phishing scam

Inferno Drainer says it’s shutting down after helping steal $70M in crypto

“We hope you can remember us as the best drainer that has ever existed,” wrote the scam-as-a-service wallet drainer.

Inferno Drainer, one of the most popular crypto wallet-draining kits for hire says it is shutting down for good after helping phishing scammers steal nearly $70 million worth of crypto this year.

In a Nov. 26 Telegram post, the team behind Inferno Drainer said it was “time for us to move on.” However, it said that the files and infrastructure needed to run the wallet drainer won’t be destroyed but instead will remain active so users can make a “smooth transition” to other services.

“It has been a long ride with all of you and we’d like to thank you from heart [sic]. Unfortunately, nothing lasts forever.”

“A big thank [sic] to everyone who has worked with us,” it added. “We hope you can remember us as the best drainer that has ever existed and that we succeeded in helping you in the quest of making money.”

Inferno Drainer’s final message to its users. Source: Telegram

Inferno Drainer gained prominence early this year and saw increased use after the popular Monkey Drainer tool shut down. Like its peers, Inferno offered its crypto wallet-draining software and took a 20% cut of what users stole.

Since February, Inferno Drainer has stolen nearly $70 million from over 100,000 victims, according to analytics from Web3 anti-scam platform Scam Sniffer. However, the Inferno Drainer team suggested the amount stolen was over $80 million.

The Inferno Drainer team has deleted the affiliate Telegram account “mr_inferno_drainer” used for arranging its service and warned its users not to trust other drainers using its name in the future.

Related: Pink, Pussy, Venom, Inferno — Drainers coming for a crypto wallet near you

Blockchain security firm CertiK told Cointelegraph that Inferno Drainer was “one of the most damaging phishing kits to the community we’ve seen.”

It added there are still “plenty of providers out there” who are active, including rival Pink Drainer and Angel Drainer, the latter of which released an update on Nov. 25 to help users drain wallets on more blockchains.

Monkey Drainer, another high-profile crypto drainer that stole millions, shut down in March, saying it was “time to move on to something better.”

Magazine: Tornado Cash 2.0 — The race to build safe and legal coin mixers

Friend.tech users blame SIM swaps after more than 100 ETH drained in a week

In a short period of time, four friend.tech users reported their accounts were compromised and drained after hackers seized control of their mobile numbers.

Friend.tech users are warning of possible SIM-swap attacks after a recent spate of supposed hacks resulting in nearly 109 Ether (ETH) worth around $178,000 being drained from four users in under a week.

On Sept. 30, the X (formerly Twitter) user known as “froggie.eth” warned their Friend.tech account had been SIM-swapped — where exploiters gain control of a user’s mobile number, intercept two-factor authentication codes and then use them to access accounts — and subsequently drained of over 20 ETH.

Days later, on Oct. 3, a string of Friend.tech users reported similar incidents, with musician Daren Broxmeyer saying he was SIM-swapped and drained of 22 ETH.

His phone was earlier “spammed with phone calls,” which he believed was to force him to miss a text from his service provider warning him that someone was trying to access his account.

The same day another user, “dipper,” also said their account was compromised, adding they have “no idea” how exploiters could hack their account, as they use strong passwords.

The fourth user, “digging4doge,” was drained of around 60 ETH after falling for a phishing scam that tricked them into sharing a login code.

Crypto investment firm Manifold Trading explained that any hacker gaining access to a Friend.tech account is then able to “rug the whole account.”

Assuming that a third of Friend.tech accounts are connected to phone numbers, around $20 million is at risk of being exploited through Friend.tech user-focused exploits, they said.

Related: Friend.tech look-alike ‘Alpha’ emerges on Bitcoin network

Manifold also suggested that, technically, all of Friend.tech is at risk due to how the platform’s security is set up, and solving the issues “should honestly be the number 1 priority.”

Manifold suggested Friend.tech allow users to add 2FA to logins, key decryptions and transactions.

Users should also be given the option to change the login method from a number to email and allow for third-party wallets to be used.

High-profile crypto figures have previously been successfully SIM-swapped, with their accounts used to carry out phishing attacks, such as Ethereum co-founder Vitalik Buterin’s X account in September.

