Discord Hacking is the Newest Threat For NFT Buyers (theverge.com)
One compromised admin account led to two projects being scammed in a day. From a report: On Tuesday, December 21st, two NFT projects fell victim to the same attack. Like many projects in the crypto world, the NFT collection Monkey Kingdom and in-game asset marketplace Fractal both engaged heavily with their communities through Discord chat servers. Both projects were about to distribute rewards to their community members: Monkey Kingdom through an NFT presale on the day of the 21st and Fractal through a token airdrop -- essentially a free distribution to early supporters -- a few days later. Then, disaster struck. Posts appeared in the official "announcements" channel of each project claiming that a surprise mint would reward community members with a limited edition NFT. Hundreds jumped at the chance -- but for those who followed the links and connected their crypto wallets, a costly surprise was waiting. Rather than receiving an NFT, wallets were being drained of the Solana cryptocurrency, which both projects used for purchases.
In the space of an hour, a Twitter post, first from Monkey Kingdom and then from Fractal, informed followers that their Discord servers had been hacked; news of the NFT mints was bogus, the links a phishing fraud. In the case of Fractal, the scammers got away with about $150,000 worth of cryptocurrency. For Monkey Kingdom, the estimated total was reported to be $1.3 million. Neither attack targeted the blockchain or the tokens themselves. Instead, the thieves exploited weaknesses in the infrastructure used to sell the tokens -- specifically, the Discord chatrooms where NFT fans gather. It's a reminder of a persistent weakness in the growing NFT economy, where surprise drops have primed buyers to move fast or risk missing out. But the same techniques that hype up a sale can also open the door to hackers -- and in this case, a single compromise can end up spreading to more than one community at once. In this case, the NFT thieves had targeted a feature known as a webhook. Webhooks are used by many web applications (Discord included) to listen for a message sent to a particular URL and trigger an event in response, like posting content to a certain channel. By gaining access to webhooks belonging to the Fractal and Monkey Kingdom Discord servers, the hackers were able to send messages that were broadcast to all members of certain channels: a feature meant to be used only for official communications from the project teams. This was where the fake "announcement" had come from and why it had pointed to a scam address. In hindsight, the content should have raised some red flags -- but given the distribution method, it looked just legitimate enough that many were fooled.
Only winning move... (Score:3, Insightful)
...is not to play.
Enough already (Score:5, Insightful)
Can we get a crypto/nft category? This garbage seems to be every third post and I want to filter it.
Re: (Score:3)
Re: (Score:2)
Re: (Score:1)
Can we get a crypto/nft category? This garbage seems to be every third post and I want to filter it.
I need glasses. I read that as "a cryptogrift category".
Re: (Score:2)
I created a new wallet (Score:3)
connected their crypto wallets, a costly surprise was waiting. Rather than receiving an NFT, wallets were being drained of the Solana cryptocurrency
why is it implemented in browser (Score:3)
Re: (Score:2)
Re: (Score:2)
Whether you are a conman looking for a steady supply of fresh marks, or a true believer looking for expansion, you aren't going to get that by hoping that the supply of nerds willing to put up with user-unfriendly safety features is going to increase fast enough for your purposes: y
Fuck NFTs and Fuck Bitcoin (Score:5, Insightful)
It's the stupidest shit ever. It makes the gold standard look like good economics and tulip bulbs look wise.
Also it fucks with the environment. Thanks, cucks.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The gold standard WAS good economics in the time before technology began increasing the net wealth available to all, roughly at the start of the 19th century. After that there was a long series of periodic financial crises caused by insufficient money supply, leading to national currencies replacing their gold standards with central bank management of a fiat money supply.
Scams Either Way (Score:3)
FTFY (Score:3)
You mean the persistent weakness of people being retarded morons thinking they can get rich quick with something that is utterly useless.
OP doesn't explain how the scam worked. (Score:2)
Re: (Score:3, Informative)
Can somebody explain how opening your wallet to receive an NFT allows the "phishers" to drain the wallets?
It was an old fashioned confidence scam. The scammers convinced the marks that in order to receive their NFTs, the marks would need to "register" (provide both the public and private wallet keys) their crypto wallets on a server controlled by the scammers.
You'd think people would know better, but some people get stupid when they think they're getting something valuable for free. Which reminds me, I've got this brand new 2022 Tesla Model S in storage and I really need the space back for storing my tulip bu
Re: (Score:2)
The scammers convinced the marks that in order to receive their NFTs, the marks would need to "register" (provide both the public and private wallet keys)
Just...wow.
Yet more crypto snakeoil !!! (Score:2)