The latest phishing attacks on big NFT Discord Servers
On May 18, the crypto community learned about phishing attacks on many popular NFT Discord servers, including Memeland by 9GAG, Proof/Moonbirds, RTFKT, APIENS, Cool Cats, Burrito Boyz, and Axie Infinity. The scammer stole numerous NFTs, worth potentially millions of dollars.
The scammer used several popular Discord servers to spread phishing links disguised as the “Official Mint Site” for a chance to get a newly released NFT for free. In what looked like a verified message, each server's community was told about the release of an “exclusive” NFT priced at 0 ETH with a total supply of 200; minters would only have to cover gas. How convenient! Future owners would also earn “.05% of all aftermarket sales,” paid weekly in some token through a staking pool. The message noted that everyone would have an equal chance of “getting their hands on one” and linked to the “official mint site,” which was the phishing page. It ended with a routine-sounding reminder, “Be sure to approve the transaction to enable staking features!” The scammer posted the same or slightly modified messages to different crypto and NFT servers on Discord.
Users who clicked the phishing link landed on an unremarkable website prompting them to approve a transaction and pay the gas fee. The transaction showed a value of 0 ETH, but that field only says how much ETH is attached; the contract call carried in the transaction's data field is what did the damage. Victims who signed it unknowingly handed their NFTs to the scammer's wallet. The scammer has already sold some of the stolen NFTs for 55 ETH (about $110K), but most of the stolen assets, worth millions of dollars, remain in their wallet.
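The following is an added example, not code from the Hacken post or from any of the projects it names. It shows the check a wallet (or a cautious user with a debugger open) should make before signing a “0 ETH” request: decode the calldata and report what the call actually does. The post does not say which contract function the phishing site requested; the “approve the transaction to enable staking features” wording is consistent with an ERC-721 `setApprovalForAll`, so that is the assumed call here. The `OPERATOR` and `COLLECTION` addresses and the `PHISHING_TX` request are constructed placeholders, and the selector table is hardcoded from the standard ERC-20/ERC-721 signatures so the script runs without a keccak library.

```python
# Added example (not from the Hacken post or any project it names): decode the
# calldata of a "0 ETH" transaction request before signing it. The phishing
# site's exact call is not stated in the post; an ERC-721 setApprovalForAll is
# assumed. All addresses and transactions below are constructed placeholders.

# Function selectors are the first 4 bytes of keccak256(signature). These are
# the well-known ERC-20/ERC-721 selectors, hardcoded so there is no keccak
# dependency.
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
    "b88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
}

OPERATOR = "0x" + "11" * 20    # placeholder: the scammer's wallet
COLLECTION = "0x" + "22" * 20  # placeholder: the victim's NFT contract


def word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word following the 4-byte selector."""
    w = data[4 + 32 * i: 36 + 32 * i]
    if len(w) != 32:
        raise ValueError("calldata too short for argument %d" % i)
    return w


def addr(w: bytes) -> str:
    """An ABI-encoded address is left-padded to 32 bytes; keep the last 20."""
    return "0x" + w[12:].hex()


def assess(tx: dict) -> dict:
    """Classify an eth_sendTransaction-style request the way a wallet prompt should.

    `value` only says how much ETH is attached; `data` is what actually calls the
    contract, so a 0 ETH transaction can still hand every token to an attacker.
    """
    value_wei = int(tx.get("value", "0x0"), 0)
    hexdata = tx.get("data", "0x")
    data = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    result = {"to": tx["to"], "value_eth": value_wei / 10**18,
              "call": None, "severity": "info", "verdict": "plain ETH transfer"}
    if len(data) < 4:
        return result
    selector = data[:4].hex()
    sig = SELECTORS.get(selector)
    result["call"] = sig
    if sig is None:
        result.update(severity="unknown",
                      verdict=f"unrecognised selector 0x{selector}; do not sign blindly")
    elif sig.startswith("setApprovalForAll"):
        operator = addr(word(data, 0))
        approved = int.from_bytes(word(data, 1), "big") != 0
        result["operator"] = operator
        if approved:
            result.update(severity="high",
                          verdict=f"grants {operator} control over EVERY token you hold in {tx['to']}")
        else:
            result.update(verdict=f"revokes operator {operator}")
    elif sig.startswith("approve"):
        spender = addr(word(data, 0))
        amount = int.from_bytes(word(data, 1), "big")
        result.update(severity="high", spender=spender,
                      verdict=f"lets {spender} move token id / amount {amount} from your account")
    else:  # transferFrom / safeTransferFrom variants
        sender, recipient = addr(word(data, 0)), addr(word(data, 1))
        token_id = int.from_bytes(word(data, 2), "big")
        result.update(severity="high", recipient=recipient,
                      verdict=f"moves token {token_id} from {sender} to {recipient}")
    return result


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """ABI-encode setApprovalForAll(operator, approved) as a 0x-prefixed hex string."""
    return ("0xa22cb465"
            + operator[2:].lower().rjust(64, "0")
            + ("1" if approved else "0").rjust(64, "0"))


# Constructed phishing request: shows 0 ETH, but the data field grants the
# operator the right to transfer every token the victim holds in COLLECTION.
PHISHING_TX = {"to": COLLECTION, "value": "0x0",
               "data": encode_set_approval_for_all(OPERATOR, True)}

if __name__ == "__main__":
    for label, tx in [("phishing", PHISHING_TX),
                      ("harmless", {"to": COLLECTION, "value": "0x0", "data": "0x"})]:
        r = assess(tx)
        print(f"{label}: value={r['value_eth']} ETH, severity={r['severity']}, {r['verdict']}")
```

The point of the `assess` function is the gap between what the wallet prompt emphasises (0 ETH) and what the call does (an unlimited operator approval). A real wallet should also resolve `tx["to"]` against the collections the user actually holds and warn when the operator is a fresh, unlabelled address.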
It was a classic scam: quickly click the link below for a chance to get something for free. However, this phishing attack was more sophisticated than usual. The message came from a verified account, not from a spam account or regular user, and the same verified scam message appeared on many different Discord servers simultaneously.
How could the scammer post verified messages on Discord servers? After all, the announcement was too good to be true, but it came from the official channel.
The answer is that the scammer compromised the Mee6 bot and used it to grant posting permissions to their fake account. With these permissions, the scammer could post fake messages in public channels where everyone could see them. The Mee6 bot is used by hundreds of Discord servers, including the big NFT projects, so one third-party integration holding elevated permissions everywhere let the scammer compromise many popular NFT Discord servers at once.
This attack could have been prevented at two levels: platform and user. Admins of a Discord server should not grant unrestricted posting or role-management permissions to third-party applications such as bots; a bot should get only the permissions its job requires, and announcement channels should be writable by trusted humans only. Understandably, users fell for the scam because the message appeared verified. Nevertheless, users should be very cautious when approving transactions with their wallets: a 0 ETH value does not mean the transaction is harmless, and an unexpected approval request is a red flag. If it is too good to be true, it probably is.
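As an added example of the platform-level check (not code from the Hacken post, from Discord or from Mee6), the script below audits the permission bitfield a bot role is granted and what that role ends up with in an announcement channel after the channel's overwrite is applied. The bit positions are Discord's documented permission flags; the `OVERPRIVILEGED_BOT`, `MINIMAL_BOT` and `ANNOUNCE_DENY` values are constructed for illustration, and the overwrite arithmetic is the simplified single-role form `(base & ~deny) | allow`, with `ADMINISTRATOR` bypassing overwrites as it does on Discord.

```python
# Added example (not from the Hacken post, Discord or Mee6): audit the
# permissions granted to a bot role, and what it can do in an announcement
# channel once that channel's overwrite is applied. Bit positions are Discord's
# documented permission flags; role and overwrite values are constructed.

PERMS = {
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_GUILD": 1 << 5,
    "VIEW_CHANNEL": 1 << 10,
    "SEND_MESSAGES": 1 << 11,
    "MANAGE_MESSAGES": 1 << 13,
    "EMBED_LINKS": 1 << 14,
    "READ_MESSAGE_HISTORY": 1 << 16,
    "MENTION_EVERYONE": 1 << 17,
    "MANAGE_ROLES": 1 << 28,
    "MANAGE_WEBHOOKS": 1 << 29,
}

# Rights that let a compromised bot push an "official" announcement to everyone
# or grant itself (or a fake account) more power. A leveling/moderation bot does
# not need any of them.
DANGEROUS = {"ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES",
             "MANAGE_WEBHOOKS", "MENTION_EVERYONE"}


def decode(bitfield: int) -> set:
    """Names of the known permission bits set in `bitfield`."""
    return {name for name, bit in PERMS.items() if bitfield & bit}


def effective(base: int, allow: int = 0, deny: int = 0) -> int:
    """Permissions in a channel after applying that channel's role overwrite
    (simplified single-overwrite form). ADMINISTRATOR bypasses overwrites."""
    if base & PERMS["ADMINISTRATOR"]:
        return base
    return (base & ~deny) | allow


def audit(role_perms: int, announcement_allow: int = 0,
          announcement_deny: int = 0) -> list:
    """Return findings; an empty list means the role is acceptable for a bot."""
    findings = []
    for name in sorted(decode(role_perms) & DANGEROUS):
        findings.append(f"role grants {name}")
    in_announce = decode(effective(role_perms, announcement_allow, announcement_deny))
    if "SEND_MESSAGES" in in_announce:
        findings.append("bot can post in the announcement channel")
    return findings


def least_privilege(role_perms: int) -> int:
    """Strip the dangerous bits, keeping what a chat bot actually needs."""
    for name in DANGEROUS:
        role_perms &= ~PERMS[name]
    return role_perms


# Constructed roles: the "just tick Administrator" grant versus a minimal one.
OVERPRIVILEGED_BOT = PERMS["ADMINISTRATOR"] | PERMS["SEND_MESSAGES"] | PERMS["MANAGE_ROLES"]
MINIMAL_BOT = (PERMS["VIEW_CHANNEL"] | PERMS["SEND_MESSAGES"]
               | PERMS["EMBED_LINKS"] | PERMS["READ_MESSAGE_HISTORY"])
# Announcement channel overwrite for the bot role: deny posting there.
ANNOUNCE_DENY = PERMS["SEND_MESSAGES"]

if __name__ == "__main__":
    for label, perms in [("overprivileged", OVERPRIVILEGED_BOT), ("minimal", MINIMAL_BOT)]:
        print(label, audit(perms, announcement_deny=ANNOUNCE_DENY) or ["ok"])
```

Note that denying `SEND_MESSAGES` in the announcement channel does nothing for a role that holds `ADMINISTRATOR`; the overwrite only helps once the role itself has been cut down with `least_privilege`.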