Cointelegraph contacted Friend.tech for comment but did not immediately receive a response.

Magazine: Blockchain detectives — Mt. Gox collapse saw birth of Chainalysis

Notorious Monkey Drainer crypto scammer says they’re ‘shutting down’

The scammer behind the crypto wallet draining kit even recommended an alternative and gave advice to budding cybercriminals.

The cryptocurrency phishing scammer behind some of the most high-profile and high-value Web3 thefts is claiming to have packed up shop and is “moving on to something better.”

The scammer by the pseudonym Monkey Drainer posted to their Telegram channel on Mar. 1 that they “will be shutting down immediately” and all “files, servers and devices” related to the drainer “will be destroyed immediately” and it “will not return.”

Monkey Drainer’s full message posted to Telegram recommending an alternative service. Source: Telegram

The scammer even gave advice to budding “young cyber criminals” saying they shouldn’t “lose themselves in the pursuit of easy money” and only those “with the highest level of dedication” should operate a “large scale cybercrime” outfit.

Monkey Drainer even recommended a “flawless” alternative service to the one they once offered named “Venom Drainer” and pointed to a Telegram account for the service that was created only a day before Monkey’s announcement.

Blockchain security firm PeckShield tweeted on Mar. 1 that the Monkey Drainer scammer had deposited around 200 Ether (ETH), worth $330,000, into the crypto mixing service Tornado Cash within the previous day in an attempt to obscure their funds. Another 840 ETH, worth $1.4 million, was still in their primary wallet.

Blockchain security firm CertiK also shared Monkey’s message in a Mar. 1 tweet, saying the crypto wallet-draining kit they offered is understood to take a 30% “commission” of the funds stolen through others’ use of the software.

Wallet-draining kits from other providers have copied the model, and CertiK pointed to other vendors already reporting an uptick in requests since Monkey Drainer announced the shutdown.

Monkey Drainer is understood to have operated since late 2022 and is estimated to have stolen up to $13 million worth of cryptocurrencies and nonfungible tokens (NFTs) since that time.

Related: Monkey Drainer-linked scammers possibly exposed after an on-chain quarrel

Other copycat phishing scammers and wallet-draining kits have stolen much more. A report from Web3 bug bounty platform Immunefi revealed $3.9 billion worth of crypto was lost to hacks, frauds, scams and rug pulls in 2022.

Possibly one of the single most high-profile and high-value thefts by a wallet drainer in recent times was the January attack on Kevin Rose, the co-founder of the Moonbirds NFT collection.

Rose’s wallet was drained after he approved a malicious signature on a phishing website that transferred over $1.1 million worth of his personal NFTs to the attacker.

Monkey Drainer-linked scammers possibly exposed after an on-chain quarrel

The scammer referred to their pseudonym during a blockchain message argument which may have revealed their actual identity, according to CertiK.

Blockchain security firm CertiK believes it has found the real identity of at least one scammer allegedly linked to the “Monkey Drainer” phishing scam.

Monkey Drainer is the pseudonym for a phishing scammer(s) that uses smart contracts to steal NFTs through a process known as "ice phishing." 

The individual or persons behind the phishing scam have stolen millions worth of Ether (ETH) via malicious copycat nonfungible token (NFT) minting websites to date. 

In a Jan. 27 blog, CertiK said it found on-chain messages between two scammers involved in a recent $4.3 million Porsche NFT phishing scam and was able to link one of them to a Telegram account involved in selling the Monkey Drainer-style phishing kit. 

One message revealed a person referring to themself as “Zentoh” and referred to the person who stole the funds as “Kai.”

Zentoh was seemingly upset at Kai for not sending over a slice of the stolen funds. The message from Zentoh directs Kai to deposit the ill-gotten gains “at our address.”

An on-chain message from a person referring to themselves as “Zentoh,” upset they didn’t receive a portion of phished funds from a person they address as “Kai.” Image: CertiK

CertiK deduced the joint wallet was the address that received the $4.3 million in stolen crypto. The firm added there is a “direct link” between the joint wallet and “some of the most prominent Monkey Drainer scammer wallets.”

