The recently launched nonfungible token (NFT) project “Rare Bears” was hit with an attack after a hacker posted a phishing link in the project’s Discord channel, stealing nearly $800,000 in NFTs.
Analysis from blockchain security firm PeckShield detailed that the attacker was able to steal 179 NFTs, including “Rare Bears” and NFTs from various other collections such as “CloneX,” “Azuki,” a “mfer” from artist sartoshi, and six LAND tokens used for The Sandbox metaverse.
According to on-chain analysis, most of the NFTs were sold, netting the hacker 286 Ether (ETH), worth over $795,500, most of which was promptly put through Tornado Cash, a crypto mixer used to obfuscate the source of funds.
A slate of similar phishing scams has occurred in recent months on Discord, suggesting some teams need to more carefully consider the security of admin accounts. The “Rare Bears” team announced that they had appointed Pandez, a security consultant and auditor, for a complete security audit of Discord.
How the attack happened
According to an update posted by the “Rare Bears” team, the hacker gained access to the account of a Rare Bears Discord moderator known as Zhodan, posting an announcement within the group’s channel that a new mint of NFTs was taking place.
It wasn’t real; it was a phishing link designed to steal funds from users’ wallets.
Discord has unfortunately been compromised. Do not click on any links. Please connect your wallet to our discord and stop all incoming DMs. Our team are working on the situation as we speak
— Rare Bears (@BearsRare) March 17, 2022
An update from the security audit revealed that the Discord account of the head of the project was compromised. The attacker used the compromised account to ban other members and remove their roles from the server. This removed their ability to delete the phishing link.
The attacker then created a bot to lock all channels on the server. This removed the possibility for others to communicate publicly that the links and posts were fake.
“Rare Bears” stated that they were able to take back control of the server and remove the compromised account. They also transferred ownership to a new server.
Speaking to Cointelegraph, security consultant Pandez said that users should look out for a few key signs that could mean a message is a scam.
“Almost no serious project will ever do a stealth mint,” Pandez said. “Never click any links which appear like this.”
Pandez said other red flags are if channels are locked during a “drop” of a new NFT collection, if the link differs from those shared on Twitter or other official sources for the project, and if the link is continuously posted in the channel.
Similar attacks have occurred on Discord in the past. In December, Solana NFT project “Monkey Kingdom” announced that hackers made off with $1.3 million of the community’s crypto funds after a security breach. The hackers in that case also used a phishing link to access users’ wallets.
Last November, members of the Discord of popular NFT artist Beeple were also scammed, with attackers gaining access to a moderator’s account to post a phishing link, similarly draining user funds.