A hacker, apparently 17 years old, gained control of the CreatureToadz Discord server this week and scammed members out of 88 ETH, or about $300,000. Then, during a community-led discussion for victims that he was eavesdropping on, he had a change of heart and returned all the money to the project. The team has since returned it to all the individuals affected.
Why it matters
The hack is yet another reminder to be careful with our crypto, but it also shows how quickly online communities can form and work for the greater good. Within about an hour, the CreatureToadz and broader Twitter NFT community had identified the scammer and reached out to him on Twitter.
- The scammer used a combination of late-night social engineering and knowledge of Discord's developer features, specifically webhooks.
- The CreatureToadz team said on Twitter “One of the moderators got compromised. We trusted him, he’s a moderator in many Discord servers. And, as a new community, we needed help.”
- Not all hacks rely on technical skill alone. Despite all the warnings and security systems, it is still remarkably easy to carry out an attack such as this.
- The scammer controlled the official CreatureToadz Discord channel for 45 minutes and used the webhooks feature to automate posts. Because a webhook post carries whatever display name and avatar the sender chooses, his messages appeared to come from an admin, and they promoted a fictitious "secret" minting on an external website. Victims sent their Ether to the scammer's address in 580 transactions.
- The scammer then joined a Twitter Spaces discussion hosted by NFT writer Andrew Wang and publicly admitted what he had done, but only after he was called out on it. User OKHotShot had used on-chain analytics to trace the transactions back to a specific Twitter account. The scammer also then claimed to be only 17 years old.
- After a change of heart, or perhaps after realizing he had been identified, he returned all 87.7 ETH to the project organizers, who have now returned everything to the victims plus the gas fees they incurred.
This attack was only possible because the systems and user interfaces we rely on in crypto are not nearly mature or sophisticated enough to protect us. OKHotShot said, “The Webhook exploit is too simple to do and costs less than 250 usd. It’s not going anywhere until EVERY #nft discord server changes their security settings”. According to OKHotShot, the CreatureToadz creator said during the Twitter Spaces discussion that they would not press charges. The real CreatureToadz minting has since taken place, with 8,888 NFTs sold.
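The "security settings" in question are the ones that decide who can create or drive webhooks, and which webhooks already exist in a server. The script below is an added example written for this page, not code from CreatureToadz or Discord. It audits JSON in the shape Discord returns from GET /guilds/{id}/roles and GET /guilds/{id}/webhooks, flagging roles that hold Manage Webhooks (or Administrator, which implies it) and incoming webhooks that were not created by a trusted account or whose display name imitates the team. The role names, snowflake IDs, tokens and the "trusted creator" allowlist are constructed so it runs offline; the last function only builds the message body a webhook accepts, to show why such a post looks like an admin announcement.

```python
"""Audit a Discord server for the conditions behind a webhook impersonation scam.

Added example (not CreatureToadz's or Discord's code). Input JSON follows the
shape of Discord's GET /guilds/{id}/roles and GET /guilds/{id}/webhooks
responses; ROLES_JSON and WEBHOOKS_JSON are constructed samples so the script
runs offline. IDs, names and tokens are made up.
"""
import json
import re

# Bits of Discord's permissions bitfield. ADMINISTRATOR implies every other
# permission; MANAGE_WEBHOOKS alone is enough to create and run webhooks.
ADMINISTRATOR = 1 << 3
VIEW_CHANNEL = 1 << 10
SEND_MESSAGES = 1 << 11
MANAGE_MESSAGES = 1 << 13
MANAGE_WEBHOOKS = 1 << 29

WEBHOOK_TYPE_INCOMING = 1  # anyone holding the webhook URL/token can post through it

# Constructed sample: a server where the Moderator role was handed Manage Webhooks.
ROLES_JSON = json.dumps([
    {"id": "100000000000000001", "name": "@everyone", "permissions": str(VIEW_CHANNEL | SEND_MESSAGES)},
    {"id": "100000000000000002", "name": "Team", "permissions": str(ADMINISTRATOR)},
    {"id": "100000000000000003", "name": "Moderator", "permissions": str(MANAGE_WEBHOOKS | MANAGE_MESSAGES)},
    {"id": "100000000000000004", "name": "Toadz Holder", "permissions": str(SEND_MESSAGES)},
])

# Constructed sample: one legitimate integration hook, one created by a
# moderator account and named to look like the team's announcements.
WEBHOOKS_JSON = json.dumps([
    {"id": "200000000000000001", "type": 1, "channel_id": "300000000000000001",
     "name": "GitHub Releases",
     "user": {"id": "400000000000000001", "username": "founder"},
     "token": "constructed-token-a"},
    {"id": "200000000000000002", "type": 1, "channel_id": "300000000000000002",
     "name": "CreatureToadz Announcements",
     "user": {"id": "400000000000000009", "username": "mod_helper"},
     "token": "constructed-token-b"},
])


def roles_with_webhook_power(roles_json):
    """Return the names of roles that can create or drive webhooks."""
    flagged = []
    for role in json.loads(roles_json):
        perms = int(role["permissions"])  # Discord serialises the bitfield as a string
        if perms & (ADMINISTRATOR | MANAGE_WEBHOOKS):
            flagged.append(role["name"])
    return flagged


def suspicious_webhooks(webhooks_json, trusted_creator_ids, brand_pattern):
    """Flag incoming webhooks not created by a trusted account, and any whose
    display name imitates the team. Returns (id, name, [reasons]) tuples."""
    brand = re.compile(brand_pattern, re.IGNORECASE)
    findings = []
    for hook in json.loads(webhooks_json):
        if hook["type"] != WEBHOOK_TYPE_INCOMING:
            continue
        reasons = []
        if hook["user"]["id"] not in trusted_creator_ids:
            reasons.append("created by untrusted account " + hook["user"]["username"])
        if brand.search(hook["name"]):
            reasons.append("name impersonates the team")
        if reasons:
            findings.append((hook["id"], hook["name"], reasons))
    return findings


def impersonating_payload(content):
    """Body accepted by a webhook execute call. 'username' and 'avatar_url' are
    chosen per message by whoever holds the token, which is why a webhook post
    can be dressed up as an admin announcement. Avatar URL is a placeholder."""
    return {
        "username": "CreatureToadz Team",
        "avatar_url": "https://example.invalid/team.png",
        "content": content,
    }


if __name__ == "__main__":
    print("Roles that can create/run webhooks:", roles_with_webhook_power(ROLES_JSON))
    trusted = {"400000000000000001"}  # constructed allowlist of team account IDs
    for hook_id, name, reasons in suspicious_webhooks(WEBHOOKS_JSON, trusted, r"toadz|announce"):
        print(f"webhook {hook_id} ({name!r}): " + "; ".join(reasons))
```

Two caveats for anyone running this against a real server: Manage Webhooks can also be granted through per-channel permission overwrites, which the roles endpoint does not show, so the channel overwrites need the same check; and a clean audit today does not help if a moderator account is phished tomorrow, so the fix that actually removes the exposure is taking Manage Webhooks away from moderator roles and requiring 2FA for moderation actions in the server settings.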