The wallet address tied to Zentoh is in turn tied to numerous addresses linked to the Monkey Drainer scam. Image: CertiK

Zentoh revealed in another message the pair used Telegram to communicate. CertiK found an exact match for the pseudonym on the messaging app and identified it “to be running a Telegram group that sells phishing kits to scammers.”

The company found numerous other online accounts possibly linked to Zentoh, including one on GitHub that posted repositories for crypto drainer tools.

If the links between the accounts are legitimate, it reveals the identity of a French national living in Russia.

Cointelegraph reviewed accounts potentially related to the person and found public accounts that seemed to be interested in cryptocurrencies. Cointelegraph contacted the person but did not immediately receive a response.

Cointelegraph will not publish the name of the person due to privacy concerns.

Related: Hackers take over Azuki’s Twitter account, steal over $750K in less than 30 minutes

Crypto wallet-draining phishing scams have unfortunately been used to great effect recently.

The co-founder of the Moonbirds NFT collection, Kevin Rose, fell victim to such a scam, which led to over $1.1 million worth of his personal NFTs being stolen.

The crypto wallet of the influencer known on Twitter as “NFT God” suffered a similar fate after they downloaded malicious software from a Google Ad search result, with ETH and high-priced NFTs pilfered from the wallet.

Sam Bankman-Fried deepfake attempts to scam investors impacted by FTX

A faked video of the FTX founder, created by scammers, has circulated on Twitter, with users poking fun at its poor production quality.

A faked video of Sam Bankman-Fried, the former CEO of cryptocurrency exchange FTX, has circulated on Twitter attempting to scam investors affected by the exchange’s bankruptcy.

Created using programs to emulate Bankman-Fried’s likeness and voice, the poorly made “deepfake” video attempts to direct users to a malicious site under the promise of a “giveaway” that will “double your cryptocurrency.”

The video appears to use old interview footage of Bankman-Fried together with a voice emulator to create the illusion of him saying “as you know our F-DEX [sic] exchange is going bankrupt, but I hasten to inform all users that you should not panic.”

The fake Bankman-Fried then directs users to a website saying FTX has “prepared a giveaway for you in which you can double your cryptocurrency” in an apparent "double-your-crypto" scam where users send crypto under the promise they'll receive double back.

A now-suspended Twitter account with the handle “S4GE_ETH” is understood to have been compromised, leading to scammers posting a link to the scam website — which now appears to have been taken offline.

The crypto community has pointed to the fact that scammers were able to pay a small fee in order to get Twitter’s “blue tick” verification in order to appear authentic.

Meanwhile, the video received widespread mockery for its poor production quality with one Twitter user ridiculing how the scam production pronounced “FTX” in the video, saying they’re “definitely using [...] ‘Effed-X’ from now on.”

At the same time, it gave many the opportunity to criticize the FTX founder: one user said “fake [Bankman-Fried] at least admits FTX is bankrupt,” and YouTuber Stephen Findeisen shared the video saying he “can’t tell who lies more” between the real and fake Bankman-Fried.

Related: Crypto scammers are using black market identities to avoid detection: CertiK

Authorities in Singapore on Nov. 19 warned affected FTX users and investors to be vigilant as websites offering services promising to assist in recovering crypto stuck on the exchange are scams that mostly steal information such as account logins.

The Singapore Police Force warned of such a website which prompted FTX users to log in with their account credentials that claimed to be hosted by the United States Department of Justice.

Others have attempted to profit from the attention FTX and its former CEO are receiving. On Nov. 14, shortly after Bankman-Fried tweeted “What” without further explanation, some noticed the launch of a so-called “meme token” called WHAT.

“Deepfake” videos have long been used by cryptocurrency scammers to try to con unwitting investors. In May, faked videos of Elon Musk promoting a crypto platform surfaced on Twitter using footage from a TED Talk the month prior.

The video caught Musk’s attention at the time, who responded: “Yikes. Def not me.”

Beeple’s Discord URL ‘hijacked,’ directing users to wallet drainer

Other users in the crypto Twitter Community believe lax security management is to blame for the latest phishing scam aimed at Beeple's fans and followers.

