On Tuesday, December 21st, two NFT projects fell victim to the same attack. Like many projects in the crypto world, the NFT collection Monkey Kingdom and in-game asset marketplace Fractal both engaged heavily with their communities through Discord chat servers. Both projects were about to distribute rewards to their community members: Monkey Kingdom through an NFT presale on the day of the 21st and Fractal through a token airdrop — essentially a free distribution to early supporters — a few days later.
Then, disaster struck. Posts appeared in the official “announcements” channel of each project claiming that a surprise mint would reward community members with a limited edition NFT. Hundreds jumped at the chance — but for those who followed the links and connected their crypto wallets, a costly surprise was waiting. Rather than receiving an NFT, wallets were being drained of the Solana cryptocurrency, which both projects used for purchases.
In the space of an hour, a Twitter post, first from Monkey Kingdom and then from Fractal, informed followers that their Discord servers had been hacked; news of the NFT mints was bogus, the links a phishing fraud. In the case of Fractal, the scammers got away with about $150,000 worth of cryptocurrency. For Monkey Kingdom, the estimated total was reported to be $1.3 million.
Neither attack targeted the blockchain or the tokens themselves. Instead, the thieves exploited weaknesses in the infrastructure used to sell the tokens — specifically, the Discord chatrooms where NFT fans gather. It’s a reminder of a persistent weakness in the growing NFT economy, where surprise drops have primed buyers to move fast or risk missing out. But the same techniques that hype up a sale can also open the door to hackers — and in this case, a single compromise can end up spreading to more than one community at once.
In this case, the NFT thieves had targeted a feature known as a webhook. Webhooks are used by many web applications (Discord included) to listen for a message sent to a particular URL and trigger an event in response, like posting content to a certain channel. You can think of a webhook like a secret phone number, a unique identifier that can be “called” (or, in a closer approximation, “texted”) to connect to an application on the other end.
By gaining access to webhooks belonging to the Fractal and Monkey Kingdom Discord servers, the hackers were able to send messages that were broadcast to all members of certain channels: a feature meant to be used only for official communications from the project teams. This was where the fake “announcement” had come from and why it had pointed to a scam address. In hindsight, the content should have raised some red flags — but given the distribution method, it looked just legitimate enough that many were fooled.
Discord webhooks are used to automate messages based on activities in other applications: for example, the official documentation describes making a bot that notifies a channel of new GitHub commits. But it’s easy to lose track of those bots amid the various third-party service integrations, and crucially, there’s no way to switch off all of them at once if you’ve been hacked. The result is a major opportunity for attackers and a liability for any Discord community that isn’t paying attention to its integrations.
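The gap described above, that a server's webhooks are easy to lose track of and cannot be switched off in one step, is the kind of thing a moderator can close with a small audit script. The following is an added example, not code from the article, from Discord, or from any of the projects mentioned: it takes a guild's webhook listing in the JSON shape Discord's public API returns for `GET /guilds/{guild.id}/webhooks`, flags every webhook that is not on a team-maintained allowlist (with higher severity when the hook can post into an announcements-style channel), and offers a bulk revoke that issues one `DELETE /webhooks/{webhook.id}` per flagged hook. The sample records, the allowlist, the guild id and the bot token are constructed placeholders.

```python
"""Audit the webhooks registered on a Discord server and revoke the ones
nobody on the team can vouch for.

Added example, not code from the article, Discord or Grape Network. The
record shape follows Discord's public API docs for GET /guilds/{id}/webhooks
and DELETE /webhooks/{id} (both need the MANAGE_WEBHOOKS permission). The
sample listing, allowlist, guild id and token below are constructed.
"""
import json
import urllib.request

API_BASE = "https://discord.com/api/v10"

# Constructed sample listing. The third entry mimics the pattern the article
# describes: a hook in the announcements channel created by an account that
# is not part of the project team.
SAMPLE_WEBHOOKS_JSON = json.dumps([
    {"id": "1001", "type": 1, "name": "GitHub commits",
     "channel_id": "5001", "user": {"id": "9001", "username": "dev-alice"}},
    {"id": "1002", "type": 1, "name": "Release notes",
     "channel_id": "5002", "user": {"id": "9001", "username": "dev-alice"}},
    {"id": "1003", "type": 1, "name": "Announcements",
     "channel_id": "5002", "user": {"id": "9777", "username": "unknown-acct"}},
])

# Hypothetical allowlist the team maintains out of band: every webhook it
# knows about, keyed by (webhook id, channel id, creator user id).
KNOWN_WEBHOOKS = {
    ("1001", "5001", "9001"),
    ("1002", "5002", "9001"),
}
# Channels where an unexpected hook is treated as high severity (constructed).
SENSITIVE_CHANNELS = {"5002"}


def find_unexpected(webhooks, known, sensitive_channels):
    """Return every webhook not on the allowlist, tagged with a severity."""
    findings = []
    for hook in webhooks:
        creator = (hook.get("user") or {}).get("id", "")
        if (hook["id"], hook["channel_id"], creator) in known:
            continue
        severity = "high" if hook["channel_id"] in sensitive_channels else "medium"
        findings.append({"id": hook["id"], "name": hook["name"],
                         "channel_id": hook["channel_id"],
                         "creator": creator, "severity": severity})
    return findings


def audit(webhooks_json, known=KNOWN_WEBHOOKS, sensitive=SENSITIVE_CHANNELS):
    """Parse a guild webhook listing and report the hooks that need review."""
    return find_unexpected(json.loads(webhooks_json), known, sensitive)


def fetch_guild_webhooks(guild_id, bot_token):
    """Live listing from Discord's API; never called in this offline example."""
    req = urllib.request.Request(f"{API_BASE}/guilds/{guild_id}/webhooks",
                                 headers={"Authorization": f"Bot {bot_token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def revoke(webhook_ids, bot_token, opener=urllib.request.urlopen):
    """Delete each webhook by id, one DELETE per hook. Returns (ok, failed).
    `opener` is injectable so the logic can be exercised without network."""
    ok, failed = [], []
    for wid in webhook_ids:
        req = urllib.request.Request(f"{API_BASE}/webhooks/{wid}", method="DELETE",
                                     headers={"Authorization": f"Bot {bot_token}"})
        try:
            resp = opener(req)
            status = getattr(resp, "status", None)
            if hasattr(resp, "close"):
                resp.close()
            (ok if status in (200, 204) else failed).append(wid)
        except Exception:
            failed.append(wid)
    return ok, failed


if __name__ == "__main__":
    # Offline run over the constructed sample; the live path would be
    # audit(fetch_guild_webhooks("<guild-id>", "<bot-token>")).
    for finding in audit(SAMPLE_WEBHOOKS_JSON):
        print(json.dumps(finding))
```

Run on a schedule, the audit turns an unknown webhook into an alert within minutes rather than at the moment a fake announcement lands; keeping the allowlist keyed on creator as well as channel is what catches a hook created through a compromised integration account, since its name and channel can look entirely ordinary.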
A Discord spokesperson said the company cautioned people to be careful when giving others access to their devices and personal information and pointed to guidance made available through its Moderator Academy resource center.
“Discord takes the safety of all users and communities very seriously, including social engineering attacks like these,” said Peter Day, senior manager of corporate communications at Discord. “While there are clear controls in place, we are always working to make it harder for these attacks to happen and will continue to invest in education and tools to help protect our users.”
The origin of the hack appears to have been a service called Grape Network, which provides community management tools to Fractal, Monkey Kingdom, and hundreds of other crypto projects that used Discord. Roughly a week before the cryptocurrency theft, an employee of Grape Network going by the screen name Arximedis had been caught by a separate scam on another Discord server entirely, this one belonging to Solana.
By first manipulating a Solana moderator, then Arximedis himself, through a phishing attack that involves getting the target banned, the hackers had managed to obtain an account access token that let them perform actions on behalf of the Grape administrator. It was enough to let them create an avenue to send messages to the Fractal and Monkey Kingdom Discord channels. With the groundwork in place, the hackers kept quiet and waited for a time to strike.
Grape Network founder Dean Pappas confirmed to The Verge that his colleague had been the target of the initial hack and that this first hack had been exploited to create the webhooks that were used in the second. “This is one of those things that really hurts you, both in terms of pride and professionalism,” Pappas said. “It’s a very difficult situation.”
In a statement sent via Twitter, the head of the Monkey Kingdom project (who asked to be referred to by the pseudonym “Monkey King”) said that additional security measures had now been put in place to avoid future attacks and ensure the safety of users. The Monkey King also pointed to the money raised by the project to refund victims of the scam.
NFT projects are particularly vulnerable to this kind of attack because they move so quickly. Hyped projects often sell out within hours — or sometimes minutes — so early adopters are conditioned to act fast. And Discord, now the go-to platform for NFT communities, is where the early intel on presales and airdrops is released first. That means community members are primed to jump on any announcements that give them an edge, which, in turn, lets scammers leverage fake messages to devastating effect.
In the most heated drops, making a successful transaction can be difficult even for the early movers. A Chainalysis examination of one popular project showed that more than 26,000 unsuccessful mint transactions occurred within the first hour after launch, each of which used up nonrefundable transaction fees. All told, more than $4 million was spent on gas fees for unsuccessful transactions.
There’s no indication yet that the NFT craze will slow in 2022, which means there’ll be no shortage of new projects looking to scale by using off-the-shelf solutions to build their infrastructure. There are signs that Discord, the beating social pulse of the NFT community, is also a goldmine for unscrupulous individuals looking to separate marks from their hard-earned coins — but perhaps as techniques of moderation and server administration in the community improve, more rigorous management of problem areas (like webhooks and third-party plugins) will reduce risk.
The good news is that, for the two projects affected by this particular hack, there may be sunnier days ahead. Fractal, the game asset marketplace, went live on the penultimate day of 2021. And having reimbursed money that was lost by members, Monkey Kingdom is relaunching the NFT line that was interrupted by the hack. The community is loyal, the Monkey King told us, and fans are once again ready to pick up a deal.