Some NFT buyers fell victim last Tuesday (22) to a scam run through Discord and had a total of US$ 150 thousand (around R$ 850 thousand) stolen. The scammers broke into the official server of the Fractal platform, a marketplace for non-fungible tokens of game items, and used the channel's bot to send a link that allowed them to steal users' cryptocurrency.
By clicking on the link sent by the server's bot, buyers landed on a page where they connected their digital wallets. However, instead of receiving the NFTs, users had their Solana cryptocurrency stolen. According to Tim Cotten, founder of Scrypted Inc, another NFT gaming company, the scammers took the equivalent of US$ 150,000 in Solana.
In reports on social media, users said they had no way of suspecting the link, since it had been sent by the official Fractal server bot. The creator of the platform, Justin Kan, reported on Twitter that the Discord server, with more than 100 thousand members, had been compromised by hackers and asked people not to click on further messages.
How the Discord Server Scam Happened
The scammers took advantage of the fact that users were waiting to buy NFTs at the time of the "mint", the term for the first transaction of a token shortly after its creation. After the mint, NFTs can be traded between people through third-party platforms.
Another factor that made the scam easier was a tweet posted by Fractal's official account. A few hours before the attack, the profile had announced an "airdrop" for that day, meaning the platform would distribute some tokens for free to selected users. Because the offer was so tempting, many people rushed in, believing the fraudulent link was real.
After the attack, Fractal's account explained that the hack was carried out via a webhook. In short, a webhook is a URL that one system exposes so that another system can push messages to it automatically. A Discord webhook therefore lets an external application post messages into a channel, under the server's bot identity, without anyone logging in.
To carry out the attack, the scammers used a webhook that was unprotected. Because the webhook URL is itself the only credential, anyone who obtains the right URL can post messages as the Discord server's bot.
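The point above is that a Discord webhook URL is a bearer secret: whoever holds it can post as the bot. As an added example (not code from the article or from Fractal), here is a small defender-side scanner that finds Discord webhook URLs leaked into text such as config files or CI logs and redacts the token part. The sample log below is constructed, and the webhook id and token in it are placeholders.

```python
import re

# A Discord webhook URL has the form
#   https://discord.com/api/webhooks/<id>/<token>
# (discordapp.com is the older host). The <token> in the path is the only
# credential, so the full URL must be handled like a password.
WEBHOOK_RE = re.compile(
    r"https://discord(?:app)?\.com/api/webhooks/"
    r"(?P<id>\d+)/(?P<token>[A-Za-z0-9_\-]+)"
)


def find_webhooks(text):
    """Return (id, token) pairs for every Discord webhook URL found in text."""
    return [(m.group("id"), m.group("token")) for m in WEBHOOK_RE.finditer(text)]


def redact_webhooks(text):
    """Replace each webhook token with a marker, keeping the id so the
    owning server can still be identified and the webhook rotated."""
    return WEBHOOK_RE.sub(
        lambda m: f"https://discord.com/api/webhooks/{m.group('id')}/<REDACTED>",
        text,
    )


# Constructed sample: a CI log where a webhook URL was printed by mistake.
# The id and token below are made up placeholders, not real values.
SAMPLE_LOG = """\
[12:01:03] notify: posting release note to discord
[12:01:03] POST https://discord.com/api/webhooks/123456789012345678/abcDEF_example-token_0123456789
[12:01:04] notify: done (204)
"""

if __name__ == "__main__":
    for wid, _ in find_webhooks(SAMPLE_LOG):
        print(f"leaked webhook found, id={wid}; rotate it in Discord server settings")
    print(redact_webhooks(SAMPLE_LOG))
```

Any URL the scanner reports should be deleted or regenerated in the server's integration settings, since redacting the log does not revoke a token that was already exposed.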
Fractal will compensate users affected by the scam
In a Medium post, Fractal said it had reached out to Discord’s security team to audit the server’s security. In the same text, the company urged users to be more careful when dealing with blockchain.
“If something doesn’t feel right in crypto, please don’t proceed, even if at first glance it looks legit. We should use our common sense as there is no undo button in crypto,” Fractal commented.
The platform also took the opportunity to apologize and promised to compensate all users who had their cryptocurrencies stolen in the scam.
Source: The Verge.