Hackers compromised several Discord servers of popular NFT projects on Tuesday in an attempt to trick users into giving up cryptocurrency or buying fake NFTs.
Late on Tuesday night, the blockchain cybersecurity firm PeckShield published an alert on Twitter warning that the Discord servers of the NFT projects Memeland, PROOF/Moonbirds, RTFKT, as well as the web3 infrastructure company CyberConnect, were compromised, the latest in a string of hacks against NFT projects through their Discord servers.
CyberConnect confirmed the hack on Twitter, asking users not to click on any link on Discord, and reminding them that the project will never ask for their private keys.
Memeland also alerted users on Twitter and inside Discord, where the project posted a message saying a compromised bot posted announcements with “fake links.”
“A discord bot (mee6) seems to be compromised across various high profile servers, including Proof/Moonbirds, RTFKT, PXN, and us,” a Memeland team member wrote. “Stay vigilant all the time. Deauthorize unused/unknown apps in your settings. Do not click on any links. And as always: DON’T TRUST. VERIFY.”
Alien Frens, another NFT project, also confirmed the hack on Twitter saying: “we were hacked as with many others today, we’re not sure how they infiltrated yet.”
According to the Memeland announcement, hackers allegedly took control of the Discord bot mee6. Discord server owners can use the tool to automate welcome messages and to inform users about server rules, topics, and events, according to the bot’s official website, which claims the bot is used by more than 16 million Discord servers.
Mee6 did not respond to a request for comment sent via email and Twitter DM.
Do you have more information about this hack? Or other web3 and crypto hacks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email firstname.lastname@example.org
On Twitter, mee6 confirmed that hackers took over one of its employees’ accounts, which is how they were able to post phishing links on several Discord servers.
“Some servers have reported MEE6 being used to post unwanted messages. There is no technical breach in our systems. This was due to one of our employee's account getting compromised,” mee6 wrote in a tweet. “The issue is now fixed and we've taken all the steps to make sure it never happens again. We take security very seriously, and will always be committed not only to keep our systems safe but also add extra measures to protect servers from accounts being compromised.”
RTFKT, Alien Frens, and PROOF/Moonbirds did not respond to a request for comment sent via Twitter DM.
Bots are widely used inside Discord to automatically post announcements across channels and reach users more efficiently. That’s also what makes them great targets for hackers, because their posts are essentially treated as official messages from the admins of the Discord server.
The co-founder of blockchain security firm Zellic, who asked to be referred to only as Stephen, explained to Motherboard that compromised bots are one of the biggest risks crypto projects and their users face.
“If that bot ever got compromised, the back end that controls the bot ever got compromised, that'd be fucking nasty dude. Because then you could just post an announcement saying like, ‘Oh, blah, blah, blah, go to this link,’ and then people will believe it because it's the freaking bot. And then you'd be able to fish like a bajillion people,” Stephen said in an interview about the pitfalls of using Discord. “That would be such a credible piece of bait that I'm sure hundreds or thousands of people are gonna fall for that. [...] Those bots are a huge liability when it comes to security.”
A hacker who claimed to be involved in hacks of Discord servers—but not these particular ones—said that going after mee6 makes sense because “it’s a big bot so it’s a good way to get access to big servers.”
UPDATE, May 23, 4:00 p.m. ET: This story was updated to remove the name of the hacker, since Motherboard was not able to verify their name.