Another attack method has recently been highlighted with the disclosure that 2 NFT projects were compromised using the same approach: the hackers used webhooks to gain entry to Discord. The Monkey Kingdom NFT collection and Fractal, an in-game marketplace, were the victims.
The hack occurred on the 21st of December as both projects were preparing to give out rewards to their early supporters. Monkey Kingdom was to begin a presale and Fractal were rewarding their supporters with an airdrop in the coming days.
These are normal practices used by NFT projects to drum up support and excitement for their projects.
To begin, everything seemed normal as the projects prepared for the drops. However, messages began to show up on their Discord groups on the ‘Official Announcement’ boards. They claimed that there was to be a previously unannounced mint that would reward community members.
This being the crypto world, everybody is primed to move fast, as many projects can sell out in minutes. So hundreds of community members from both projects, seeing the “official announcement”, jumped at the chance.
They were told to follow a link and input their address to receive their NFT. But instead of receiving the said NFT, they had their Solana siphoned from their wallets.
Soon after, both Monkey Kingdom and Fractal announced via Twitter that their Discord groups had been hacked.
According to The Verge, the hack cost Fractal crypto worth $150,000, while it was reported that Monkey Kingdom were hacked for $1.5 million.
How were the NFT projects hacked?
The hack didn’t target the blockchains that the projects are on. Rather, the hackers exploited weaknesses in the projects’ Discord servers, where community members gather. They used the old ‘FOMO on a drop’ that is part and parcel of the NFT economy.
In other words, one of the prime hooks to garner sales for almost all NFT projects has been used against them.
The hackers gained access to the Discord groups through webhooks. Once they had hacked the channel, they were able to send messages to the entire group via the ‘official announcement’ channel.
The initial hack has been linked back to a phishing attack on a member of staff from Grape Network, a company that provides community management tools to many NFT projects.
Dean Pappas, founder of the firm, confirmed to The Verge that the hack targeted a member of his staff. “This is one of those things that really hurts you, both in terms of pride and professionalism,” Pappas said. “It’s a very difficult situation.”
How did NFT projects react to the hack?
Monkey Kingdom has announced that additional security has been added and that the project has raised money to refund the victims of the hack.
Fractal has gone live since the hack (with added security) and reimbursed all of those affected by the hack.
Not everyone out there has good intentions; there are many people ready to take your money away from you. Always do due diligence, and best of luck out there.