An NFT gaming project has been hacked, with $150K worth of crypto stolen. Buyers hoping to get a limited-edition NFT from Fractal, a new marketplace for game item NFTs, were given an unpleasant and costly surprise.
This happened on Tuesday morning when it was revealed that a link sent through the project’s official Discord channel was a scam set up to steal crypto.
Users who followed the link and connected their crypto wallets, expecting to receive an NFT, instead found that their holdings of Solana (SOL) cryptocurrency were emptied and transferred to the scammer’s account.
NFT Gaming Project Hacked, $150K Worth of Crypto Stolen
According to The Verge, an analysis posted on Medium by Tim Cotten, founder of another NFT gaming project, estimated the value of SOL stolen to be about $150,000.
Fractal is a startup project from Twitch co-founder Justin Kan that specializes in the buying and selling of NFTs representing in-game assets.
It was announced in December and quickly accumulated more than 100,000 users through Discord, making it a target for the kind of scammers that have plagued NFT projects since the beginning.
News reached Twitter when a tweet from Kan informed followers that the announcements bot on Fractal’s Discord server had been hacked. Another tweet from the Twitter account confirmed that a fraudulent link had been posted through the channel.
The Attack Took Advantage of Users Hoping to Mint NFTs
The attack took advantage of users hoping to mint NFTs, the term given to obtaining tokens at the moment when they are first created by a given project, rather than buying them on the secondary market at a later date.
Although the post from the Discord bot was fake, Fractal’s official Twitter account had reportedly posted a tweet just hours earlier hinting at an upcoming airdrop: a process where a crypto project distributes a number of tokens, usually to users who are early adopters.
Since demand for token mints and airdrops is sometimes very high, the pressure for users to move fast when snap announcements are made creates an attack vector that these scammers are all too happy to exploit.
Cryptography Behind Cryptocurrencies and NFTs Is Highly Secure
Though the cryptography behind cryptocurrencies and NFTs is said to be highly secure, the vast network of websites and applications that make up the broader crypto ecosystem contains many possible vectors for attack.
A tweet from the official Fractal account hinted that the fraudulent message had been posted to Discord through a webhook.
Webhooks are a feature of web application design that allows an application to listen for a message sent to a particular URL and trigger an event in reaction, for example, posting to a certain Discord channel.
If the webhook is not secured with additional verification measures, effectively anyone with the URL is able to post to the channel. It is not clear what precautions, if any, were taken by the team behind Fractal to prevent this from happening.
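One form the "additional verification" mentioned above can take, shown as an added example (not from the original article, and not Fractal's or Discord's code): a relay in front of the announcement channel that accepts a message only if it carries a fresh timestamp, a valid HMAC made with a shared secret, and links only to allow-listed hosts. The function names, the 300-second window, and the `example.com` allow-list are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import urlsplit

MAX_SKEW_SECONDS = 300                  # assumed replay window
ALLOWED_LINK_HOSTS = {"example.com"}    # assumed allow-list of the project's own domains

def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Signature the legitimate sender attaches: HMAC-SHA256 over 'timestamp.body'."""
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()

def links_allowed(text: str) -> bool:
    """Every URL in the announcement must point at an allow-listed host."""
    for url in re.findall(r"https?://\S+", text):
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:              # malformed URL: treat as not allowed
            return False
        if host not in ALLOWED_LINK_HOSTS:
            return False
    return True

def accept_announcement(secret, timestamp, signature, body, now=None):
    """Return (accepted, reason). Knowing the endpoint URL alone is not enough."""
    now = time.time() if now is None else now
    try:
        sent_at = int(timestamp)
    except (TypeError, ValueError):
        return False, "bad timestamp"
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False, "stale or future timestamp"
    expected = sign(secret, timestamp, body)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected.encode(), (signature or "").encode()):
        return False, "bad signature"
    if not links_allowed(body.decode("utf-8", errors="replace")):
        return False, "link to non-allow-listed host"
    return True, "ok"
```

The link check is a second layer: it still rejects a lookalike host if the signing secret itself is ever exposed.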
Victims to be Compensated
Following the hack, a blog post from Fractal announced that victims who had lost money should be fully compensated. While apologizing briefly, the blog post also appeared to put some of the onus for security onto followers of the project, saying:
“If something does not seem right in crypto, please don’t continue, even if at first it looks legitimate. We must use our best judgment as there’s no ‘undo button’ in crypto.”
Fractal had yet to respond to a request for comment sent through the company’s official contact form at press time.