The Discords of several prominent NFT projects were hacked last week as part of a phishing scheme to mislead members into handing up their digital jpegs.
In tweets, the Bored Ape Yacht Club, Nyoki, and Shamanz all confirmed Discord hacks. The Discords of NFT projects Doodles and Kaiju Kingz were also attacked, according to screenshots released by independent blockchain investigator Zachxbt. Doodles and Kaiju Kingz both confirmed that they had been hacked on their Discords.
“Oh no, our dogs are mutating,” read one of the phishing posts posted in the BAYC Discord by a compromised bot viewed by Motherboard.
“MAKC can be staked for our $APE token. Holders of MAYC + BAYC will be able to claim exclusive rewards just by simply minting and holding our mutant dogs.”
The hack's purpose was to get users to click a link to "mint" a phoney NFT by submitting ETH and, in some cases, an NFT to wrap into a token.
“STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised,” the official BAYC Twitter account said early Friday morning.
“We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc. Other Discords are also being attacked right now.”
"Along with blue-chip projects like BAYC, and Doodles, our server was also compromised today due to a recent large-scale hack," the Nyoki’s tweet said.
On blockchain explorer Etherscan, two wallet addresses have been linked to the hacks and are now dubbed Fake Phishing5519 and Fake Phishing5520. The 5519 wallet, which sent 19.85 ETH to the 5520 wallets, stole at least one Mutant Ape Yacht Club NFT (a BAYC offshoot by developer Yuga Labs) and soon sold it. Early Friday morning, this second wallet delivered 61 ETH ($211,000) to the mixing service Tornado Cash. The wallet's most recent transaction is a transfer of.6 ETH to an inactive wallet, which subsequently sent the same amount to an extremely active wallet with 1,447 ETH ($5 million), 6 million Tether coins ($6 million), and a variety of other tokens.
This is not the first or last attack on crypto assets on Discord, which, while being a gaming-focused network, serves as a crucial centre for the great majority of projects. Crypto projects already have to deal with hacks that take advantage of smart contract flaws, but the fact that so many of them are also on Discord subjects them to frauds that exploit the power of the platform itself.
Several high-profile accounts have already fallen prey to schemes that hacked bots responsible for channel-wide announcements and pushed websites in order to steal ETH, NFTs, or wallets.