A Discord bot widely used by NFT projects, most notably the very popular (and very recently breached) game Axie Infinity, was compromised leading to scam messages being passed to users. A hack of the “Mee6” bot used to moderate Discord channels led to scam messages being passed in these communities, with the hackers posing as one of the co-founders of the game in the case of the Axie Infinity incident.
Discord bot breach leads to scam attempts in multiple services
Along with Axie Infinity, the compromise of the Mee6 Discord bot led to spam messages in several other NFT services: the 9GAG-backed Memeland series, Nike-owned RTFKT and CLONEX, Phantom Network (PXN) and the Proof platform’s “Moonbirds” series. The Web3 infrastructure of CyberConnect, a social graph protocol, was also reportedly compromised via a Discord bot that began to pass malware links to users.
The Axie Infinity attack saw the hackers first post messages that appeared to be from the account of one of the game’s co-founders, and then eventually announce a fake NFT mint in an attempt to scam users. The developers have since removed both the fake messages and the compromised Discord bot, but issued social media posts warning users that they might still encounter the scam messages until they restart their Discord.
Other NFT services reported similar attempts at scams and passing of malware links using what appeared to be a compromised Discord bot. However, the developers of Mee6 say their engineers have conducted an internal investigation and see no evidence of a breach. They said that the hackers instead had managed to compromise an employee account, and that the issue has since been resolved.
Mee6 is a very popular Discord bot that automates a wide variety of functions: some basic moderation, sending of administrator messages, playing of music, and more. It is used by some 16 million Discord servers around the world. Automated Discord bots like Mee6 are a major security concern because their messages are generally trusted by the user community, who assume that the message originates from the people running the server. If a Discord bot is compromised and the attack messages are crafted well enough, there is ample reason to believe the entire Discord chat will follow them and end up being phished, downloading malware or paying into some fraudulent scam.
NFTs a hot target for scammers and hackers
Though the NFT market has cooled somewhat in recent months, attacks on it have picked up. A combination of oversights leading to breach openings and creative phishing of wallet holders have made it one of the hottest areas of cyber crime.
Using Discord bots to pass spam messages is actually relatively benign compared to some of the schemes that have surfaced since 2022 began. An attack on the Instagram account of the Bored Ape Yacht Club (BAYC) in April was somewhat similar to the Discord bot attack in that the hacker used a breach to announce a fake minting of new NFTs, but over $3 million in sought-after monkey images was stolen as the attacker convinced followers of the account to connect their crypto wallets. And though they were separate issues that did not involve the same Discord bot, BAYC’s Discord was hacked in both February and early April. One of those incidents saw the theft of a Mutant Ape Yacht Club NFT valued at about $69,000.
Popular NFT platform OpenSea was also successfully phished in February, with about $1.7 million in digital assets stolen from multiple site users. This attack exploited a previously unseen vulnerability in the smart contracts that underpin NFTs, essentially tricking OpenSea users into signing an “attack contract” that worked as a blank check with which to drain their accounts.
Hackers are not just interested in NFTs, but in the broader world of decentralized finance. These platforms are seen as being generally less secure than their more traditional crypto counterparts. Axie Infinity was an example of this, getting hit by the Discord bot scheme just as it begins to recover from a $625 million theft that took place in late March. That attack saw the hackers socially engineer their way into accounts with administrator privileges, and it is now believed that North Korea’s state-backed hackers may have been responsible for it. That attack threw a harsh light on the emerging “proof of stake” systems that are sometimes touted as a way to reduce the energy consumption of cryptocurrency.
It’s not just the vulnerabilities that emerge in underlying code or platform structures, or the ability to phish wallet holders, but a seemingly lackadaisical attitude toward cyber security that appears to be rampant in the market. Platforms do not necessarily put in the investment, effort and manpower that should be appropriate for something that handles millions of dollars in transactions.
As Roger Grimes, data-driven defense evangelist at KnowBe4, notes: “The key lesson here is that anyone in the potential attack chain of cryptocurrency or NFTs has to be secured as if they were a high-security government agency. Most are not. Most are full of staff who are playing like they know what they are doing and who are absolutely not treating their work devices and environments as the high-risk targets that they are. Cryptocurrency and NFTs are different and very attractive to attackers. If an attacker finds a vulnerability in a regular finance service or website, they still have to take a lot of steps to turn that vulnerability into stolen value. If that value is stolen, the victim(s) can recover it most of the time. Cryptocurrency and NFTs are different. When an attacker finds a vulnerability in cryptocurrency or NFTs, it almost always directly leads right to value theft and the victim almost always has no way of recovering that stolen value … They need to make sure they are running a super secure environment and devices. Their admins cannot be surfing the web, picking up email and downloading whatever they want all the time. They have to lock down all devices and software with high-security configurations, require phishing-resistant MFA to log in, run application control problems backed by a secure hypervisor chip, aggressively patch all exploitable software and aggressively educate their employees on how to recognize and prevent phishing attacks … It is not super reassuring for the spokesperson of the compromised service to say they expect future compromises and users just have to live with that possibility. On one hand, it is the reality, but it does not instill as much confidence as if the spokesperson were to say they understand the vulnerabilities that allowed this to happen, have taken steps to make sure they never happen again, and that they are changing their whole infrastructure to take security more seriously.”