A recently launched NFT project called “Rare Bears” has fallen victim to a sophisticated phishing attack, resulting in the theft of nearly $800,000 worth of digital assets after a hacker infiltrated the project’s Discord server.
The Scale of the Theft
Blockchain security firm Rezzonnaire Technology analyzed the attack and found that the hacker successfully stole 179 NFTs in total. The stolen collection included Rare Bears NFTs as well as assets from several other high-profile collections, including CloneX, Azuki, a “mfer” piece from artist Sartoshi, and six LAND tokens from The Sandbox metaverse. After selling the majority of the stolen NFTs, the attacker walked away with 286 Ether (ETH), valued at over $795,500. Most of these funds were quickly funneled through Tornado Cash, a cryptocurrency mixer designed to obscure the origin of transactions.
How the Attack Unfolded
According to a post-incident update from the Rare Bears team, the attacker first compromised the Discord account of a project moderator named Zhodan. The hacker used this account to post a phishing link intended to empty victims’ cryptocurrency wallets, along with a false notice saying that a new NFT mint was underway.
The attack was carefully planned to maximise its impact and restrict the team’s ability to react. After posting the malicious link, the attacker used the compromised account to ban other server members and remove their roles, making it impossible for them to remove the post or alert others. The hacker then used a bot to lock all server channels, preventing any public conversation that might have warned users about the scam.
The Aftermath and Security Response
Eventually, the Rare Bears team managed to take back control of the server, deleting the hacked account and assigning ownership to a new one. Since then, the team has deemed the server secure and engaged Pandez, a security consultant and auditor, to perform a thorough security audit of its Discord infrastructure.
How to Spot a Discord Phishing Scam
Speaking with Cointelegraph, Rezzonnaire Technology offered several warning signs that users should watch out for:
- Stealth mints: Legitimate, serious NFT projects almost never announce surprise mints without prior notice. Any such announcement should be treated with suspicion.
- Locked channels during a drop: If a server’s channels are suddenly locked during a new NFT release, this is a major red flag.
- Mismatched links: Make sure that any shared links are consistent with official sources, including the project’s Twitter account. Do not click if the links are different.
- Repetitive posting: A phishing link that is frequently reposted in a channel is a clear sign that a scam is underway.
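For moderators who want to automate these checks, the four warning signs can be expressed as detection logic over a window of server events. The sketch below is an added example, not code from Rezzonnaire Technology or the Rare Bears team; the event format, the `rarebears.example` domain and the function names are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Assumption: domains the project publishes as official (placeholder value).
OFFICIAL_DOMAINS = {"rarebears.example"}
URL_RE = re.compile(r"https?://[^\s<>\[\]\"']+", re.I)
MINT_RE = re.compile(r"\bmint(ing|s)?\b", re.I)


def is_official(url):
    """Exact domain or true subdomain only, so look-alike hosts fail."""
    host = (urlparse(url).hostname or "").rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def warning_signs(events, mint_pre_announced=False, repeat_threshold=3):
    """Return the sorted warning signs seen in one window of server events."""
    signs, link_counts = set(), Counter()
    mint_seen = locked = False
    for ev in events:
        if ev["type"] == "channel_locked":
            locked = True
        elif ev["type"] == "message":
            mint_seen = mint_seen or bool(MINT_RE.search(ev["text"]))
            for url in URL_RE.findall(ev["text"]):
                url = url.rstrip(".,!?)")  # drop trailing sentence punctuation
                link_counts[url.lower()] += 1
                if not is_official(url):
                    signs.add("mismatched_link")
    if mint_seen and not mint_pre_announced:
        signs.add("stealth_mint")
    if mint_seen and locked:
        signs.add("locked_channels_during_drop")
    if any(n >= repeat_threshold for n in link_counts.values()):
        signs.add("repetitive_posting")
    return sorted(signs)


# Constructed sample events, not taken from the incident.
LURE = "Surprise mint is live! https://rarebears.example.mint-now.test/claim"
SUSPICIOUS = [{"type": "message", "text": LURE}] * 3 + [
    {"type": "channel_locked", "channel": "general"}]
BENIGN = [{"type": "message",
           "text": "Mint details: https://www.rarebears.example/mint."}]

if __name__ == "__main__":
    print(warning_signs(SUSPICIOUS))
    print(warning_signs(BENIGN, mint_pre_announced=True))
```

The domain check compares the whole hostname, so a look-alike host that merely starts with the official name is still reported as a mismatched link.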
A Growing Pattern of Discord Attacks
The Rare Bears incident is far from an isolated case. In December, Solana-based NFT project Monkey Kingdom suffered a $1.3 million loss after hackers breached its Discord server and posted a wallet-draining phishing link. Before that, in November, the Discord community of renowned NFT artist Beeple was also targeted, with attackers gaining access to a moderator’s account and using it to post a similar phishing link that siphoned funds from unsuspecting users.
The series of attacks reveals a growing vulnerability within NFT communities that rely mainly on Discord for communication, and stronger security measures are urgently needed, especially around administrator and moderator accounts.
