The attack is the latest in a long string of exploits targeting users on Discord with fake “stealth” NFT drops.
Hong Kong-based gaming and venture capital company Animoca Brands and subsidiary Blowfish Studios have promised users that they will repay 265 ETH (US$1.1 million) stolen in a fraudulent nonfungible token (NFT) sale on Discord.
The fraudulent minting event occurred at approximately 3 AM AEDT on Nov 19 on the Phantom Galaxies Discord server. It saw 1,571 fake minting transactions over the course of about three hours.
Phantom Galaxies is an upcoming Australian game being developed by Blowfish Studios. The Phantom Galaxies Discord server has 94,000 members.
In an increasingly common occurrence on Discord, hackers gained control of the official Phantom Galaxies server by using a malware bot that compromised the Admin account’s two-factor authentication. Once in control of the Discord server, the hackers banned all staff, advisor, and community moderator accounts.
The hackers then began posting announcements, claiming that the game was launching an immediate surprise “stealth” NFT minting event. Users were directed to a fraudulent “Phantom Galaxies NFT minting platform,” which charged users a 0.1 ETH “minting fee.”
Chairman of Animoca Brands Yat Siu warned followers about the fraudulent NFT drop in a tweet at around 4AM AEDT Nov. 19.
At 5:22AM he posted another tweet, saying that affected customers will be “appropriately compensated.” This has since been confirmed in a Nov. 24 release from Animoca, which stated that details regarding compensation will be announced shortly.
“Woodz,” a Californian project manager for an upcoming NFT project called Terra Obscura lost $1000 USD to this attack. They said they realized they’d been scammed shortly after ‘minting’ two non-existent NFTs:
“As I was doing it, it seemed a bit off. The gas was unusually low and the contract looked different. I knew something was wrong but not sure what.”
Woodz added they “don’t normally just click links,” but fell into the hacker’s trap because of the way the announcement was positioned inside the official announcement channel.
The attack on Phantom Galaxies comes after a similar recent attack on Nov. 11 involving famed NFT artist, Beeple. Users thought they were signing up for a very affordable NFT drop, timed to coincide with his second Christie’s auction.
The perpetrator impersonated one of the channel admins and the Beeple Announcements Bot to promote a fake NFT drop from Beeple on Nifty Gateway. Beeple has since removed links to the Discord from his Twitter profile, and other links to the server no longer appear not to work.
According to an Oct. 21 report by cyber security company RiskIQ, Discord is becoming an increasingly popular platform for cybercriminals. RiskIQ researchers uncovered 27 unique malware types hosted on Discord’s CDN servers.
In April, Talos Intelligence similarly found that hackers were increasingly using platforms like Discord to take advantage of users who were at home due to global COVID-19 restrictions.
“Attackers are leveraging collaboration platforms, such as Discord and Slack, to stay under the radar and evade organizational defenses,” it wrote at the time.