When blockchain assets are talked about, it is typical to say they are super-secure. After all, a blockchain is nothing more than an encrypted and distributed database, but formed in a time-stamped chain. Meaning, that to tamper with the record, one would have to form a new chain, a hard fork branching off the old one.
However, blockchain’s immutable nature is not shared by the wider internet. To know that certain cryptocurrencies and NFTs even exist, one has to take advantage of social media channels. Unfortunately, they don’t share blockchain’s security, which leaves them wide open to hackers. Alongside Twitter, Discord has been notorious for facilitating crypto scams in a variety of ways.
Discord — A Major NFT Vulnerability
It is safe to say Discord is a major upgrade from the classic internet forums. Users can create either private or public servers to form communities for a wide range of interactions: chat, VoIP, video conferencing, and instant messaging. Each type of interaction can be customized to create a unique feel of the forum.
In essence, Discord is a one-stop-shop for online engagement, if one needs a greater degree of control. However, one could go back to this January to see what this could mean. At the beginning of the year, it became apparent how easy it is to abuse Discord.
CityDAO is a unique project attempting to tokenize real-world assets. In their case, it is real estate in Wyoming. Each land parcel is documented as an NFT, which could then be used as legal ownership down the line. On their discord channel, a scammer issued such an NFT drop worth Ξ29.67 (~$95k). Why would others think it was a legitimate NFT drop?
Because the hacker compromised the moderator account, so they could pose as a legit drop.
A nearly identical incident happened one month prior, in December 2021. NFT platform Fractal.is, operated by Justin Kan, got hacked via an announcement bot instead of a moderator. The bot then sent a link to 100,000 discord channel members, announcing a new NFT drop with the promise of accessing 3,333 commemorative NFTs for the platform.
In that scenario, the trick was simple. The link actually switched “i” for “l”, so the fake URL was fractal.ls. Diverting to a fraudulent website posing as the real one is the staple of phishing.
In the end, the Fractal scammer got away with $150k worth of cryptocurrencies. Whether a bot or a moderator, in both instances, discord members were fooled into thinking that something real and legitimate was happening. Those who fell for it got swindled.
Bored Ape Bot Hacking
It is apparently much easier to hack discord bots. Case in point, Bored Ape Yacht Club (BAYC) had to make an official Twitter announcement to warn that advertised NFTs are fake. The recipe is standard:
- hack a bot
- promise a moon
- lead to a fake website where the pilfering of private info takes place
One of such hacked bots announced the following:
“Oh no, our dogs are mutating. MAKC can be staked for our $APE token. Holders of MAYC + BAYC will be able to claim exclusive rewards just by simply minting and holding our mutant dogs.”
This is a reference to the recent ApeCoin launch into the wallets of existing Mutant Kennel and Mutant Ape NFT holders. Unfortunately, the users who clicked on the link the bot provided were led to a fake NFT minting in exchange for ETH currency.
Interestingly, this took place on “April Fools’ Day” (April 1st), so it was an additional layer of tomfoolery. Many people must have thought that BAYC was doing an unannounced inverse Fools Day with stealth minting.
Doodles Compromised and Reimbursed
Just as with BAYC, a hacker took over its Discord channel’s bot. Doodles’ official Twitter account put a notice on February 27 to channel members, so they can dismiss all bot announcements.
Predictably, the compromised Discord bot started sending a “surprise mint” event, which naturally leads to a fake minting website, so the hacker can pilfer users’ crypto funds.
Thankfully, Doodles team promised to reimburse the losses from the rogue bot on a legitimate official Discord channel.
Kaiju Kingz Discord Members Lost at Least $70K
Even before the aforementioned attacks, on October 31, 2021, scammers employed an identical strategy. The Official Discord bot for the Kaiju Kingz team released a fake hot sales event of 1000 Kaiju NFTs, directing members to a phishing site.
Kaiju Kingz official Twitter account acknowledged the hack. Interestingly, after stating that more info will come soon, they haven’t made any announcements about it since.
It appears that both a team member’s account and his bot became the scammer’s puppets, who got away with $70k in minting fees, according to @NFTherder. Presently, Kaiju Kingz is ranked 49th, at $91.1 million in sales, with an average floor price of Ξ0.97 ($3k).
Even Without Bots, Discord Channel Can Be Compromised
So far, we have seen a consistent pattern of either hacked accounts, bots, or both. However, in the case of Nyoki Club, it appears that even more convoluted methods can serve as a hacking vehicle. For those who are not familiar with how Discord works, whenever a user logs in, Discord generates an access token.
This token is composed of a unique string of letters and numbers. In essence, a type of password is relayed from the client to the server for verification. Somehow, this access token generation was recorded when the Nyoki founder was on another server.
Some pilfering did take place in the aftermath, but Nyoki Club made sure to refund the victims.
Is Discord Even Worthwhile Using?
Clearly, there are too many holes in Discord’s security infrastructure to count them all. With each new attack, the platform gets another reputational blow, which then negatively affects the NFT community at large.
Obviously, scamming is a full day’s job for some people, their bread and butter, so it is reasonable to expect that Discord developers up their coding game as well. The question is, what can one do for protection in the meantime?
Thankfully, with more exposure, people are noticing a pattern emerging. First of all, if it seems too good to be true, double-check. And if double-checking leads to no official announcements on other social media channels (Facebook, Twitter, Instagram), the verdict is — a scam!
In the end, it is exceedingly unlikely that all social media platforms are hacked simultaneously. Therefore, for your favorite NFT projects, bookmark all of their socials for verification of every single NFT drop and link.
Check out other research!
Get to know more about NFT and tutorials at OmniMint tutorials. For more information on OmniMint, and details on how to join our community, please follow our Twitter, join our Discord, or subscribe to our Telegram channel for more updates and please feel free to submit your article.