Despite billions in VC investment, many web3 crypto platforms are still pretty hostile places for users new to the crypto world.
Case in point: today Justin Kan's NFT platform Fractal suffered a security breach when a scammer hacked the announcement bot for the startup's Discord. The bot sent a fraudulent link to the platform's more than 100,000 users, urging them to pay up for a new NFT. The message promised access to 3,333 commemorative NFTs designed to celebrate the platform's success, but the link was a fake: a lookalike of the fractal.is URL that swapped an "i" for the "l", taking users to a minting site where their funds were taken and they received nothing in return.
Their actual Discord Bot was hacked encouraging people to mint 3333 NFTs for 1 Solana (worth $177 each).
But the link is to Fractai, not Fractal... 3294 just lost nearly $600,000 combined. pic.twitter.com/mnSaa0wOnp
— Zach Bussey (@zachbussey) December 21, 2021
All said, it looks like the scammer actually made off with about $150K. The hack took place before the startup had even launched its platform, which was scheduled to debut this week. The startup, which is backed by Kan's GOAT Capital fund, has already pledged to pay back users, tweeting that "If you lost your Sol - we will reimburse you. We will announce further updates soon."
These attacks aren't particularly unusual, incidentally; another Solana-based project, Monkey Kingdom, was hacked just hours earlier for more than $1.3 million worth of the cryptocurrency. That both attacks took place over Discord suggests the chat platform also has some work to do when it comes to authenticating users.
Update: In a Medium post Tuesday afternoon, Fractal confirmed that 373 users fell victim to the scam, but noted that they will be fully compensated by the platform in the next few days. Grape Protocol, a Solana-based tools platform, confirmed that one of its admins was hacked, an intrusion that was likely used to exploit both Fractal and Monkey Kingdom today.
We've just discovered that one of our setup admins got hacked 7 days ago
The hackers are using an exploit involving Discord webhooks
Everyone should check their webhooks immediately
We'll update as we learn more pic.twitter.com/4iGskOnwmw
— Grape Protocol (@grapeprotocol) December 21, 2021
Fractal seemed to be aware that such an attack, which has already plagued a host of other NFT-centric Discord projects, was possible, if not likely. On Friday, the team set up an "anti-scam" channel in their Discord for users to flag bad actors, with a team member noting that Fractal "will NEVER ask for you to send funds to any address, and there's NO google form to fill out," and furthermore that users should "double check spelling of any links you see."
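The "double check spelling" advice above is exactly the check a server's moderation tooling can automate: the lure domain differed from fractal.is by a single confusable character. As an added example (not code from the article, Fractal or Discord), a small Python helper that classifies a link in an announcement as trusted, lookalike or unknown against a project's official domains; the allowlist and the confusable-character table are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real bot would load the
# project's own official domains from its configuration.
TRUSTED_DOMAINS = {"fractal.is"}

# Single characters that read alike at a glance (the Fractal lure swapped an
# "i" for the "l"). Each maps to one canonical form so that "fractai" and
# "fractal" collapse to the same skeleton. Table constructed for the example.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})


def skeleton(host: str) -> str:
    """Collapse confusable characters so a lookalike matches its target."""
    return host.lower().translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domain names are short enough for O(n*m)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Pull the host out of a posted link, tolerating a missing scheme."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().removeprefix("www.")


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a link in an announcement."""
    host = host_of(url)
    for good in trusted:
        # The official domain itself or one of its subdomains is fine.
        if host == good or host.endswith("." + good):
            return "trusted"
    for good in trusted:
        # Same skeleton, or one character away, is the typosquat pattern.
        if skeleton(host) == skeleton(good) or edit_distance(host, good) <= 1:
            return "lookalike"
    return "unknown"
```

A moderation bot would hold any announcement whose links classify as "lookalike" for human review rather than posting it.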
While Fractal's team seemed to be trying to coach their users in the right direction, the broader issue is that the underlying incentive structure of the NFT market tends to discourage users from engaging skeptically. Drops sell out so quickly, and there is such a culture of seizing on any and every opportunity, that hesitation feels costly, which can be dangerous for less seasoned crypto buyers.
working on one of SOL's biggest airdrops rn
— fractal ❄️ (@fractalwagmi) December 15, 2021