July 25, 2022
Discord, the social media platform widely used by popular non-fungible token (NFT) projects, has been targeted by hackers over the last three months with increasing frequency. In June 2022, phishing attacks linked to NFT minting scams deployed through compromised Discord accounts increased by 55% compared with the previous month.
- Over 100 reports of Discord channel hacks have been filed in the past two months on Chainabuse, a community-led scam reporting platform operated by TRM Labs.
- The NFT community has lost an estimated $22 million since May 2022, according to analysis by TRM Labs.
At least ten account compromises targeting NFT Discord channels occurred on June 4th. Some projects, such as BAYC, were also hacked twice.
Discord hackers leveraging similar methodologies
Analysis of on-chain and off-chain data suggests many of the Discord compromises targeting NFT projects show similar patterns of behavior, with hackers using an array of tactics to scam Discord users, including:
- Using sophisticated social engineering, such as phishing and fraudulent accounts pretending to be an administrator.
- Exploiting vulnerabilities in server bots such as Mee6, which lets admins automatically grant and remove roles and send messages to the community.
- In some instances, the attackers even updated administrator settings to ban Discord moderators from interfering with the hackers’ operations.
Hackers’ messages to users have routinely attempted to tap into the sense of urgency typically associated with NFT minting events, prompting users to act quickly in order to avoid missing out on a free giveaway or limited inventory.
The example below shows two messages scammers used to pressure Discord channel members into clicking links urgently; both links were ultimately reported as malicious.
On-chain data suggests some Discord hacks are linked
A review of more than 15 notable Discord compromises targeting NFT servers and analysis of on-chain and off-chain data by TRM investigators suggest that dozens of these recent account compromises are likely related. Some of the linked compromises include well-known NFT Discord project accounts such as BAYC, Bubbleworld, Parallel, Lacoste, Tasties, Anata, and a dozen others.
One of the NFT project exploits that may be linked to other hacks is Yuga Labs, creator of the iconic Bored Ape Yacht Club (BAYC) collection. Yuga Labs’ Discord servers were hacked on June 4th when BorisVagner.ETH, Social Manager at Yuga Labs, had his verified Discord account compromised. While in control of the verified account, the hacker began to post promotional material to the account’s Discord community.
The hackers purposefully targeted users who were already holders of valuable NFTs, advertising a “BAYC, MAYC, and Otherside EXCLUSIVE Giveaway,” and providing a fraudulent link that prompted users to send a minting fee in ETH.
Potential buyers started biting around 8:15 am EST, clicking on the fraudulent link and taking steps to connect their wallets in order to send the required minting fee in ETH. Instead, the ETH went straight to the fraudster’s address, and the transactions compromised victims’ wallets, executing fraudulent transfers of NFTs to the attackers’ wallets.
In these circumstances, when accepting the prompt to connect their wallets, victims are usually unaware that the transaction they approve makes a setApprovalForAll or similar call, granting the attacker's address operator rights over the victim's ERC-721 tokens, also known as NFTs, so the attacker can transfer them without any further signature.
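As an added example that is not part of TRM's post, the following Python decodes the calldata behind such a prompt and flags a setApprovalForAll(operator, true) grant to an operator the user has not deliberately trusted. The function selectors are the standard ERC-721 ones; the operator addresses and the trusted list are constructed placeholders.

```python
# Added example: inspect the calldata a wallet asks you to sign and flag an
# ERC-721 setApprovalForAll(operator, true) grant to an untrusted operator.
# Selectors are the standard ERC-721 ones; all addresses are constructed placeholders.

SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)

# Constructed placeholder: operators the user has knowingly approved (e.g. a known marketplace).
TRUSTED_OPERATORS = {"0x1111111111111111111111111111111111111111"}

def decode_call(calldata_hex: str) -> dict:
    """Decode the selector and arguments of an ERC-721 approval call from raw calldata."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    selector, args = data[:4], data[4:]
    if selector == SET_APPROVAL_FOR_ALL and len(args) >= 64:
        operator = "0x" + args[12:32].hex()          # address is right-aligned in a 32-byte word
        approved = int.from_bytes(args[32:64], "big") != 0
        return {"function": "setApprovalForAll", "operator": operator, "approved": approved}
    if selector == APPROVE and len(args) >= 64:
        spender = "0x" + args[12:32].hex()
        token_id = int.from_bytes(args[32:64], "big")
        return {"function": "approve", "operator": spender, "token_id": token_id}
    return {"function": "unknown", "selector": "0x" + selector.hex()}

def risk_of(call: dict) -> str:
    """Classify what signing this call would hand to the operator."""
    if call["function"] == "setApprovalForAll" and call["approved"]:
        if call["operator"].lower() in TRUSTED_OPERATORS:
            return "trusted-operator"
        return "HIGH: grants an unknown operator transfer rights over every token in this collection"
    if call["function"] == "approve":
        return "MEDIUM: grants transfer rights over one token id"
    return "low"

def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """ABI-encode a constructed setApprovalForAll sample so the decoder can be exercised offline."""
    word1 = bytes.fromhex(operator.removeprefix("0x")).rjust(32, b"\x00")
    word2 = (1 if approved else 0).to_bytes(32, "big")
    return "0x" + (SET_APPROVAL_FOR_ALL + word1 + word2).hex()

if __name__ == "__main__":
    # Constructed sample: a "mint" prompt that is really a blanket approval to an unknown address.
    sample = encode_set_approval_for_all("0x2222222222222222222222222222222222222222", True)
    call = decode_call(sample)
    print(call, "->", risk_of(call))
```

The same check applied to the hex calldata a wallet shows before signing would have revealed that the "minting fee" prompt grants transfer rights over the whole collection rather than paying a fee.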
After the victims’ wallets were compromised, NFTs from each compromised account were moved into a single wallet tied to the phishing link. In total, from a single exploit, the attackers acquired a diverse portfolio from 18 valuable NFT projects including Bored Ape Yacht Club, Mutant Ape Yacht Club, OthersideMeta, and MekaVerse.
Hackers’ movements of stolen NFTs revealed a wider network
TRM’s internal investigations unit used TRM Forensics — an investigative tool — to follow the movement of the stolen Yuga Labs NFTs to the scammers’ wallet and then to an NFT marketplace, where they were sold for ETH. The majority of proceeds from those sales were moved into three different wallets before the actor began moving them into Tornado Cash and various other intermediary wallets.
One of the three consolidation wallets, which sent a significant amount of proceeds to Tornado Cash, was also connected to wallets with direct exposure to other Discord compromises that occurred in May and June 2022.
After de-mixing, TRM investigators observed the hackers disbursing stolen funds among several externally owned accounts (EOAs), decentralized services, gambling websites, and a darknet market via cross-chain movement, bridging funds from Ethereum to Bitcoin. A significant amount of funds was sent to a wallet hosted at a centralized exchange that is also linked to a number of other Discord account compromises, including the Tasties, KaijuKingz, Bubbleworld, and Parallel Discord hacks.
Number of groups involved remains unknown
While the recent compromises examined by TRM appear to be related, the rate at which these compromises are occurring and spreading across multiple blockchains suggests they could be separate coordinated efforts by different threat actors running these scams at scale. The targeting of multiple blockchains—Ethereum-based projects as well as ones on Solana in recent weeks—indicates many of these Discord account compromises are likely run by a group of hackers or as a Scam-as-a-Service offering, a scheme in which a threat actor provides the tools and services to others to facilitate the running of a scam.
As with traditional scams, once a community of threat actors or Scam-as-a-Service operators understands the basic mechanisms from deception to execution, the community of illicit actors can scale that activity by reusing and iterating on services or practices. This is likely happening here, with a variety of threat actors specifically targeting Discord servers and NFT projects.
How individuals can protect themselves against NFT scams on Discord
As NFT projects work to bolster the security of their platforms and servers, and law enforcement and other groups work to impede attackers’ ability to carry out future exploits, individuals can and should take steps to protect themselves. Being aware of common attack vectors, including platforms like Discord, and of common tactics by threat actors, including phishing attacks that use FOMO-inducing language, will help mitigate the risk of becoming a victim of these scams.
If you have been a victim of a scam or want to check an NFT project or crypto address for reported scams, visit Chainabuse.com.
About TRM Labs
TRM provides blockchain intelligence to help financial institutions, cryptocurrency businesses, and public agencies detect, investigate, and manage crypto-related fraud and financial crime. TRM's risk management platform includes solutions for transaction monitoring and wallet screening, entity risk scoring - including VASP due diligence - and source and destination of funds tracing. These tools enable a rapidly growing cohort of organizations around the world to safely embrace cryptocurrency-related transactions, products, and partnerships.
TRM’s Global Investigations team conducts and supports crypto investigations to combat illicit activity and build trust and confidence in the crypto economy. Our investigators use TRM Forensics to trace NFT provenance, trace the flow of stolen assets and coordinate with relevant law enforcement partners.