We have seen a huge increase in NFT phishing hacks this year, with the two attacks on Bored Ape Yacht Club and Beeple being prominent examples. Whilst these are the high-profile cases, NFT phishing scams, particularly through compromised Discord accounts, happen almost daily. We have been logging these events and can confirm that at least 30 phishing hacks are connected. These include the BAYC Discord hack and the Beeple Twitter hack, with total profits over $1.3m.
We have seen many Discord hacks that follow a similar modus operandi, whereby a compromised account or an imitation account posts a phishing link in the announcement section of a project's Discord server. We have discovered that some of the high-profile Discord hacks are connected to the same threat actor and include Bored Ape Yacht Club, TastiesNFT, Hypno Duckz, HomelessFrens and the Beeple Twitter hack to name a few. In total, we have identified at least 30 incidents that are provably linked via the blockchain.
Let’s remind ourselves of how the BAYC attack took place. On 4th June 2022, community manager Boris Vagner’s Discord account was compromised, leading to the posting of a link to a carbon copy of the Bored Ape Yacht Club website. In total, ~179.9 ETH (equating to ~$319k) was stolen in the attack. As we reported in our initial analysis of the incident, the stolen funds were sent to EOA 0xd869 and EOA 0x3FF5, from which they were deposited into Tornado Cash.
Unfortunately, we ran into a dead end with 0x3FF5. However, upon looking at the previous transactions of 0xd869, we found some interesting links between this wallet and other phishing attacks. Let's start with the first significant transactions involving this wallet, which occurred on 7th May 2022.
As we can see, ~17 ETH is transferred into 0xd869 from three different EOAs. When we follow the funds we observe some suspicious activity. For example, EOA 0x1612 transfers nearly 12 ETH into 0xd869. When we trace the route of those funds, we come across a probable Discord phishing attack involving two addresses on 07 May 2022:
Let's quickly explore why we assess that these two EOAs have highly likely been involved in phishing attacks. When we look into the activity of suspected phishing wallets, they all follow a similar pattern: a large influx of NFTs and a quick sell-off, as well as little to no activity before the NFTs arrive. Below is a good example from one of the wallets connected to 0xd869.
We can see how suspicious this activity is. A large influx of NFTs in quick succession, followed by their rapid sale, is far from the usual behaviour of a typical trader.
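The pattern described above (dormant wallet, burst of NFT inflows from many senders, quick sell-off, proceeds forwarded to a common wallet) written out as a detection heuristic over transfer records. This is an added example, not part of the original analysis: the addresses, timestamps and the `0xaggregator` label are constructed, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real on-chain data): (time, asset, sender, receiver); asset is "nft" or "eth".
SAMPLE = [
    ("2022-05-07T03:40", "nft", "0xvictimA", "0xsink"),
    ("2022-05-07T03:42", "nft", "0xvictimB", "0xsink"),
    ("2022-05-07T03:44", "nft", "0xvictimC", "0xsink"),
    ("2022-05-07T03:45", "nft", "0xvictimD", "0xsink"),
    ("2022-05-07T03:49", "nft", "0xvictimE", "0xsink"),
    ("2022-05-07T04:30", "nft", "0xsink", "0xmarketplace"),   # quick sell-off
    ("2022-05-07T04:31", "nft", "0xsink", "0xmarketplace"),
    ("2022-05-07T04:35", "nft", "0xsink", "0xmarketplace"),
    ("2022-05-07T06:00", "eth", "0xsink", "0xaggregator"),    # proceeds forwarded
    # An ordinary collector: long history, spaced-out buys, holds.
    ("2021-01-10T12:00", "nft", "0xmarketplace", "0xcollector"),
    ("2022-05-07T03:50", "nft", "0xmarketplace", "0xcollector"),
]

def flag_sinks(transfers, aggregator, burst=5, window=timedelta(hours=1),
               sell_within=timedelta(hours=24)):
    """Return {wallet: [reasons]} for wallets showing the phishing-sink pattern."""
    by_wallet = defaultdict(list)          # wallet -> (time, asset, direction, counterparty)
    for ts, asset, src, dst in transfers:
        t = datetime.fromisoformat(ts)
        by_wallet[src].append((t, asset, "out", dst))
        by_wallet[dst].append((t, asset, "in", src))
    flagged = {}
    for wallet, events in by_wallet.items():
        events.sort()
        nft_in = [e for e in events if e[1] == "nft" and e[2] == "in"]
        # 1. Burst: `burst` NFT inflows from distinct senders inside one window.
        hit = next((nft_in[i:i + burst] for i in range(len(nft_in) - burst + 1)
                    if nft_in[i + burst - 1][0] - nft_in[i][0] <= window
                    and len({e[3] for e in nft_in[i:i + burst]}) == burst), None)
        if not hit: continue
        start, reasons = hit[0][0], [f"{burst} NFT inflows from distinct senders within {window}"]
        # 2. Dormant before the burst: no transfers at all before the first inflow.
        if all(e[0] >= start for e in events):
            reasons.append("no activity before the inflow burst")
        # 3. Quick sell-off: at least half the received NFTs leave within sell_within.
        out = [e for e in events if e[1] == "nft" and e[2] == "out" and start <= e[0] <= start + sell_within]
        if 2 * len(out) >= len(hit):
            reasons.append(f"{len(out)} NFTs moved out within {sell_within}")
        # 4. Proceeds forwarded to the known aggregation wallet (0xd869 in the post above).
        if any(e[1] == "eth" and e[2] == "out" and e[3] == aggregator for e in events):
            reasons.append(f"ETH forwarded to {aggregator}")
        if len(reasons) >= 3:
            flagged[wallet] = reasons
    return flagged
```

Only the constructed sink wallet is flagged; the collector with a long, slow history is not, even though it bought on the same day.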
We recorded that Ape Dads had their Discord server compromised on 07 May 2022. We can see that two transactions into 0xd869 occurred on 7th May 2022 from wallets showing the above pattern. Therefore, we likely have our first connection to the BAYC Discord attacker.
In addition, we can see multiple examples of probable phishing proceeds flowing into 0xd869. For example, on 11th May 2022, ~5 ETH was transferred from 0x4366, which shows the same suspicious inflow and outflow of NFTs.
With the first NFT being transferred to 0x4366 at 03:56 UTC, it is likely that this wallet is associated with the Droids Capital phishing attack, of which @CertiKAlerts notified the community at 04:15 UTC.
In total, we have seen at least 30 phishing attacks linked to 0xd869, the wallet to which the majority of the funds stolen in the Bored Ape Yacht Club phishing attack were sent. The connected suspicious activity goes back to early May and continues all the way through June.
We have also seen a direct connection between 0xd869 and the phishing attack on Beeple’s Twitter account. On 22 May 2022, Beeple’s Twitter account was compromised, leading to two phishing sites being posted from his handle. The first phishing site was linked to a malicious contract created by EOA 0xF305, and the second site was linked to EOA 0xcad7. Based on the funds deposited into Tornado Cash, $459,308 was stolen in the attack. With the BAYC phishing exploit netting ~$319k, the total profits for one threat actor are ~$778k from just two attacks.
We can see a direct link between 0xd869 (BAYC associated) and 0xcad7, which was linked to the second phishing site posted on Beeple’s Twitter. The first transaction recorded for 0xcad7 is an incoming txn from 0xd869 for a small amount of $120.85. The purpose of these funds is likely to pay gas fees when the attacker starts to transfer the stolen assets out of the wallet.
Additionally, another incoming transaction is received from 0xd896 at 11:55 UTC for a further $182.93. Again, it is likely that these funds were used to pay gas fees as stolen assets were transferred out.
We can also see a direct link between EOA 0xd896 and another wallet associated with the Beeple Twitter hack. 0xd896 transfers a small amount of ETH to EOA 0x4e90 on 22 May at 14:03 UTC. This was one of the wallets to which 0xcad7 transferred valuable NFTs before selling them for a profit. The profits from the attack are then aggregated in Fake_Phishing5744 before being deposited into Tornado Cash.
Furthermore, we can see that the phishing site associated with 0xcad7 shares its layout with the sites used in other phishing attacks, for example the HomelessFrens NFT phishing attack.
The only difference between the two phishing sites is the blurred background; everything else about the site is the same. In addition, we know that the wallet connected to the HomelessFrens phishing site, 0xAfF3…, was funded by 0xd869.
We see this layout constantly when investigating NFT Discord hacks, and we suspect that they are all linked.
In our initial analysis of the Bored Ape Yacht Club phishing attack we assessed that the stolen funds made their way to 0x5bC1, and we have found more evidence of this. When we look at the wallets that transferred funds into 0x5bC1, we find connections back to 0xd869. For example, the first transaction into 0xd896 was from 0xab1b.
On 04 May 2022, 0xab1b received three NFTs from a likely phishing attack, for the wallet to aggregate and sell.
When we look at the transaction history of 0xf472, we see that the wallet withdrew 25 ETH from Tornado Cash and sent 24 ETH to 0x6073, which then sent the funds to 0x5bC1.
In addition, funds from 0x6073 also funded the wallet responsible for the Hypno Duckz Discord hack on 1 May. Those funds ultimately made their way to 0x5bC1.
This shows another route to 0x5bC1 from the Bored Ape Yacht Club Discord hack, which further confirms that this is where the stolen funds were sent. From there, the funds were sent to an EOA with the ENS domain name ‘wealthyindividual.eth’, which deposited 883 ETH into Tornado Cash. This simplified diagram further shows the connection:
We have demonstrated how the Bored Ape Yacht Club Discord hack is related to many other NFT social engineering hacks, which we can prove with on-chain data. However, it is notable that the Bored Ape Yacht Club Discord hack followed a different modus operandi from the other connected hacks. For BAYC, the phishing site was more sophisticated and was made to look as close to the legitimate site as possible, whereas a standard template was used for the other attacks, including the Beeple Twitter hack. The question naturally arises: why was this the case?
There are three possibilities:
Also, are there other Discord hacks that are associated with this threat actor? It is almost certain that there are.
By meticulously documenting the Discord hacks connected to BAYC, we can confirm that this single threat actor is responsible for over $1.3m being stolen since May 2022. However, there are almost certainly more phishing hacks connected to this threat actor. The NFT community can protect themselves from this illicit activity by treating unexpected “free” mint announcements in Discord servers with caution. Always double check that you are clicking on a legitimate site.