A Discord bot that is often used to automate moderation and message display functions was compromised, enabling the hackers to send spam and malware messages from trusted administrative sources to chat users. The attackers targeted a variety of NFT platforms, with the biggest name being the recently breached game Axie Infinity.
$41 billion NFT market preyed on by hackers due to lax security, variety of opportunities
The NFT market is a prime target for hackers given the vast amounts of money moving around in it, paired with a “Wild West” attitude toward regulation that has made platforms and projects entirely responsible for their own security. Not all are keeping pace with the advanced threats that are targeting the millions of dollars that they hold.
It is still not entirely clear who was responsible for the Discord bot breach, with the compromised projects blaming the developers of Mee6 for faulty code and the developers blaming the compromise of an employee account with administrative privileges. Whatever the case, a variety of channels that had implemented the Discord bot saw it suddenly begin passing messages with spam and malware links to users. This is not the first time that hackers have targeted the Discord channels of NFT projects, but previous incidents (most notably two attacks on Bored Ape Yacht Club earlier in 2021) targeted weaknesses in individual channels rather than compromising an “upstream” provider to hit multiple victims at once.
Hackers have targeted NFTs, and more broadly the decentralized finance platforms that usually underpin them, due to perceived weakness in how they are structured and run. NFT projects generally do not have an appropriate level of IT security staffing, are often undisciplined about connecting personal devices and what the internal network is used for, and have an “it’s bound to happen at some point” attitude about breaches.
Downstream attacks from Discord bot promised fake NFTs, attempted to pass malicious links
Some of the NFT programs that received malicious messages from the rogue Discord bot, including projects backed by Nike and internet humor site 9GAG, were attempting to sell users fictitious “newly minted” NFTs. Others saw the hacker include malicious links to malware sites.
The messages took advantage of the inherent trust that users put in Discord bots. The bots are assumed to be run by the admins, and often include messages from the people running the servers. If the bot makes an announcement or includes a link, there may be no particular reason to be suspicious of it if it is a well-crafted scam. The Axie Infinity Discord bot attack added a layer to the scheme by pretending to be a series of announcements from one of the game’s well-known co-founders.
The developers of Axie Infinity, which was recently hit for over $600 million in an unrelated attack, told users that the Discord bot had been taken care of but that some of the spam messages might continue to appear until they restart their Discord.