On Tuesday morning, buyers intending to get a limited-edition NFT from Fractal, a new marketplace for gaming item NFTs, were given an unpleasant and costly surprise when it was found that a link issued through the project’s official Discord channel was a crypto-stealing scam.
Instead of receiving an NFT, users who clicked the link and connected their crypto wallets discovered that their Solana (SOL) cryptocurrency holdings had been emptied and transferred to the scammer’s account. Tim Cotten, the founder of another NFT gaming project, put the value of the SOL stolen at roughly $150,000 in a Medium article.
Fractal is Twitch co-founder Justin Kan’s firm, and it specialises in the buying and selling of NFTs that represent in-game assets. It was unveiled earlier this month and soon grew to over 100,000 users on Discord, making it a target for the same scammers that have plagued NFT ventures since the beginning.
When Kan tweeted that the announcements bot on Fractal’s Discord server had been hijacked, word spread quickly on Twitter. A second tweet from the official Fractal Twitter account stated that the channel had been used to spread a fake link.
The hack took advantage of customers seeking to mint NFTs, that is, to buy tokens at the moment a project first creates them rather than later on the secondary market.
Though the Discord bot’s post was a hoax, Fractal’s actual Twitter account had only hours before hinted at an imminent airdrop: a process in which a crypto project distributes a number of tokens, usually to early adopters. Because demand for token mints and airdrops is so strong, users feel pressure to act quickly when snap announcements are made, and that pressure is an attack vector scammers are all too glad to exploit.
While the cryptography used to secure cryptocurrencies and NFTs is extremely strong, the large network of websites and applications that make up the broader crypto ecosystem contains numerous attack vectors.
According to a tweet from the official Fractal account, the fake message was sent to Discord using a webhook. Webhooks are a web-application design element in which an application listens for a message sent to a particular URL and responds with an action, such as publishing to a specific Discord channel.
If a webhook isn’t protected with additional authentication, anyone who holds the URL can effectively post to the channel. It’s unclear whether the team behind Fractal took any steps to prevent this from happening.
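To illustrate what "additional authentication" on a webhook can look like, here is an added example (not Fractal's or Discord's code) of a receiver that only forwards a post when the request carries a fresh, valid HMAC over its body; the shared secret and the two header names are assumptions constructed for this example.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed shared secret for this example. It is the second factor:
# knowing the webhook URL alone is no longer enough to post.
SECRET = b"constructed-example-secret-do-not-reuse"
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is more than 5 min off

def sign(body: bytes, timestamp: int, secret: bytes = SECRET) -> str:
    """Sender side: HMAC-SHA256 over "<timestamp>.<body>", so the tag binds
    both the message content and the time it was issued."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify(body: bytes, timestamp: int, signature: str,
           now: Optional[int] = None, secret: bytes = SECRET) -> bool:
    """Receiver side: reject stale timestamps (so a captured request cannot
    be replayed later), then compare the recomputed tag in constant time."""
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign(body, timestamp, secret), signature)

def handle_announcement(body: bytes, headers: Dict[str, str],
                        now: Optional[int] = None) -> Tuple[int, str]:
    """Gate an incoming webhook post: only a correctly signed, fresh request
    is forwarded to the channel. Header names are hypothetical."""
    try:
        ts = int(headers.get("X-Webhook-Timestamp", ""))
    except ValueError:
        return 401, "missing or malformed timestamp"
    if not verify(body, ts, headers.get("X-Webhook-Signature", ""), now=now):
        return 401, "bad signature or stale request"
    return 200, "posted: " + body.decode("utf-8", "replace")

if __name__ == "__main__":
    ts = int(time.time())
    body = b'{"content": "Scheduled maintenance at 18:00 UTC"}'
    signed = {"X-Webhook-Timestamp": str(ts),
              "X-Webhook-Signature": sign(body, ts)}
    print(handle_announcement(body, signed))  # accepted: (200, 'posted: ...')
    print(handle_announcement(body, {}))      # URL alone is rejected: (401, ...)
```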
Fractal declared in a blog post following the attack that victims who had lost money would be fully compensated. While briefly apologising, the blog post also sought to shift some of the responsibility for security onto the project’s supporters, saying:
“If something in crypto doesn’t feel right, don’t proceed, even if it appears to be legal at first. Because there is no ‘undo button’ in cryptography, we must apply our best judgement.”
At the time of publication, Fractal had not responded to a request for comment sent through the company’s official contact form.