Discord hacking is the newest threat for NFT buyers

Two NFT projects were attacked on Tuesday, December 21st. The NFT collection Monkey Kingdom and the in-game asset marketplace Fractal both engaged with their communities through the Discord chat server. The Monkey Kingdom project was going to give out rewards on the 21st and the Fractal project was going to give out rewards a few days later.

Disaster struck. Posts appeared in the official announcements channel of each project claiming that a surprise mint would reward community members with a limited edition NFT. For those who followed the links and connected their wallet, a costly surprise was waiting. Both projects used the Solana currency for purchases, and those who connected did not receive an NFT.

In the space of an hour, Monkey Kingdom and Fractal posted on their websites that their Discord server had been hacked and that the news of the NFT mints was fake. The scam artists got away with about $150,000 worth of currency. The estimated total for Monkey Kingdom was over a million dollars.

The token itself was not targeted in the attack. The thieves exploited weaknesses in the infrastructure used to sell the token, specifically in the chat rooms where NFT fans gather. It is a reminder of the weakness in the NFT economy, where surprise drops have primed buyers to move fast or miss out. The same techniques that hype up a sale can also open the door to hackers, and in this case, a single compromise can end up spreading to more than one community at once.

The NFT thieves targeted a feature known as a webhook. Webhooks are used by many web applications to listen for a message sent to a particular URL and then post it to a certain channel. A webhook is like a unique phone number that can be called to connect to an application on the other end.

The hackers were able to broadcast messages to all members of certain channels that were meant to be used only for official communications from the project teams. This was where the fake announcement came from and where it pointed to a scam address. The content should have raised some red flags, but given the distribution method, it looked legitimate to many.

For example, the official documentation describes making a bot that notifies a channel of new commits using a Discord webhook. If a server has been hacked, there is no way to switch off all of its webhooks at the same time. The result is a major opportunity for attackers and a liability for any Discord communities that aren't paying attention.

The company warned people to be careful when giving other people access to their devices and personal information, and pointed to guidance available through its Moderator Academy resource center.

Peter Day, senior manager of corporate communications at Discord, said that the company takes the safety of all users and communities very seriously. While there are clear controls in place, we are always working to make it harder for these attacks to happen and will continue to invest in education and tools to help protect our users.

The origin of the hack is believed to be a service called Grape Network, which provides community management tools to hundreds of other projects that use Discord. An employee of Grape Network going by the screen name Arximedis was caught up in a scam on another server, this one belonging to Solana, roughly a week before the theft.

After manipulating a Solana moderator and Arximedis himself through a phishing attack, the hackers obtained an account access token that allowed them to perform actions on behalf of the Grape administrator. They were able to create an avenue for sending messages to the Monkey Kingdom channels. The hackers then kept quiet and waited for a time to strike.

The first hack was used to create webhooks that were used in the second hack, according to Dean Pappas. One of the things that hurts you the most is pride and professionalism. It is a very difficult situation.
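Because webhooks planted in an earlier compromise keep working until they are deleted, and there is no single switch to disable them, a server team can list every webhook and review the ones it does not recognize. The following is an added example, not code from Discord or from the projects described here: it audits a webhook listing against an allowlist of trusted creators and a set of protected channels, using Discord's documented `GET /guilds/{guild_id}/webhooks` and `DELETE /webhooks/{webhook_id}` endpoints. The sample data, ids, allowlist and User-Agent URL are constructed assumptions.

```python
import json
import urllib.request

API = "https://discord.com/api/v10"

# Constructed sample shaped like the response of GET /guilds/{guild_id}/webhooks.
# All ids and names are made up for this example.
SAMPLE_WEBHOOKS = [
    {"id": "1001", "type": 1, "name": "GitHub commits", "channel_id": "20",
     "user": {"id": "501", "username": "lead-dev"}},
    {"id": "1002", "type": 1, "name": "Announcements", "channel_id": "10",
     "user": {"id": "777", "username": "community-tool-admin"}},
    {"id": "1003", "type": 2, "name": "Partner news", "channel_id": "10"},
]

def _headers(bot_token):
    # Placeholder User-Agent URL; Discord expects bots to identify themselves.
    return {"Authorization": f"Bot {bot_token}",
            "User-Agent": "DiscordBot (https://example.invalid, 0.1)"}

def fetch_webhooks(guild_id, bot_token):
    """Live listing; the bot needs the Manage Webhooks permission."""
    req = urllib.request.Request(f"{API}/guilds/{guild_id}/webhooks",
                                 headers=_headers(bot_token))
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def audit_webhooks(webhooks, trusted_creator_ids, protected_channel_ids):
    """Return (webhook, reasons) for every webhook that needs human review."""
    findings = []
    for wh in webhooks:
        reasons = []
        # A missing "user" field (no recorded creator) is treated as untrusted.
        if (wh.get("user") or {}).get("id") not in trusted_creator_ids:
            reasons.append("creator not on allowlist")
        if wh.get("channel_id") in protected_channel_ids:
            reasons.append("posts into protected channel")
        if reasons:
            findings.append((wh, reasons))
    return findings

def delete_request(webhook_id, bot_token):
    """Build (without sending) the DELETE /webhooks/{id} call that revokes it."""
    return urllib.request.Request(f"{API}/webhooks/{webhook_id}",
                                  method="DELETE", headers=_headers(bot_token))

if __name__ == "__main__":
    for wh, reasons in audit_webhooks(SAMPLE_WEBHOOKS, {"501"}, {"10"}):
        print(wh["id"], wh["name"], "->", "; ".join(reasons))
```

Running the same audit on a schedule and comparing against the previous listing also surfaces webhooks that appear between reviews.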

The Monkey Kingdom project's head, who asked to be referred to as the Monkey King, said that additional security measures had been put in place to ensure the safety of users. The Monkey King said that the money raised by the project would be used to refund victims of the scam.

NFT projects are vulnerable to this kind of attack because they move so quickly. Early adopters are conditioned to act fast when projects sell out quickly. Early intel on presales and airdrops is released first on Discord, the go-to platform for NFT communities. Community members are primed to jump on any announcements that give them an edge, which in turn lets scam artists use fake messages to devastating effect.

Making a successful transaction in the most heated drops can be difficult for the early risers. A popular project used up non-refundable transaction fees in the first hour after launch, as more than 26,000 unsuccessful mint transactions occurred. More than $4 million was spent on gas fees for unsuccessful transactions.

There will be a lot of new projects looking to scale by using off-the-shelf solutions in the future, because there is no indication yet that the NFT craze will slow. There are signs that the NFT community's social pulse is also a source of income for unscrupulous individuals who want to separate marks from their hard-earned coins.

There may be sunnier days ahead for the two projects that were affected by this hack. The game asset marketplace went live on the last day of the year. Monkey Kingdom reimbursed money that was lost by members, and they are restarting the NFT line. The Monkey King told us that the community is loyal and fans are ready to pick up a deal.