Early Friday morning, the Discords of multiple major NFT projects were hacked as part of a phishing scam to trick users into handing over their digital jpegs.
Bored Ape Yacht Club, Nyoki, and Shamanz confirmed Discord hacks in tweets. According to screenshots shared by independent blockchain investigator Zachxbt, the Discords of NFT projects Doodles and Kaiju Kingz were also targeted. Doodles and Kaiju Kingz confirmed in their Discords that they were also hacked.
“Oh no, our dogs are mutating,” read one of the phishing posts, viewed by Motherboard, that a compromised bot posted in the BAYC Discord. “MAKC can be staked for our $APE token. Holders of MAYC + BAYC will be able to claim exclusive rewards just by simply minting and holding our mutant dogs.”
The goal of the hack was to trick users into clicking a link to “mint” a fake NFT by sending ETH and, in some instances, an NFT to wrap into a token.
“STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised,” the official BAYC Twitter account said early Friday morning. “We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc. Other Discords are also being attacked right now.”
The Twitter account for Nyoki sent out a similar warning. “Along with blue-chip projects like BAYC, and Doodles, our server was also compromised today due to a recent large-scale hack,” the tweet said. “We have taken everything under control in less than 30 minutes.”
Two wallet addresses have been tied to the hacks, now labeled Fake_Phishing5519 and Fake_Phishing5520 on blockchain explorer Etherscan. At least one Mutant Ape Yacht Club NFT (a BAYC spinoff by developer Yuga Labs) was stolen and quickly sold by the 5519 wallet, which sent 19.85 ETH to the 5520 wallet. This second wallet sent 61 ETH ($211,000) to mixing service Tornado Cash early Friday morning. The latest transaction of that wallet is a transfer of .6 ETH to a previously inactive wallet that then sent the same sum to an incredibly active wallet currently sitting on 1,447 ETH ($5 million), 6 million Tether coins ($6 million), and an assortment of other tokens.
This is not the first attack targeting crypto assets on Discord, which is a central hub for the vast majority of projects despite being a gaming-focused platform, nor will it be the last. Crypto projects already have to contend with exploits that take advantage of smart contract bugs, but the fact that an inordinate number of them also live on Discord exposes them to scams that exploit the platform itself.
We’ve already seen numerous high-profile accounts fall victim to schemes that hijacked bots responsible for channel-wide announcements and promoted sites to steal ETH, NFTs, or wallets. None of this is likely to stop anytime soon given how central Discord is to various communities and their ability to instantly share updates, collaborate on projects, or share ideas.
Discord did not immediately respond to Motherboard’s request for comment.