Nonfungible token (NFT) artist Mike “Beeple” Winkelmann has found himself the target of phishing scammers yet again, warning users that the URL link to his official Discord server was “hacked,” sending unaware new members to a wallet-draining Discord channel if they follow the link.

In an Oct. 3 post, the NFT artist warned users not to go into the "fraudulent" Discord channel and verify as it will “drain your wallet.”

However, Beeple wasn’t the first to notice the URL sleight of hand, with Twitter user maxnaut.eth noting in a post hours earlier that the Discord link connected to the Beeple: Everydays - 2020 Collection on the NFT marketplace OpenSea may have been “hijacked.”

The screenshot shared by maxnaut.eth suggests that the URL points to a “CollabLand wallet drainer,” showing a Collab.Land Bot on Discord which directs members to verify account ownership — instead it works to drain their wallets, noting:

"Your Discord URL probably got hijacked and your team didn't update it on OS. You need to change that ASAP or people going to get rekd."

While Beeple claims the URLs were hacked and that Discord is to blame, other crypto Twitter community members are arguing that lax security measures are truly to blame.

NFT analyst and blockchain detective "OKHotshot" replied to the artist's announcement, stating the URLs were not hacked but instead alleging: "Mismanagement of discord URLs allows this happen, probably just like it happened to CryptoBatz."

Cybersecurity firm Black Alchemy Solutions Group, meanwhile, commented that in its view it was not “a Discord problem.”

"This is a problem with a mismanagement of the Beeple Information Security apparatus. If you haven't already, hire a vCISO (Security Officer), web3 doesn't = Natively Secure."

It appears that the misdirecting Discord URLs have been fixed by the artist, according to maxnaut.eth, noting that it “Seems Beep Man picked it up and has fixed it now."

At the time of writing, the Discord link in the affected Opensea listing also appears to be gone.

Related: 8 sneaky crypto scams on Twitter right now

Beeple’s social media and messaging platforms appear to be a popular target for scammers and hackers, as he has sold some of the most expensive NFTs on record, including the First 5,000 Days, a compilation of 5,000 pieces of artwork that sold for $69.3 million.

Elon Musk’s spacecraft manufacturer SpaceX, tech giant Apple, luxury brand Louis Vuitton and other high-profile companies and individuals are all listed as clients on Beeple’s website.

In May, a phishing scam netted $438,000 in crypto and NFTs through a hijacking of his Twitter account, linking to a raffle purporting to be related to a Louis Vuitton NFT collaboration. 

In Nov. 2021, his Discord was part of another scam, where an admin account was compromised and a fake NFT drop was advertised, netting the scammers an estimated 38 Ether (ETH) worth roughly $176,378.14 at the time.

Beeple did not disclose how many users may have been impacted by the current malicious Discord links.

Cointelegraph has reached out to Beeple but has not received an immediate response at the time of publication.

Report: Bored Ape Yacht Club Discord Attacker May Have Been Involved in Previous NFT Phishing Scams

On June 4, 2022, the Bored Ape Yacht Club (BAYC) Discord server was compromised and a phishing scam targeted non-fungible token (NFT) collectors holding BAYC, Mutant Ape Yacht Club (MAYC), and Otherside NFTs. According to an analysis by the Web3 and blockchain auditing and security firm CertiK, the BAYC Discord server attacker may have been […]

Targeted phishing scam nets $438K in crypto and NFTs from hacked Beeple account

Links posted to a fake Louis Vuitton non-fungible token (NFT) raffle were made to capitalize on a recent real collaboration between Beeple and the luxury fashion brand.

Digital artist and popular non-fungible token (NFT) creator Mike Winkelmann, more commonly known as Beeple, had his Twitter account hacked on Sunday, May 22 as part of a phishing scam.

Harry Denley, a Security Analyst at MetaMask, alerted users that Beeple’s tweets at the time containing a link to a raffle of a Louis Vuitton NFT collaboration were in fact a phishing scam that would drain the crypto out of users' wallets if clicked.

The scammers were likely looking to capitalize on a real recent collaboration between Beeple and Louis Vuitton. Earlier in May, Beeple designed 30 NFTs for the luxury fashion brand’s “Louis The Game” mobile game which were embedded as rewards to players.

