Illustration by Alex Castro / The Verge
Buyers hoping to get a limited-edition NFT from Fractal, a new marketplace for game item NFTs, were given an unpleasant and costly surprise on Tuesday morning when it was revealed that a link sent through the project’s official Discord channel was a scam set up to steal crypto.
Users who followed the link and connected their crypto wallets, expecting to receive an NFT, instead found that their holdings of Solana (SOL) cryptocurrency were emptied and transferred to the scammer’s account. An analysis posted on Medium by Tim Cotten, founder of another NFT gaming project, estimated the value of SOL stolen to be around $150,000.
Fractal is a startup project from Twitch co-founder Justin Kan specializing in the buying and selling of NFTs representing in-game assets. It was announced earlier in December and quickly amassed a following of more than 100,000 users through Discord — making it a target for the kind of scammers that have plagued NFT projects since the beginning.
News reached Twitter when a tweet from Kan informed followers that the announcements bot on Fractal’s Discord server had been hacked. Another tweet from the main Fractal Twitter account confirmed that a fraudulent link had been posted through the channel.
The announcements bot on our @fractalwagmi discord was hacked. Do not go to any url and connect your wallet / mint anything.
— Justin Kan ❄️ (@justinkan) December 21, 2021
The attack took advantage of users hoping to mint NFTs, the term given to buying tokens at the moment when they are first created by a given project, rather than buying them on the secondary market at a later date.
Though the post from the Discord bot was fake, Fractal’s official Twitter account had posted a tweet just hours earlier hinting at an upcoming airdrop: a process where a crypto project distributes a number of tokens, usually to users who are early adopters. Since demand for token mints and airdrops is often very high, the pressure for users to move fast when snap announcements are made creates an attack vector that scammers are all too happy to exploit.
While the cryptography behind cryptocurrencies and NFTs is highly secure, the vast network of websites and applications that comprise the broader crypto ecosystem contains many possible vectors for attack.
A tweet from the official Fractal account suggested that the fraudulent message had been posted to Discord via a webhook. Webhooks are a feature of web application design that lets an application listen for a message sent to a particular URL and trigger an event in response — for example, posting to a certain Discord channel.
If a webhook is not secured with additional authentication measures, effectively anyone with the URL is able to post to the channel. It is not clear what, if any, precautions were taken by the team behind Fractal to prevent this from happening.
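Because a webhook URL of this kind works as a bearer secret, one practical defensive check is to scan configuration files and logs for leaked Discord webhook URLs so they can be deleted and reissued. The Python below is an added example, not code from Fractal or the article; the pattern follows the public shape of Discord webhook URLs, and the sample text, IDs and tokens are constructed.

```python
import re

# Discord webhook URLs have the shape
#   https://discord.com/api/webhooks/<numeric id>/<token>
# The token in the path is the only credential, so the whole URL is a secret.
# Assumption: tokens are at least 20 URL-safe characters.
WEBHOOK_RE = re.compile(
    r"https://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{20,})"
)

def find_webhooks(text, source="<input>"):
    """Return one finding per webhook URL, with the token masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in WEBHOOK_RE.finditer(line):
            token = m.group("token")
            findings.append({
                "source": source,
                "line": lineno,
                "webhook_id": m.group("id"),
                # Keep 4 characters so the owner can identify which hook leaked.
                "token_preview": token[:4] + "*" * (len(token) - 4),
            })
    return findings

def redact(text):
    """Replace the token in every webhook URL so logs and tickets stay safe."""
    def mask(m):
        prefix = m.group(0)[: m.start("token") - m.start()]
        return prefix + "<REDACTED>"
    return WEBHOOK_RE.sub(mask, text)

# Constructed sample: a settings file with one log line, not from the article.
SAMPLE = """\
# bot settings
ANNOUNCE_HOOK=https://discord.com/api/webhooks/123456789012345678/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789-_abcd
DOCS=https://discord.com/developers/docs/resources/webhook
deploy log: notified https://canary.discordapp.com/api/v10/webhooks/987654321098765432/zzzzYYYYxxxxWWWWvvvvUUUUtttt1234
"""

if __name__ == "__main__":
    for f in find_webhooks(SAMPLE, "sample.env"):
        print(f"{f['source']}:{f['line']} webhook {f['webhook_id']} token {f['token_preview']}")
    print(redact(SAMPLE))
```

Any URL this reports should be treated as compromised: delete the webhook in the channel's integration settings and create a new one rather than only removing the string from the file.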
In the wake of the hack, a blog post from Fractal announced that victims who had lost money would be fully compensated. While apologizing briefly, the blog post also appeared to put some of the onus for security onto followers of the project, saying:
“If something doesn’t feel right in crypto, please don’t proceed, even if at first it looks legitimate. We must use our best judgement as there’s no ‘undo button’ in crypto.”
Fractal had not responded to a request for comment sent through the company’s official contact form at time of press.