Illustration by Alex Castro / The Verge
When a pop-cultural icon like Ozzy Osbourne announces an NFT collection, you can count on the project getting publicity. The launch of the “CryptoBatz” collection, a series of 9,666 digital bats, received coverage in outlets like Billboard, Rolling Stone, NME, Hypebeast, and Business Insider, among others.
But just two days after the tokens were minted, supporters are being targeted by a phishing scam that drains cryptocurrency from their wallets, playing off a bad link shared by the project’s official Twitter account.
Like the majority of NFT projects, CryptoBatz uses Discord as a place to organize its community. The official CryptoBatz Discord is now accessed through the short link discord.gg/cryptobatz. But previously, the project used a slightly different vanity URL at discord.gg/cryptobatznft.
When the project switched to the new URL, scammers set up a fake Discord server at the old one. But neither CryptoBatz nor Ozzy Osbourne took the precaution of deleting tweets referencing the previous URL, meaning that old tweets from Osbourne himself were left directing followers to a server now controlled by scammers.
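The failure described here is a dangling link: the project rotated its vanity invite but never inventoried the places the old one had been published. The following script is an added example, not code from the article or from the CryptoBatz team, showing how a project could audit its own published posts for invite links that no longer point at the current server. The two invite slugs are the ones named in the article; the posts are constructed sample data, and the assumption is that a project can export the text of its tweets, website copy and pinned messages for scanning.

```python
import re

# Invite slugs named in the article: the server the project moved to, and the
# one it abandoned (which was then registered by scammers).
CURRENT_INVITES = {"cryptobatz"}
RETIRED_INVITES = {"cryptobatznft"}

# Constructed sample posts standing in for an export of the project's tweets
# and website copy. These are not real tweets.
POSTS = [
    {"id": "post-1", "date": "2021-12-31",
     "text": "Join the bat cave: https://discord.gg/cryptobatznft"},
    {"id": "post-2", "date": "2022-01-19",
     "text": "New official server: discord.gg/cryptobatz"},
    {"id": "post-3", "date": "2022-01-10",
     "text": "Details at discord.com/invite/cryptobatznft and discord.gg/cryptobatz"},
    {"id": "post-4", "date": "2022-01-05",
     "text": "No links here, just hype"},
    {"id": "post-5", "date": "2022-01-06",
     "text": "Mint info at https://discord.gg/AbC123xyz"},
]

# Matches the common forms of a Discord invite URL and captures the slug.
# Invite codes are treated as case-sensitive, so no normalisation is applied.
INVITE_RE = re.compile(
    r"(?:https?://)?(?:www\.)?"
    r"(?:discord\.gg|discord\.com/invite|discordapp\.com/invite)"
    r"/([A-Za-z0-9-]+)"
)


def extract_invites(text):
    """Return every Discord invite slug found in a block of text."""
    return [m.group(1) for m in INVITE_RE.finditer(text)]


def classify(slug, current=CURRENT_INVITES, retired=RETIRED_INVITES):
    """Label a slug as the live invite, a known-retired one, or unrecognised.

    A retired slug is the dangerous case from the article: anyone can register
    it after the project lets it go. An unknown slug may be a one-off invite
    or a typo and deserves a manual look either way.
    """
    if slug in current:
        return "current"
    if slug in retired:
        return "retired"
    return "unknown"


def audit_posts(posts, current=CURRENT_INVITES, retired=RETIRED_INVITES):
    """List every published invite link that does not point at the live server."""
    findings = []
    for post in posts:
        for slug in extract_invites(post["text"]):
            status = classify(slug, current, retired)
            if status != "current":
                findings.append({
                    "post_id": post["id"],
                    "date": post["date"],
                    "invite": slug,
                    "status": status,
                })
    return findings


if __name__ == "__main__":
    for finding in audit_posts(POSTS):
        print(f"{finding['date']} {finding['post_id']}: "
              f"discord.gg/{finding['invite']} is {finding['status']}")
```

Run against the sample posts, the audit flags the two posts still carrying the retired `cryptobatznft` slug and the one with an unrecognised code, which is the list a project would need to delete or edit before (not after) releasing the old vanity URL.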
One tweet from CryptoBatz, posted on December 31st, 2021, received more than 4,000 retweets and hundreds of replies. The tweet was only removed on January 21st after CryptoBatz was contacted by The Verge.
On clicking the scam link, the invite panel for the fake Discord showed the total number of members as 1,330, an indication of the number of people who could potentially have been fooled by the scam.
Inside the server, a bot spoofing community management service Collab Land asked users to verify their crypto assets to participate in the server — but directed users to a phishing site where they were prompted to connect their cryptocurrency wallets.
A representative of Collab Land declined to comment.
Tim Silman, a nonprofit employee, is one person who lost money through the scam. Silman estimates that around $300–400 in ETH was drained from his wallet after he visited the fake Discord server through a link posted on the CryptoBatz website.
“I’ve seen at least a dozen people on Twitter voicing this same issue,” Silman told The Verge. “If you look at the transactions on Etherscan, others lost a lot more than me.”
An Ethereum wallet address that Silman said was linked to the scammers received a series of incoming transactions totaling 14.6 ETH ($40,895) on January 20th; the funds were then forwarded to a wallet holding more than $150,000.
The project had been slow to remove the bad links, even when informed, Silman said.
“I tagged them a few times in various tweets, as have a few other people, but no response,” he said. “This is an expensive lesson, I suppose.”
Even as the fake link remained present in a prominent tweet, the CryptoBatz project continued to hype the public token mint. As of January 21st, CryptoBatz NFTs were being resold on OpenSea for around 1.8 ETH ($5,046).
Asked whether the project should accept responsibility for leaving the old link online, Sutter Systems, developers of the CryptoBatz NFT, laid blame for the scam squarely with Discord. In an email statement to The Verge, Sutter Systems co-founder “Jepeggi” emphasized that the compromise was only possible because of the easy setup and maintenance of the scam Discord instance.
“Although we feel very sorry for the people that have fallen prey to these scams, we cannot take responsibility for the actions of scammers exploiting Discord — a platform that we have absolutely no control over,” Jepeggi said. “In our opinion this situation and hundreds of others that have taken place across other projects in the NFT space could have easily been prevented if Discord just had a better response/support/fraud team in place to help big projects like ours.”
Discord said that it was aware of the incident and in contact with the affected team.
“Our Trust & Safety team is in touch with the server owners and are investigating the incident,” said Peter Day, senior manager for corporate communications at Discord. “Our team takes action when we become aware of attacks like this one, including banning users and shutting down servers.”