Two Web3 security firms have issued reports focused on the recent scourge of hacks targeting NFT projects, likely by a linked group of hackers using compromised Discord server administrator accounts.
According to a recent analysis by TRM Labs, cyber attacks against NFT collections have steadily risen in 2022, costing the NFT community over $22 million in May alone. NFTs are blockchain-based tokens that show ownership over digital or physical assets.
In the report, TRM Labs—which specializes in digital asset compliance and risk management—says cyberattacks linked to NFT minting scams deployed through compromised Discord accounts subsequently increased by 55% in June 2022 compared to the previous month.
"Since 2022, we've seen these compromises happening at scale, specifically on Discord," TRM Labs investigator Monika Laird told Decrypt in an interview.
The NFT community has suffered more than 150 compromises targeting NFT projects' Discord servers since May 2022. A sampling… (1/2) pic.twitter.com/cEdPaV5mQI
— TRM Labs (@trmlabs) July 25, 2022
TRM Labs says it has received over 100 reports of Discord channel hacks in the past two months through its Chainabuse reporting platform. Laird says that the attacks happen weekly and often target ERC-721 tokens, which is a token standard on the Ethereum blockchain for non-fungible tokens.
On the on-chain side, she said the relationship between the common consolidation points (exchanges, mixers) and wallets suggests that the same actors run the bulk of these attacks.
Our security team has been tracking a persistent threat group that targets the NFT community. We believe that they may soon be launching a coordinated attack targeting multiple communities via compromised social media accounts. Please be vigilant and stay safe.
— Yuga Labs (@yugalabs) July 18, 2022
Yuga Labs, the company behind the NFT status symbol Bored Apes Yacht Club, said on Twitter last week: "Our security team has been tracking a persistent threat group that targets the NFT community. We believe that they may soon be launching a coordinated attack targeting multiple communities via compromised social media accounts. Please be vigilant and stay safe."
TRM Labs says on-chain data suggest many of the Discord compromises are linked to the same hacker that targeted the Bored Ape Yacht Club in June. According to the firm, other targeted projects include Bubbleworld, Parallel, Lacoste, Tasties, Anata, and more.
Our Discord servers were briefly exploited today. The team caught and addressed it quickly. About 200 ETH worth of NFTs appear to have been impacted. We are still investigating, but if you were impacted, email us at firstname.lastname@example.org.
— Bored Ape Yacht Club (@BoredApeYC) June 4, 2022
As Laird explained, there have been over 150 compromises since May targeting an admin role within a larger NFT project channel. Once the hackers control the admin account, they send out links to promotional giveaways and "exclusive" NFTs mints pushing people to jump into these malicious websites by creating a false sense of urgency.
"It isn't necessarily that Discord in and of itself has a weakness, but it just makes it a very target-rich environment," says Chris Janczewski, head of global investigations at TRM Labs. "If you're looking for people that own NFTs, you go to a place where they're all hanging out, and you have a point to be able to make [contact] with them."
While cyberattacks targeting Discord have been successful, Laird pointed out that hackers also compromised Twitter and Instagram accounts in recent months.
TRM Labs says that the rate at which the attacks are happening, and the fact that they occur across multiple blockchains, suggests that they could be separate attacks by rival cyber criminals running scams at the same time using tools provided as a "Scam-as-a-Service," turn-key, pay-as-you-go services to launch attacks.
In a separate report due out Thursday and previewed by Decrypt, blockchain security firm Halborn has also seen an increase in threats targeting crypto, separately pointing to the North Korean Lazarus Group, which the U.S. Treasury Department claims orchestrated the $622 million hack of the Axie Infinity Ronin Network.
While TRM Labs did not specify where the attacks are coming from, Halborn sees the threat originating from within China.
"Our analysis indicates that this attack came from a Chinese group that aims for high-value individuals," Alpcan Onaran, Halborn offensive security engineer, told Decrypt via Telegram. "We are expecting a logarithmic increase in advanced persistent attack (APT) activity and also expect to see different adversaries targeting Web 3.0 companies and individuals."
Onaran says that in Web3, security should be considered in all aspects, both technically and non-technically, to defend against these new threats.
"There's a saying that there's no such thing as new crimes [or] new scams; there are the old ones repackaged," Janczewski says. "So it makes perfect sense that all the kind of spear phishing, the FOMO, the getting people to do things irrationally very quickly, has pivoted into the new space, which is NFTs."