The recently launched NFT project Rare Bears came under attack after a hacker posted a phishing link on the project’s Discord channel, stealing nearly $800,000 worth of NFTs.
Analysis by blockchain security firm Peckshield detailed that the attacker was able to steal 179 NFTs, including Rare Bears and other NFTs from various collections, including CloneX, Azuki, an “mfer” by artist sartoshi, and 6 LAND tokens used for The Sandbox metaverse.
According to on-chain analysis, most of the NFTs were sold, netting the hacker 286 ETH, worth over $795,500, most of which was quickly sent through Tornado Cash, a cryptocurrency mixer used to obfuscate the origin of funds.
There have been a number of similar phishing scams on Discord in recent months, suggesting that some teams need to consider the security of admin accounts more carefully. Earlier today, the Rare Bears team posted that they have hired security consultant and auditor “Pandez” to perform a full security audit of their Discord channel.
How the attack happened
According to an update posted by the Rare Bears team, the hacker accessed the account of a Rare Bears Discord moderator known as “Zhodan” and posted an announcement in the group’s channel saying that a new NFT mint was in the works.
Of course, it was a fake: it was a phishing link designed to steal funds from users’ wallets.
Warning @BearsRare
Discord has unfortunately been compromised. Please DO NOT click any links, connect your wallet and block all incoming DMs in our discord. Our team are working on the situation as we speak — Rare Bears (@BearsRare) March 17, 2022
The security audit update discovered that the project manager’s Discord account was compromised. Using the compromised account, the attacker banned other members or removed their roles from the server, so they could no longer delete the posted phishing link.
Next, the attacker invited a bot that blocked all channels on the server, eliminating the possibility of others publicly communicating that the posts and links were fake.
Rare Bears said the team was able to regain control of the server, deleting the compromised account and transferring ownership to a new one, and that the server is safe from another attack.
Speaking to Cointelegraph, security consultant Pandez said users should be on the lookout for some key signs that could mean a message is a scam.
“Hardly any serious project will ever do a sneak mint,” Pandez said, “don’t ever click on any link that comes up like that.”
Pandez said other warning signs are channels being blocked during a “drop” of a new NFT collection, a link that differs from those shared on Twitter or other official project sources, and a link that is posted repeatedly in the channel.
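The warning signs Pandez lists can be checked mechanically over a window of chat messages and moderation events. The sketch below is an added example, not code from the article or the Rare Bears team; the official-host list, thresholds, event field names and sample messages are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Assumption: hosts the project itself has published (hypothetical values).
OFFICIAL_HOSTS = {"rarebears.example", "twitter.com"}
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
REPEAT_THRESHOLD = 3  # same unofficial link posted this often in one window
LOCK_THRESHOLD = 3    # channels locked in the same window

def is_official(url):
    """True only for an official host or a true subdomain of one."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def score_window(messages, audit_events):
    """Check one time window of chat messages and moderation events.
    messages: [{"author": str, "content": str}]
    audit_events: [{"actor": str, "action": str}]; the action names are
    constructed for this example, not Discord's audit-log identifiers.
    """
    links = Counter()
    for msg in messages:
        for url in URL_RE.findall(msg["content"]):
            links[url.rstrip(".,!?)")] += 1
    unofficial = sorted(u for u in links if not is_official(u))
    repeated = [u for u in unofficial if links[u] >= REPEAT_THRESHOLD]
    locks = sum(1 for e in audit_events if e["action"] == "channel_locked")
    locked = locks >= LOCK_THRESHOLD
    return {
        "unofficial_links": unofficial,
        "repeated_links": repeated,
        "channels_locked": locked,
        # Alert on a spammed unofficial link, or any unofficial link
        # that appears while channels are being locked.
        "alert": bool(repeated) or (bool(unofficial) and locked),
    }

# Constructed sample window (not data from the incident).
SAMPLE_MESSAGES = [
    {"author": "mod-account", "content": "Surprise mint! https://rarebears-mint.example/claim"},
    {"author": "mod-account", "content": "Mint now: https://rarebears-mint.example/claim"},
    {"author": "mod-account", "content": "Last chance https://rarebears-mint.example/claim."},
    {"author": "team", "content": "Updates only at https://twitter.com/BearsRare"},
]
SAMPLE_AUDIT = [{"actor": "mod-account", "action": "channel_locked"}] * 3

if __name__ == "__main__":
    print(score_window(SAMPLE_MESSAGES, SAMPLE_AUDIT))
```

The host comparison uses the parsed hostname rather than a substring match, so look-alike hosts that merely contain an official name are still treated as unofficial.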
Attacks of a similar nature have occurred on Discord in the past. In December, Solana’s NFT project Monkey Kingdom announced that hackers made off with $1.3 million in cryptocurrency funds from the community following a security breach. The attackers also posted a phishing link that emptied users’ wallets.
Last November, members of popular NFT artist Beeple’s Discord channel were also scammed as the attackers accessed a moderator’s account to post a phishing link, similarly draining users’ funds.