Key Takeaways
OpenSea confirmed a vulnerability in its Discord Server Friday morning.
A hacker directed users to mint fake “YouTube Genesis Mint Passes” from a phishing link.
On-chain data shows that losses from the hack are currently small, with only six users losing NFTs so far.
Share this article
The OpenSea Discord server was hacked early Friday morning. A series of posts from a compromised OpenSea Discord server bot directed users to mint a “YouTube Genesis Mint Pass” from a phishing link.
OpenSea Discord Server Hacked
The Discord of the largest NFT marketplace has been hacked.
A tweet from the official OpenSea Support Twitter confirmed that a there was a vulnerability in the marketplace’s Discord server Friday morning.
The hacker’s first post, which appeared in the announcements channel at 4:04 am UTC, stated that OpenSea had “partnered with YouTube to bring their community into the NFT space.” The post went on to say that the partnership would include the release of 100 “YouTube Genesis Mint Passes” that would allow holders to mint collaborative projects for free. The post ended with a link to a fake minting website designed to trick users into signing a transaction that would give the hacker the ability to transfer NFTs out of their wallet.
It appears that the hacker was able to maintain their presence on the server for some time before OpenSea employees were able to regain control. The hacker succeeded in posting follow-ups to the initial fake announcement, reposting the fake link and stating that 70% of the supply had already been minted in an attempt to induce “fear of missing out” in unsuspecting users.
On-chain data from Etherscan shows that the losses from the hack are currently small. In total, only six wallets appear to have been affected so far, with the most valuable NFT stolen being a ConiunPass with a market value of around 0.84 ETH or $2,300.
Early reports suggest that the hacker exploited the OpenSea Discord server’s webhooks to gain access to server controls. A webhook is a server plugin that provides other applications with real-time data. While webhooks serve a useful function, they have increasingly been used as an attack vector by hackers as they allow messages to be sent to users from official server accounts.
The OpenSea Discord server is not the only one to recently fall victim to a webhooks attack. At the start of April, the Discords of several prominent NFT collections, including Bored Ape Yacht Club, Doodles, and KaijuKings, were compromised using a similar exploit, allowing a hacker to post phishing links using official server accounts.
This story is breaking and will be updated as more information is available.
Special thanks to HttpPwnHub for identifying the hacker’s wallet.
Disclosure: At the time of writing this piece, the author owned ETH and several other cryptocurrencies.
Share this article
The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.
You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.
See full terms and conditions.