Latest OpenSea Attack Sees Hacker Infiltrate Discord

THELOGICALINDIAN - Another Discord server has fallen victim to a webhooks exploit

The OpenSea Discord server was hacked early Friday morning. A series of posts from a compromised OpenSea Discord server bot directed users to mint a “YouTube Genesis Mint Pass” from a phishing link.

OpenSea Discord Server Hacked

The Discord of the biggest NFT exchange has been hacked.

A tweet from the official OpenSea Support Twitter confirmed that there was a vulnerability in the marketplace’s Discord server Friday morning.

The hacker’s initial post, which appeared in the announcements channel at 4:04 am UTC, claimed that OpenSea had “partnered with YouTube to bring their community into the NFT space.” The post went on to say that the partnership would include the release of 100 “YouTube Genesis Mint Passes” that would allow holders to mint collaborative projects for free. The post concluded with a link to a fake minting website designed to trick users into signing a transaction that would give the hacker the ability to transfer NFTs out of their wallet.

It appears that the hacker was able to maintain their presence on the server for some time before OpenSea staff were able to regain control. The hacker succeeded in posting follow-ups to the initial fake announcement, reposting the fake link and stating that 70% of the supply had already been minted in an attempt to induce “fear of missing out” in users.

On-chain data from Etherscan shows that the losses from the hack are currently small. In total, only six wallets appear to have been affected so far, with the most valuable NFT stolen being a ConiunPass with a market value of about 0.84 ETH or $2,300.

Early reports suggest that the hacker exploited the OpenSea Discord server’s webhooks to gain access to server controls. A webhook is a server plugin that provides other applications with real-time data. While webhooks serve a useful function, they have increasingly been used as an attack vector by hackers as they allow messages to be sent to users from official server accounts.

The OpenSea Discord server is not the only one to recently fall victim to a webhooks attack. At the start of April, the Discords of several prominent NFT collections, including Bored Ape Yacht Club, Doodles, and KaijuKings, were compromised using a similar exploit, allowing a hacker to post phishing links using official server accounts.
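For moderators, the webhook abuse described above can be screened for on the message side. The following is an added example, not code from the article or from OpenSea: it checks Discord message objects for the `webhook_id` field (set on webhook-authored messages) combined with links outside an allowlist. The allowlist, the pressure-phrase pattern and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this server legitimately links to (constructed value).
ALLOWED_HOSTS = {"opensea.io"}
URL_RE = re.compile(r"https?://[^\s<>()\"']+", re.IGNORECASE)
# Pressure phrasing of the kind the article describes (free mint, "70% minted").
URGENCY_RE = re.compile(r"free\s+mint|mint\s+pass|\d{1,3}\s*%[^.\n]{0,40}minted", re.I)


def unapproved_hosts(text):
    """Hosts linked in text that are neither an allowed host nor its subdomain."""
    hosts = []
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").rstrip(".")
        ok = any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)
        if not ok and host not in hosts:
            hosts.append(host)
    return hosts


def review_message(msg):
    """Return (verdict, hosts); verdict is 'hold', 'review' or 'pass'.

    Only webhook-authored messages are screened here, because those are the
    ones that appear under an official server identity.
    """
    via_webhook = msg.get("webhook_id") is not None
    hosts = unapproved_hosts(msg.get("content", ""))
    if not (via_webhook and hosts):
        return "pass", hosts
    verdict = "hold" if URGENCY_RE.search(msg["content"]) else "review"
    return verdict, hosts


# Constructed sample messages; every URL uses a reserved .invalid name.
SAMPLE = [
    {"id": "1", "webhook_id": "900", "content": "We partnered with YouTube! "
     "Free mint, 70% already minted: https://youtube-genesis.example.invalid/mint"},
    {"id": "2", "webhook_id": "900", "content": "Help: https://support.opensea.io/faq"},
    {"id": "3", "content": "is this real? https://youtube-genesis.example.invalid/mint"},
    {"id": "4", "webhook_id": "901", "content": "Docs: https://opensea.io.docs.invalid/a"},
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m["id"], *review_message(m))
```

Message 4 shows why the host comparison is by suffix on a dot boundary: a lookalike that merely starts with an allowed name is still flagged.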

This story is breaking and will be updated as more information is available.

Special thanks to HttpPwnHub for identifying the hacker’s wallet.

Disclosure: At the time of writing this piece, the author owned ETH and several other cryptocurrencies.