before OpenSea staff was able to regain control. In an attempt to instill "fear of missing out" in the victims, the hacker reposted follow-ups to the initial fraudulent announcement, rehashing the phony link, and claiming that 70% of the supply had already been minted.
The scammer also attempted to entice OpenSea users by stating that YouTube would provide "insane utilities" to those who claimed the NFTs. They are claiming that this offer is unique and that there would be no further rounds to participate, which is typical of fraudsters.
On-chain data shows 13 wallets that seem to have been compromised as of writing, with the most valuable stolen NFT being a Founders' Pass worth around 3.33 ETH or $8,982.58.
Initial reports suggest that the intruder used webhooks to access server controls. A webhook is a server plugin that allows other software to receive real-time information. Webhooks have been used increasingly as an attack vector by hackers because they provide the ability to send messages from official server accounts.
Related: Ape-themed airdrop phishing scams are on the rise, experts warn
The OpenSea Discord is not the only server to be exploited via webhooks. Several prominent NFT collections' channels, including Bored Ape Yacht Club, Doodles and KaijuKings, were compromised in early April with a similar vulnerability that allowed the hacker to use official server accounts to post phishing links.