Two NFT projects were attacked on Tuesday, December 21st. Both Monkey Kingdom’s NFT collection and Fractal’s in-game asset store rely heavily on Discord to communicate with their communities. Several days after Monkey Kingdom’s NFT presale on the 21st and Fractal’s token airdrop a few days later, both projects began distributing rewards to their community members.
Then things went wrong. Posts in the official “announcements” channel of each project claimed that a limited-edition NFT would be awarded to community members. Anyone who followed the links and connected their cryptocurrency wallet was in for a pricey surprise: instead of receiving an NFT, they had Solana, the cryptocurrency both projects used for purchases, siphoned out of their wallets.
Within an hour of one another, Monkey Kingdom and Fractal posted on Twitter that their Discord servers had been hacked; the NFT mint announcements were a hoax and the links were phishing scams. In Fractal’s case, the scammers made off with roughly $150,000 in cryptocurrency. For Monkey Kingdom, the estimated total was $1.3 million.
Discord Hacking BlockChain
Neither the blockchain nor the tokens themselves were attacked. Instead, the criminals exploited holes in the infrastructure used to sell tokens, specifically the Discord chatrooms where NFT supporters convene. It is a warning of a continuing weakness in the rapidly expanding NFT sector, where surprise drops push buyers to act quickly or risk missing out. A single hack can spread to multiple communities at the same time, so it’s important to understand the dangers of these approaches.
A feature known as a webhook was the target of the NFT thieves in this case. Many web applications (Discord included) use webhooks to listen for a message sent to a particular URL and then perform an action, such as posting content to a specific channel. For the purpose of connecting one application to another, you can think of a webhook as a secret phone number: a unique identifier that can be called (or, more accurately, “texted”), and anyone who knows the number can use it.
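Because a Discord incoming-webhook URL contains the secret token in its path, the URL itself is the credential, and a copy left in a config file, a CI log or a support chat is equivalent to leaking the “phone number” above. The following scanner is an added example and not code from the article or from Discord: it finds webhook URLs in text, reports the webhook id and line for triage, and redacts the token so the finding can be shared safely. The host variants, the token-length bound and the sample inputs are assumptions constructed for the example.

```python
import re

# Discord incoming-webhook URLs carry the secret token in the path, so the URL
# itself is the credential. The pattern covers the canonical discord.com host,
# the legacy discordapp.com host and the PTB/Canary client hosts. The token
# length bound is an assumption: real tokens are long URL-safe strings.
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{30,})"
)


def find_webhooks(text):
    """Return one dict per webhook URL in `text`: webhook id, token, char offset."""
    return [
        {"id": m.group("id"), "token": m.group("token"), "offset": m.start()}
        for m in WEBHOOK_RE.finditer(text)
    ]


def redact_webhooks(text):
    """Replace each token with a marker; the id survives so the owner can revoke it."""
    def _mask(m):
        prefix_len = m.start("token") - m.start()
        return m.group(0)[:prefix_len] + "<REDACTED>"
    return WEBHOOK_RE.sub(_mask, text)


def scan_sources(sources):
    """`sources` maps a name to its text; returns findings with source, line and id."""
    findings = []
    for name, text in sources.items():
        for hit in find_webhooks(text):
            line_no = text.count("\n", 0, hit["offset"]) + 1
            findings.append({"source": name, "line": line_no, "id": hit["id"]})
    return findings


# Constructed fixture (not real credentials): a 68-character fake token embedded
# in a config file and a chat log, plus a file with nothing to find.
FAKE_TOKEN = "A" * 34 + "b_c-" + "0123456789" * 3
SAMPLE_SOURCES = {
    "bot/config.env": (
        "DISCORD_GUILD=123\n"
        f"ANNOUNCE_HOOK=https://discord.com/api/webhooks/900000000000000001/{FAKE_TOKEN}\n"
    ),
    "support-chat.log": (
        "[10:02] dev: ci is green\n"
        "[10:03] dev: use this for staging "
        f"https://discordapp.com/api/webhooks/900000000000000002/{FAKE_TOKEN} thx\n"
    ),
    "README.md": "No secrets here.\n",
}

if __name__ == "__main__":
    for finding in scan_sources(SAMPLE_SOURCES):
        print(f"{finding['source']}:{finding['line']}: webhook id {finding['id']}")
    print(redact_webhooks(SAMPLE_SOURCES["support-chat.log"]))
```

Run it as a pre-commit hook or over exported chat logs; any hit means the webhook should be deleted and recreated in Discord, since there is no way to change a webhook’s token without replacing it.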
By gaining access to webhooks belonging to the Fractal and Monkey Kingdom Discord servers, the hackers were able to send messages that were broadcast to all members of specific channels, a function meant to be utilised only for official communications from the project teams. This is where the bogus “announcement” came from and why it pointed to a fraudulent URL. In hindsight, the content should have raised some red flags, but given the distribution channel it appeared just authentic enough that many were duped.
Discord webhooks are used to automate messages based on activity in other applications: for example, the official documentation covers building a bot that notifies a channel of new GitHub changes. But it’s easy to lose track of those bots amid the many third-party service integrations, and crucially, there’s no way to switch all of them off at once if you’ve been hacked. The result is a big opportunity for attackers and a liability for any Discord community that isn’t paying attention to its integrations.
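The caveat for a server owner is that while the Discord client has no one-click kill switch, the REST API does let a bot with the MANAGE_WEBHOOKS permission list every webhook in a guild (GET /guilds/{guild.id}/webhooks) and delete them one by one (DELETE /webhooks/{webhook.id}), which is the fastest way to cut off a compromised integration and also a useful periodic audit. The script below is an added example, not code from the article or from Discord: it enumerates the guild’s webhooks, revokes every incoming webhook that is not on an allowlist or that posts into a protected channel such as announcements, and supports a dry run. The endpoint paths and headers are Discord’s documented ones; the revocation policy, the fixture data, the placeholder guild id and bot token, and the offline transport are assumptions constructed for the example.

```python
import json
import urllib.error
import urllib.request

API = "https://discord.com/api/v10"
INCOMING = 1  # webhook "type" value for incoming (URL-addressable) webhooks


def http_transport(method, url, headers):
    """Real transport: returns (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def auth_headers(bot_token, reason=None):
    headers = {"Authorization": f"Bot {bot_token}", "User-Agent": "webhook-audit-example"}
    if reason:
        headers["X-Audit-Log-Reason"] = reason  # shows up in the guild audit log
    return headers


def list_guild_webhooks(guild_id, bot_token, transport=http_transport):
    """GET /guilds/{guild.id}/webhooks (needs MANAGE_WEBHOOKS); returns webhook objects."""
    status, body = transport("GET", f"{API}/guilds/{guild_id}/webhooks", auth_headers(bot_token))
    if status != 200:
        raise RuntimeError(f"listing webhooks failed with HTTP {status}")
    return json.loads(body)


def select_for_revocation(webhooks, allowlist_ids, protected_channel_ids):
    """Policy (assumption for this example): revoke every incoming webhook that posts
    into a protected channel, and every incoming webhook not explicitly allowlisted.
    Channel-follower and application webhooks have no postable URL and are skipped."""
    targets = []
    for hook in webhooks:
        if hook.get("type") != INCOMING:
            continue
        if hook.get("channel_id") in protected_channel_ids:
            targets.append((hook, "posts into protected channel"))
        elif hook["id"] not in allowlist_ids:
            targets.append((hook, "not on allowlist"))
    return targets


def revoke_webhooks(guild_id, bot_token, allowlist_ids=(), protected_channel_ids=(),
                    transport=http_transport, dry_run=True):
    """Enumerate, select and (unless dry_run) DELETE /webhooks/{webhook.id} each target."""
    hooks = list_guild_webhooks(guild_id, bot_token, transport)
    report = []
    for hook, reason in select_for_revocation(hooks, set(allowlist_ids), set(protected_channel_ids)):
        entry = {"id": hook["id"], "name": hook.get("name"),
                 "channel_id": hook.get("channel_id"), "reason": reason}
        if dry_run:
            entry["action"] = "would-delete"
        else:
            status, _ = transport("DELETE", f"{API}/webhooks/{hook['id']}",
                                  auth_headers(bot_token, reason=f"webhook audit: {reason}"))
            entry["action"] = "deleted" if status == 204 else f"failed:{status}"
        report.append(entry)
    return report


# Constructed fixture: what the guild-webhooks endpoint might return for a small server.
SAMPLE_WEBHOOKS = [
    {"id": "1001", "type": 1, "name": "GitHub CI", "channel_id": "5001", "token": "<fake>"},
    {"id": "1002", "type": 1, "name": "Announcements Feed", "channel_id": "5002", "token": "<fake>"},
    {"id": "1003", "type": 2, "name": "Followed channel", "channel_id": "5003"},
    {"id": "1004", "type": 1, "name": "Unknown integration", "channel_id": "5004", "token": "<fake>"},
]


def make_fake_transport(webhooks, calls):
    """Offline stand-in for http_transport that records every request in `calls`."""
    def transport(method, url, headers):
        calls.append((method, url))
        if method == "GET" and url.endswith("/webhooks"):
            return 200, json.dumps(webhooks).encode()
        if method == "DELETE" and "/webhooks/" in url:
            return 204, b""
        return 404, b'{"message": "Unknown Webhook"}'
    return transport


if __name__ == "__main__":
    calls = []
    fake = make_fake_transport(SAMPLE_WEBHOOKS, calls)
    # Placeholder ids/token; against a real guild drop transport=fake and use a real bot token.
    for entry in revoke_webhooks("GUILD_ID_PLACEHOLDER", "BOT_TOKEN_PLACEHOLDER",
                                 allowlist_ids={"1001"}, protected_channel_ids={"5002"},
                                 transport=fake, dry_run=False):
        print(entry)
```

During an incident, run it with an empty allowlist and `dry_run=False` to revoke everything at once; the webhooks the team actually needs can then be recreated, which also rotates their URLs. Deleting a webhook is recorded in the guild audit log, so the `X-Audit-Log-Reason` header is worth filling in.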
Newest Threat For NFT Buyers
A Discord spokesperson said the company urged users to be vigilant when granting others access to their devices and personal information, and pointed to guidance available through its Moderator Academy resource centre.
“Discord takes the safety of all users and communities very seriously, including social engineering assaults like these,” stated Peter Day, senior manager of corporate relations at Discord. “While there are clear protections in place, we are continually working to make it harder for these assaults to happen and will continue to invest in education and tools to help protect our users.”