August 31, 2021
Part 1 of a Mini Security Series with TRM
The Aurory Project held its first NFT mint yesterday with over 55,000 customers waiting in line. According to the Aurory team, all 10,000 NFTs were minted in less than 3 seconds. What we learned yesterday, in real time, is that the FOMO for NFT mints is real. Buyers sometimes choose between minimal security standards and a locked-down wallet that might cost them the chance to purchase an NFT. Today, we saw first-hand a multitude of victims come forward on social media who had their SOL literally swept from their wallets. TRM is actively tracing the attackers' flows on SOL and ETH. We will provide leads to law enforcement and industry partners as they become available.
So what happened?
A Twitter user and developer working on a Solana project, @hoaktrades, posted a long thread almost immediately after the Aurory NFT mint was complete. Hoaktrades identified a phishing website that went live right before the true Aurory NFT mint. This was not an attack in which an NFT went live and users were wrongly directed by a scammer to send SOL to a specific address. This was something different entirely. When the NFT buyers clicked "connect" on the phishing website, a malicious link executed a sweep of all the funds in the buyers' wallets. This may also be the first known sweep attack targeting the Solana ecosystem.
In this type of attack, the malicious contract is designed specifically to drain all of the funds from a victim's wallet, unlike a more typical phishing attack in which the victim sends a fixed amount of funds to a scammer's address. Unwitting NFT buyers, excited to get in on a drop, were perfect targets for this sort of attack.
What can you do to protect your NFT investment?
- Create a new burner wallet holding only the estimated amount required for the NFT purchase plus fees.
- Refrain from keeping your investment portfolio in the same wallet you plan to purchase an NFT from.
- Turn off auto-approve in your wallet and consider enabling the auto-lock timer.
- After the NFT purchase, revoke access to all trusted apps.
- Consider utilizing a hardware key for enhanced security.
- Do not search Google or other websites for the NFT drop link.
- Only use verified accounts or domains provided directly from the NFT company.
- Do not click any links in Discord chats or download any files that claim affiliation with the NFT drop team.
- Never move the conversation to a separate Discord server or encrypted chat app at the request of someone claiming to be customer support or responding to social media threads.
- Never show your secret recovery phrase to anyone offering to provide assistance.
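Two items in the list above (a burner wallet funded only with the purchase amount plus fees, and connecting only to verified domains) can be turned into a check a wallet applies before it signs anything. The following is an added example and is not TRM's code or the code of any wallet or project named in this post. It assumes the wallet can simulate the proposed transaction and report the expected SOL balance change, and that the user has configured the verified host and the budget ahead of the mint; the hosts, balances and prices are constructed for the example. It goes slightly beyond the list by showing the URL checks a verified-domain rule needs to survive common lookalike tricks.

```python
"""Added example (not TRM's code): a wallet-side guard that refuses to sign unless
the requesting page is on the user's verified-host list AND the simulated SOL
outflow stays within the budget set aside for the mint.

Assumptions (constructed for this example): the wallet can simulate the
transaction and report pre/post balances; trusted hosts and budget are
configured by the user before the drop.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple
from urllib.parse import urlsplit

LAMPORTS_PER_SOL = 1_000_000_000  # 1 SOL = 10^9 lamports


def origin_host(url: str) -> Optional[str]:
    """Canonical hostname of an https URL, or None if it cannot be trusted.

    The hostname is lower-cased and a trailing dot is removed, so
    'https://MINT.EXAMPLE.COM./x' yields 'mint.example.com'. urlsplit() drops
    userinfo, so 'https://mint.example.com@evil-drop.example/' yields
    'evil-drop.example', the host that would actually be contacted.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def is_trusted_origin(url: str, trusted_hosts: FrozenSet[str]) -> bool:
    """Exact hostname match only: no suffix matching, so a lookalike such as
    'mint.example.com.evil-drop.example' does not pass, and an IDN homoglyph
    (which arrives as an 'xn--' label) never equals an ASCII allowlist entry."""
    host = origin_host(url)
    return host is not None and host in trusted_hosts


@dataclass(frozen=True)
class SignRequest:
    origin_url: str     # page that asked the wallet to sign
    pre_lamports: int   # simulated balance before the transaction
    post_lamports: int  # simulated balance after the transaction


@dataclass(frozen=True)
class MintPolicy:
    trusted_hosts: FrozenSet[str]
    budget_lamports: int  # estimated mint price plus fees, nothing more


def evaluate(request: SignRequest, policy: MintPolicy) -> Tuple[bool, str]:
    """Decide whether the wallet may sign. Returns (approve, reason)."""
    if not is_trusted_origin(request.origin_url, policy.trusted_hosts):
        return False, f"origin not on verified list: {request.origin_url}"
    outflow = request.pre_lamports - request.post_lamports
    if outflow > policy.budget_lamports:
        return False, (f"outflow {outflow / LAMPORTS_PER_SOL:.3f} SOL exceeds "
                       f"budget {policy.budget_lamports / LAMPORTS_PER_SOL:.3f} SOL")
    return True, f"outflow {outflow / LAMPORTS_PER_SOL:.3f} SOL within budget"


# Constructed scenario: 1.00 SOL mint price plus 0.01 SOL set aside for fees,
# in a burner wallet that holds 5 SOL.
POLICY = MintPolicy(trusted_hosts=frozenset({"mint.example.com"}),
                    budget_lamports=1_010_000_000)
BALANCE = 5 * LAMPORTS_PER_SOL
MINT_COST = 1_005_000_000

SAMPLE_REQUESTS = {
    # genuine mint page, price plus fee within budget
    "legit": SignRequest("https://mint.example.com/drop", BALANCE, BALANCE - MINT_COST),
    # lookalike domain whose transaction sweeps the whole balance
    "lookalike": SignRequest("https://mint.example.com.evil-drop.example/connect", BALANCE, 0),
    # trusted host, but the simulated transaction drains the wallet anyway
    "sweep": SignRequest("https://mint.example.com/drop", BALANCE, 0),
    # userinfo trick: the host actually contacted is the one after the '@'
    "userinfo": SignRequest("https://mint.example.com@evil-drop.example/", BALANCE, BALANCE - MINT_COST),
}


def run_samples() -> Dict[str, bool]:
    """Evaluate every constructed request and return name -> approved."""
    return {name: evaluate(req, POLICY)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        approved, reason = evaluate(req, POLICY)
        print(f"{name:9s} {'APPROVE' if approved else 'REJECT '} {reason}")
```

The budget check is what makes the burner-wallet advice work even when the domain check is fooled: a transaction that would leave the wallet empty is rejected regardless of which page asked for it, and keeping the budget close to the mint price bounds the loss if anything slips through.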
This is the first edition of a two-part Mini Security Series from TRM on Best Practices to Secure Your Crypto. The next edition will include best practices from TRM's Blockchain Intelligence Team, composed of investigators sourced from leading cryptocurrency exchanges and federal and international law enforcement.
With TRM's multi-asset coverage across Solana and Ethereum, our clients can trace the flow of attacker funds in one central location as swaps are executed. TRM has notified our clients of the attack and how it may impact their networks. For further information on how these updates may affect your platform as a TRM partner, or for more information about TRM, please contact us directly via firstname.lastname@example.org.