Several Discord servers, including that of the Bored Ape Yacht Club, have been compromised. Hackers appear to have exploited a recent Ticket Tool Discord bot update to post phishing links across multiple servers.
NFTs Lost Through Discord Hack
A Discord-related security breach has resulted in high-value NFTs being stolen.
The Discord servers of the Bored Ape Yacht Club, Doodles, and several other prominent NFT collections were compromised early Friday morning, leaving the NFT community reeling.
A message appeared in the Bored Ape server at 6:19 UTC informing users of a new “Mutant Ape Kennel Club” collection and posting a fake minting link. Unsuspecting users who clicked the link signed transactions that gave the hacker the right to transfer their NFTs from their wallets. Despite the unfortunate timing, this wasn’t an April Fools’ joke—the hacker had managed to find an exploit in a popular Discord bot to infiltrate servers and post links in restricted channels without the server admin’s permission.
The hacker’s fake Discord post. Source: @cubedmeta
The hacker also posted a similar message in the Doodles Discord server, informing users of a new “genesis mint” with a limited supply. As with the link posted in the Bored Ape Discord, those who clicked on it and tried to mint would have the NFTs in their wallets transferred out by the hacker.
The official Bored Ape Yacht Club Twitter account quickly informed followers of the attack. “A webhook in our Discord was briefly compromised. We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc,” the post read.
NFT enthusiast and DAPE co-founder SerpentAU initially posted on Twitter that the servers had been compromised because the owner of the widely used Discord Captcha Bot had been hacked, citing “inside information” received from one of the hackers. However, they later confirmed that an exploit in a different Discord bot, Ticket Tool, allowed hackers to infiltrate servers. In response to SerpentAU’s post, the official Ticket Tool Twitter account stated that the update that caused the exploit had since been reverted.
According to the blockchain security firm PeckShield, at least one Bored Ape, one Mutant Ape, and two Doodles NFTs were stolen by the hacker. Transaction data shows that the hacker has since sold or transferred all four NFTs.
Today’s incident is not the first time collectors have lost NFTs and cryptocurrency due to compromised Discord servers. In February, members of the Doodles Discord server fell victim to phishing links when a server bot was hacked, resulting in several members losing their Doodles NFTs.
However, thefts of high-value non-fungibles have not been limited to Discord. Also in February, a phishing email scam sent to OpenSea users resulted in over $3 million worth of NFTs being stolen from collections such as Bored Ape Yacht Club, Doodles, and Azuki.
As NFTs surge in value, their owners will likely continue to be targeted by scams. Those operating Discord servers will need to take extra precautions to protect their communities from further attacks.