The scammer continued to post phishing links from Beeple’s Twitter account leading to fake Beeple collections, luring in unsuspecting users with the promise of a free mint for unique NFTs.

The phishing links were up on Beeple’s Twitter for around five hours and on-chain analysis of one of the scammers' wallets shows the first phishing link scored them 36 Ethereum (ETH) worth roughly $73,000 at the time.

The second link netted the scammers around $365,000 worth of ETH and NFTs from high-value collections such as the Mutant Ape Yacht Club, VeeFriends, and Otherdeeds amongst others bringing the grand total value stolen from the scam to around $438,000.

On-chain data shows the scammer selling the NFTs on OpenSea and putting their stolen ETH into a crypto mixer in an attempt to launder the gains.

Beeple later tweeted that he had regained control of his account and added to remind his followers that “anything too good to be true IS A F*CKING SCAM.”

Related: Needed: A massive education project to fight hacks and scams

Beeple has created three of the top ten most expensive NFTs sold to date including one which sold for $69.3 million, the most expensive ever sold to a sole owner. This attention has made him a target for hacks.

In November 2021, an admin account on Beeple’s Discord was hacked with scammers there also promoting a similarly fake NFT drop which resulted in users losing around 38 ETH.

Earlier this month, cybersecurity firm Malwarebytes released a report which highlighted a rise in phishing attempts as scammers try to cash in on NFT hype. The firm noted the use of fraudulent websites depicted as legitimate platforms is the most common tactic used by scammers.

Rare Bears Discord phishing attack nabs $800K in NFTs

The account of a moderator from the non-fungible token project was compromised in the attack, posting a phishing link that drained user wallets.

Recently launched NFT project Rare Bears was hit with an attack after a hacker posted a phishing link in the project’s Discord channel, stealing nearly $800,000 in NFTs.

Analysis from blockchain security firm Peckshield detailed that the attacker was able to steal 179 NFTs, including Rare Bears and other NFTs from various collections, including CloneX, Azuki, a “mfer” from artist sartoshi, and 6 LAND tokens used for The Sandbox metaverse.

According to on-chain analysis, most of the NFTs were sold, netting the hacker 286 ETH, worth over $795,500, most of which was promptly put through Tornado Cash, a crypto mixer used to obfuscate the source of funds.

A slate of similar phishing scams have occurred in recent months on Discord, suggesting some teams need to more carefully consider the security on admin accounts. Earlier today, the Rare Bears team posted that they had hired security consultant and auditor “Pandez” for a full security audit of its Discord.

How the attack happened

According to an update posted by the Rare Bears team, the hacker gained access to the account of a Rare Bears Discord moderator known as “Zhodan”, posting an announcement within the group's channel that a new mint of NFTs was taking place.

It was a fake, of course — a phishing link designed to steal funds from a user’s wallet.

The update from the security audit found that the Discord account of the project’s head had been compromised. The attacker, using the compromised account, then banned other members or removed their roles from the server, thereby removing their ability to delete the posted phishing link.

The attacker then invited a bot which locked all channels on the server, removing the ability for others to publicly communicate that the posts and links were fake.

Rare Bears said the team was able to regain control of the server, removing the compromised account and transferring ownership to a new one, and that the server is secure from another attack.

Related: NCA wants regulation for coin mixers, but the crypto industry is already one step ahead

Speaking to Cointelegraph, security consultant Pandez said that users should look out for a few key signs that could mean a message is a scam.

“Almost no serious project will ever do a stealth mint,” Pandez said, “never click any links which appear like this.”

Pandez said other red flags are if channels are locked during a “drop” of a new NFT collection, if the link differs to those shared on Twitter or other official sources for the project, and if the link is continuously posted in the channel.

Past attacks of a similar nature have happened on Discord. In December, Solana NFT project Monkey Kingdom announced that hackers made off with $1.3 million of the community’s crypto funds after a security breach. Attackers there also posted a phishing link that drained users’ wallets.

Last November, members of the Discord of popular NFT artist Beeple were also scammed, with attackers gaining access to a moderator’s account to post a phishing link, similarly draining user funds.
