Rare Bear Discord Phishing Attack Steals $800K In NFTs

In the attack, a non-fungible token (NFTs) project moderator’s account was hacked, and a phishing link was posted, draining user wallets.

Rare Bears, a newly formed NFT project, was targeted by a hacker who used a phishing link in the group’s Discord channel to steal approximately $800,000 in NFTs.

The attacker was able to steal 179 NFTs, including Rare Bears and other NFTs from other collections, including CloneX, Azuki, a “mfer” from artist sartoshi, and 6 LAND tokens used for The Sandbox metaverse, according to blockchain security firm Peckshield.

According to on-chain research, the majority of the NFTs were sold, netting the hacker 286 ETH worth approximately $795,500, the majority of which has immediately sent through Tornado Cash, a crypto mixer used to hide the source of funds.

A slew of similar phishing attempts has surfaced on Discord in recent months, implying that certain teams should specialist attention to the security of admin accounts. The Rare Bears team announced earlier today that it has recruited security specialists and auditor “Pandez” to conduct a complete security assessment of its Discord server.

How The Attack Happened

According to a Rare Bears team update, the hacker got access to the account of “Zhodan,” a Rare Bears Discord moderator, and issued a statement within the group’s channel announcing a new mint of NFTs.

Of course, it was a hoax – a phishing link designed to steal money from a user’s account.

The security audit discovered that the project’s leader’s Discord account had been hacked. Using the hijacked account, the attacker then banned or revoked other members’ roles from the server, therefore removing their ability to erase the phishing link.

The attacker then invited a bot to the server, which froze all channels and prevented others from publicly revealing that the postings and links were phony.

The team was able to reclaim control of the server, removing the compromised and transferring ownership to a new one, and the service is a lookout against further attacks, according to Rare Bears.

Pandey, a security analyst, told Cointelegraph that Pandey should lookout for a few crucial signals that communication is a hoax.

“Never visit any websites like this,” Pandey added. “Almost no legitimate project will ever perform a stealth mint.”

Other red signals, according to Pandey, are if channels are locked during a “drop” of a new NFT collection, if the link is different from those provided on Twitter or other official sources for the project, and if the link is presented in the channel regularly.

On Discord, similar attacks have occurred in the past. After a security breach, Monkey Kingdom, a Solana NFT project,

claimed in December that hackers had made off with $1.3 million of the community’s crypto money. Attackers also posted a phishing link, draining users’ bank accounts.

Members of popular NFT artist Beeple’s Discord were also defrauded last November, with attackers obtaining access to a moderator’s account and posting a phishing link, depleting user cash.