Hi Everyone,
The team has spent the morning investigating what had happened to our server engineer. It's an unfortunate thing to have happened to one of our team members, and even more unfortunate that our community members have been affected by this scam/hack.
We want to raise awareness and be transparent on how this occurred - hopefully this will save other project admins from falling for the same scam.
A really good breakdown by Serpent was posted on Twitter - (https://twitter.com/SerpentAU/status/1485002643370037254), thank you Serpent for bringing awareness to this hack.
Unfortunately our server engineer fell victim to this unsuspecting scam as well.
A brief breakdown:
- He was invited into a large NFT's Discord server (suspected to be fake, with fake members). Their Discord was active and had 40,000 or so members with genuine conversations.
- He was then approached by their "server owner" to discuss a potential collab and provide feedback.
- He then gave our server engineer their website that was also posted on their Discord's official links.
- Our server engineer clicked on the link which doesn't work and doesn’t load a as a regular website.
- The "server owner" would then proceed to say that the website is not yet live. Instructing our engineer that he should bookmark it and he would let us know when it operating.
- The bookmarking enables a JavaScript code execution which reads our engineer’s discord localstorage - where his TokenID is located and then sends his token to their webhook.
- By obtaining our server engineer's discord token, it allowed the hackers to log into his account without needing a password and fully bypassed his 2FA. The only way to change the discord token is to change your password.
The hack lasted for around 7 minutes before we were able to regain full control of the server. Around 31 ETH has been stolen from the victims.
** We will be compensating these people once we complete our investigations.
** The money that will be used to compensate the victims will NOT come from the community vault and will come out of our personal funds.
We have taken the following actions so far:
- The team has all reset their passwords to their discords and emails.
- The engineer who has been compromised has been removed from the server.
- ALL bots have been removed, we will slowly add them back in once we finish reviewing all permissions.
- We have gotten our developers to investigate the code in the fake website for any malicious coding that could affect our holders in the long term.
- Confirmation the scam site has been suspended effective now (01 February 2022 15:02 NZT
Regarding the scam website, our dev team has confirmed the following:
- The mint function on the website only sent ethereum, it did not compromise the wallets in such a way that they can further drain funds or transfer NFTs.
- The mint function on the website pretended to be a function call to a smart contract, calling the function buyTokens, however, this is only a cosmetic attempt to fool Metamask, so that your Metamask will make it look like a mint function, when in reality all it does is send eth to a non-contract address.
- HOWEVER, to be safe, if you were affected by the scam or visited the website, we still recommend you to transfer your funds and NFTs to a new safe address.
We would like to remind everyone to be careful on clicking ANY links and that the team will NEVER DM you first.
Take care everyone!
