The recent spate of hacking of NFT projects through the social media platform Discord indicates that many of them are either connected or are part of a larger string of attacks, according to an analysis by blockchain intelligence firm, TRM Labs.
The firm’s review of more than 15 notable Discord hacks targeting NFT servers and a detailed analysis of on-chain and off-chain data suggested many of the Discord compromises targeting NFT projects showed similar patterns of behavior, with hackers using an array of tactics to scam Discord users.
Such attacks have increased significantly over the past few months, and the NFT community has lost as much as US $22 million since May. In June, phishing attacks linked to NFT minting scams deployed through compromised Discord accounts increased by 55% compared with the previous month, according to TRM Labs.
Over 100 reports of Discord channel hacks have been filed in the past two months, according to Chainabuse, a community-led scam reporting platform operated by TRM Labs. At least ten account compromises targeting NFT Discord channels occurred on June 4th, and some projects, such as Bored Ape Yacht Club (BAYC), were hacked twice.
The hackers used sophisticated social engineering techniques such as phishing and fraudulent accounts posing as an administrator. They also exploited vulnerabilities in bots such as Mee6, which allows admins to automatically assign and remove roles and send messages to the community.
In some cases, the attackers even updated administrator settings to ban Discord moderators from interfering with the operations of the hackers. The latter’s messages to users have routinely attempted to tap into the sense of urgency typically associated with NFT minting events, prompting users to act quickly in order to avoid missing out on a free giveaway or limited inventory.
While the recent hacks examined by TRM Labs appear to be related, the rate at which these hacks are occurring and spreading across multiple blockchains also suggested that there could be separate but coordinated efforts by different ‘threat actors’ running these scams at scale.
The targeting of multiple blockchains – Ethereum-based projects as well as ones on Solana in recent weeks – indicated that many of these Discord account compromises were likely run by a single group of hackers or as a Scam-as-a-Service offering, in which a ‘threat actor’ provides the tools and services to others and facilitates the running of a scam.
As with traditional scams, once a community of ‘threat actors’ or operators understands the basic mechanism, from deception through to execution, that community of illicit actors can scale up the activity by reusing the same services or practices. According to TRM Labs, this is likely happening with a variety of ‘threat actors’ specifically targeting Discord servers and NFT projects.
Some of the linked hacks involved well-known NFT project Discord accounts such as BAYC, Bubbleworld, Parallel, Lacoste, Tasties, Anata and a dozen others. The hackers purposefully targeted users who were already holders of valuable NFTs. They advertised with alluring lines such as a “BAYC, MAYC, and Otherside EXCLUSIVE Giveaway” and posted promotional material to the account’s Discord community. Those messages also carried a fraudulent link that prompted users to send a minting fee in ETH.
Vulnerable users clicked on the fraudulent link and then attempted to connect their crypto wallets in order to send the minting fee in ETH. In reality, the ETH went straight to the fraudster’s wallet address, and the transaction compromised the victims’ crypto wallets, which then allowed fraudulent transfers of NFTs to the attackers’ wallet.
The victims, while accepting the prompt to connect their wallets, are usually unaware that they are actually signing a ‘setApprovalForAll’ or similar call, thereby enabling the attackers to use the approval mechanism of ERC-721 tokens, the standard behind NFTs. Once the victims’ wallets were compromised, the NFTs from each compromised wallet were moved into a single wallet tied to the phishing link.
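The approval mechanism described above is visible in the raw calldata of the transaction the victim is asked to sign, so a wallet or browser extension can warn before signing. The following is an added example, not code from TRM Labs or any wallet vendor: it decodes the ERC-721 `setApprovalForAll(address,bool)` and `approve(address,uint256)` calls by their standard four-byte selectors and flags a blanket approval to an operator the user has not authorised. The trusted-operator address and the sample transaction are constructed placeholder values.

```python
# Added example: wallet-side pre-signing check for ERC-721 approval calldata.
from dataclasses import dataclass
from typing import List

# Standard ERC-721 four-byte selectors (first 4 bytes of keccak256 of the signature).
SET_APPROVAL_FOR_ALL = "a22cb465"   # setApprovalForAll(address,bool)
APPROVE = "095ea7b3"                # approve(address,uint256)

# Operators the user has knowingly authorised (constructed placeholder address).
TRUSTED_OPERATORS = {"0x" + "11" * 20}


@dataclass
class Finding:
    severity: str
    reason: str


def decode_word(hexdata: str, index: int) -> str:
    """Return the 32-byte ABI word at argument position `index` (after the selector)."""
    start = 8 + index * 64
    word = hexdata[start:start + 64]
    if len(word) != 64:
        raise ValueError(f"calldata too short for argument {index}")
    return word


def inspect_calldata(data: str, value_wei: int) -> List[Finding]:
    """Inspect the transaction a dApp asks the wallet to sign and return warnings."""
    hexdata = (data[2:] if data.startswith("0x") else data).lower()
    findings: List[Finding] = []
    if len(hexdata) < 8:
        return findings                       # plain ETH transfer, nothing to decode
    selector = hexdata[:8]
    if selector == SET_APPROVAL_FOR_ALL:
        operator = "0x" + decode_word(hexdata, 0)[24:]   # address is right-aligned in the word
        approved = int(decode_word(hexdata, 1), 16) != 0
        if approved and operator not in TRUSTED_OPERATORS:
            findings.append(Finding("critical",
                f"grants transfer rights over ALL your tokens to untrusted operator {operator}"))
        if value_wei > 0:
            # A genuine approval costs only gas; attaching ETH (the "minting fee") is a scam signal.
            findings.append(Finding("high", "approval call also sends ETH to the contract"))
    elif selector == APPROVE:
        spender = "0x" + decode_word(hexdata, 0)[24:]
        token_id = int(decode_word(hexdata, 1), 16)
        if spender not in TRUSTED_OPERATORS:
            findings.append(Finding("medium",
                f"grants transfer rights over token {token_id} to untrusted address {spender}"))
    return findings
```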