
School Kids are Stealing NFTs Worth Millions of Dollars to Purchase Roblox Skins


Being wary of journalists can be a good thing at times. Take the case of Orbiter Finance. A self-described journalist from a crypto news website contacted one of its Discord moderators last month and asked them to fill out a form. The moderator had no idea that this simple action would hand someone else control of their Discord server.

Once inside, the offender froze the other admins' access and restricted community members' ability to post messages. Everyone who clicked on the phoney airdrop announcement was taken to a phishing website built to steal their NFTs. The plan worked: the attackers quickly drained NFTs and tokens worth $1,000,000 while the team could only watch.

"We were so concerned," Gwen, a business development manager at Orbiter Finance, said in an interview. "If we cause any damage to [our community members], we will just lose their trust."

The Orbiter attack is only one of many recent examples involving NFT drainers and compromised Discord servers or Twitter accounts. Data obtained by NFT researcher and security specialist OKHotshot shows that at least 900 Discord servers have been infiltrated for phishing attempts since December 2021, with a noticeable uptick in the previous three months.

According to statistics obtained by PeckShield and several dashboards on Dune Analytics by Scam Sniffer and others, such assaults have hit at least 32,000 victim wallets over the last nine months. Attackers have stolen NFTs and tokens worth a total of $73 million.

Culprits behind the attacks

These methods frequently involve wheeling and dealing in a growing drainer code black market. The masterminds behind the phishing assaults first go to Telegram and Discord, where they can identify channels hosted by the creators of various drainers. 

They contact the developer and acquire the drainer, a set of code that can be embedded in a website, typically agreeing to give the developer 20-30% of the proceeds. Then, using their own tactics, such as the fake news site mentioned above, they hijack a Discord server or Twitter account and advertise a bogus website carrying the NFT drainer code, in order to steal NFTs and whatever else they can get their hands on.

That is, when they are not preoccupied with homework. 

"95% of them are kids below the age of 18 who are still in high school," said Plum, a pseudonymous security researcher who works on the trust and safety team at NFT marketplace OpenSea, adding that the frequency of attacks tends to spike around the Summer holidays. 

“I personally have talked to quite a few of them and know they’re still in school,” stated Plum. “I’ve seen pictures and videos of various of them from their schools. They talk about their teachers, how they’re failing their classes or how they need to do homework.” 

These kids appear to make little effort to conceal their newfound wealth. “They'll buy a laptop, some phones, shoes and spend vast amounts of money on Roblox. They all play Roblox for the most part. So they'll buy the coolest gear for their Roblox avatar, video games, skins and things like that,” Plum added. 

Plum went on to say that they frequently buy gift cards with cryptocurrency on the gift card marketplace Bitrefill, spend thousands of dollars on Uber Eats, buy luxury clothes, pay individuals to do their homework for them, and even buy automobiles they can't drive yet. They also enjoy gambling. 

The exploiters try to cover their tracks by paying people in lower-income countries to register on exchanges with their personal information, obscuring the trail when they cash out, according to Plum. Plum also said that if law enforcement were interested in arresting them, at least some should have been apprehended by now, because they leave ample evidence of their actions.

Plum mused on why offenders believe they can get away with such crimes, saying that "they feel invincible, they have God mode — that no-one can touch them." 

While countries such as North Korea are also involved in phishing operations against NFTs, Plum claims that they normally employ their own drainers and are less connected with drainers for sale. The NFT drainers' creators, who in some cases carry out assaults using their own technology, are a little more elusive, but their pseudonymous profiles leave a unique trail. 

The growing problem of NFT drainers

Monkey, one of the first NFT drainers, launched their Telegram channel in August. But it wasn't until October that it really got going. According to PeckShield, their technology was utilised to steal 2,200 NFTs worth $9.3 million and an additional $7 million in tokens over the next few months. 

Monkey chose to retire on February 28th. Its creator stated in a parting message that "all young cyber criminals should not lose themselves in the pursuit of easy money," and advised its customers to use Venom, a competitor drainer.

Venom was a worthy opponent. It was another of the first drainers, and over time it was used to steal over 2,000 NFTs from over 15,000 victims. Customers of the drainer employed 530 phishing sites to attack crypto projects such as Arbitrum, Circle, and Blur, netting a total of $29 million in NFTs, ether, and various other tokens.

While Venom was one of the first NFT drainers to go multichain, security experts say the effort failed miserably. Their drainer was, however, the first to be used to steal NFTs from the NFT marketplace Blur.

Inferno, which was used to steal $9.5 million from 11,000 victims, and Pussy, which was used to steal $14 million from 3,000 victims, were two other rivals. Customers of Angel, which began on a Russian hacking forum, used it to steal $1 million from over 500 victims in the form of NFTs and various tokens, most notably compromising the Twitter account of crypto wallet Zerion. 

Whichever drainer is used, the operation stays much the same, with a few tweaks here and there. Plum believes the answer lies in safety-oriented wallet extensions, which have proven effective at protecting wallets. It is also prudent to use several wallets and to keep holdings in cold wallets.

Alert! Teen Hackers are Using Discord to Disseminate Malware


Avast security researchers found a Discord channel where a group of teenagers is developing, updating, promoting, and selling malware and ransomware, allegedly to make pocket money.

The researchers assume the members are all minors, since they frequently referenced their parents and teachers and casually used age-specific slurs. The researchers uncovered the group's activities through its Discord chat. The hackers sell variants of the Snatch, Lunar, and Rift malware and offer a variety of services ranging from data theft to ransomware and crypto mining.

However, the researchers found that the teen hackers mostly offer easy-to-use malware builders and toolkits, letting buyers use them without any real programming skill in a "do it yourself" (DIY) model.

How does the Group function? 

To become a group member or use the malware-as-a-service offering, interested parties must pay a fee. The registration price ranges from €5 to €25. Avast researchers observed in their analysis that about 100 accounts had already enrolled to gain access to the group. The malware distribution method is a little unusual.

The hackers post a YouTube video showing a bogus crack for a popular computer game or commercial software, with a download link in the description. To build credibility, other members of the Discord group leave comments on the video thanking the uploader and confirming that the link works. This is harder to spot than automated comment bots.

How Should One Handle Teen Hackers? 

This scenario is undoubtedly troubling. As a result, hacking ability among teenagers and minors must be channelled towards beneficial, ethical endeavours for the general benefit of the cybersecurity sector. 

Parents should talk with their children to understand what motivates them to distribute malware. There are many resources on Discord and other platforms to help anyone interested in pursuing a career in cybersecurity.

The first step, though, is for parents to engage with their children without passing judgement. It is worth emphasising that the group distributes malware without grasping the gravity of what it is doing, dismissing it as a prank.

Scammers Use Babadeda Crypter to Target Crypto, NFT, and DeFi Communities


Morphisec Labs researchers have uncovered a new malware campaign that uses a crypter, dubbed Babadeda, to target the crypto, NFT, and DeFi communities.

The campaign, which has potential links to Russian actors, uses fake OpenSea, Bored Ape Yacht Club, and ZED RUN marketplace domains to target the cryptocurrency and NFT communities on the group chat platform Discord.

In recent years many vendors have reported variants of this crypter, but Morphisec is the first to show how it is targeting the NFT community specifically. With a market value of more than $2.5 trillion, the cryptocurrency market is a prime target for attackers.

According to Morphisec researchers, the crypter delivers remote access trojan (RAT) payloads while evading signature-based antivirus solutions, giving attackers administrative control over a target's computer.

“Babadeda is a highly dangerous crypter. Targeting cryptocurrency users through trusted attack vectors gives its distributors a fast-growing selection of potential victims,” stated Hido Cohen and Arnold Osipov, security researchers at Morphisec. “Once on a victim’s machine, masquerading as a known application with a complex obfuscation also means that anyone relying on signature-based malware effectively has no way of knowing Babadeda is on their machine – or of stopping it from executing.”

Attackers' Methodology

The threat actor creates a Discord bot account on the company's official Discord server, which lets them impersonate the channel's official account. The attacker then sends users a private message on Discord inviting them to download a related application, promising access to new features and benefits. The link leads to a decoy site, which serves a malicious installer embedding the crypter and its RAT payload.

“Upon clicking ‘Download APP,’ the site will generally navigate to /downland.php, which will redirect the download request to a different domain (this makes it less likely that someone will detect a decoy site),” the researchers explained. “Interestingly, on one of these decoy sites, we noticed an HTML object written in Russian. This suggests that the threat actor’s origins may be in a Russian-speaking country since they most likely forgot to translate the HTML object from their native language into English.”

To evade detection, the attackers masked their intentions behind legitimate-looking applications. The domain names and user interface of the decoy sites closely resembled the originals, and the decoy sites carried a signed certificate, enabling an HTTPS connection. The researchers spotted 82 domains created between July 24, 2021, and November 17, 2021, and used in this campaign.
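The two signals a defender can pull out of that methodology are lookalike domains and a download request that redirects off the decoy domain. The script below is an added illustration, not Morphisec's tooling or anything from the original post: it scans constructed proxy log lines, flags hosts that resemble the brands the article names (the allowed-domain list and brand tokens are my assumptions), and flags 3xx responses whose download target lands on a different host.

```python
"""Flag lookalike decoy domains and off-domain download redirects in proxy logs.
Added illustration; every domain and log line here is constructed sample data."""
from urllib.parse import urlparse

# Assumption: the legitimate domains for the brands the article names.
ALLOWED_DOMAINS = {"opensea.io", "boredapeyachtclub.com", "zed.run"}

# Hand-picked brand tokens for lookalike matching (assumption, not from the page).
BRAND_TOKENS = {"opensea", "boredape", "zedrun"}

# Constructed proxy log lines: time client method url status redirect-target ('-' if none).
SAMPLE_LOG = """\
2021-11-17T10:01:02Z 10.0.0.5 GET https://opensea.io/assets 200 -
2021-11-17T10:02:10Z 10.0.0.5 GET https://opensea-app.net/downland.php 302 https://cdn-example-files.xyz/setup.exe
2021-11-17T10:03:44Z 10.0.0.7 GET https://zed.run/ 200 -
2021-11-17T10:04:01Z 10.0.0.7 GET https://zedrun-app.com/downland.php 302 https://example-files.top/installer.exe
2021-11-17T10:05:30Z 10.0.0.9 GET https://docs.python.org/3/ 200 -
2021-11-17T10:06:12Z 10.0.0.9 GET https://opensae.io/login 200 -
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; inputs are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_core(host: str) -> str:
    """Lower-case the host, drop a leading 'www.' and the final label (TLD),
    and squash separators so 'opensea-app.net' becomes 'openseaapp'."""
    labels = host.lower().split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    if len(labels) > 1:
        labels = labels[:-1]
    return "".join(ch for ch in "".join(labels) if ch.isalnum())


def is_lookalike(host: str) -> bool:
    """True for hosts that resemble a protected brand but are not the real domain."""
    if host.lower() in ALLOWED_DOMAINS:
        return False
    core = host_core(host)
    return any(token in core or levenshtein(core, token) <= 2 for token in BRAND_TOKENS)


def analyse_log(text: str) -> list:
    """Return one finding per suspicious request, with the reasons it was flagged."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed line: skip rather than crash the scan
        _, client, _, url, status, redirect = parts
        host = urlparse(url).hostname or ""
        reasons = []
        if is_lookalike(host):
            reasons.append("lookalike-domain")
        if status.startswith("3") and redirect != "-":
            target_host = urlparse(redirect).hostname or ""
            # A download that hops to another host is the pattern the researchers describe.
            if target_host != host and redirect.lower().endswith((".exe", ".msi", ".dmg", ".zip")):
                reasons.append("off-domain-download-redirect")
        if reasons:
            findings.append({"client": client, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG):
        print(finding)
```

The edit-distance threshold of 2 is deliberately loose so that swapped letters such as "opensae" are caught; in production you would tune it per brand and suppress hits on your own known-good domains, which is what the allow-list does here.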

Unfortunately, scammers are not only targeting individual users but also reputable organisations. Earlier this month, OpenSea's security came under scrutiny after a white hat hacker discovered a critical bug. The vulnerability could have allowed attackers to create fake blue-chip NFTs and set off a buying frenzy, draining hundreds of millions.