Bears that are extremely rare A phishing assault on Discord netted $800,000 in NFTs.

The account of a moderator from the non-fungible token project was compromised in the attack, posting a phishing link that drained user wallets.

Recently launched NFT project, Rare Bears, was hit with an attack, after a hacker posted a phishing link in the project’s Discord channel, stealing nearly $800,000 in NFTs.

Analysis from blockchain security firm Peckshield detailed that the attacker was able to steal 179 NFTs, including Rare Bears and other NFTs from various collections, including CloneX, Azuki, a “mfer” from artist sartoshi, and 6 LAND tokens used for The Sandbox metaverse.

According to on-chain analysis, most of the NFTs were sold, netting the hacker 286 ETH, worth over $795,500, most of which was promptly put through Tornado Cash, a crypto mixer used to obfuscate the source of funds.

A slate of similar phishing scams have occurred in recent months on Discord, suggesting some teams need to more carefully consider the security on admin accounts. Earlier today, the Rare Bears team posted that they had hired security consultant and auditor “Pandez” for a full security audit of its Discord.

How the attack happened

According to an update posted by the Rare Bears team, the hacker gained access to the account of a Rare Bears Discord moderator known as “Zhodan”, posting an announcement within the group’s channel that a new mint of NFTs was taking place.

It was a fake of course — a phishing link designed to steal funds from a users’ wallet.

🚨 Warning 🚨@BearsRare
Discord has unfortunately been compromised. Please DO NOT click any links, connect your wallet and block all incoming DMs in our discord. Our team are working on the situation as we speak 🙏🏼

— Rare Bears (@BearsRare) March 17, 2022

The update from the security audit found that the head of the project’s Discord account was compromised. The attacker, using the compromised account, then banned other members, or removed their roles from the server, thereby removing their ability to delete the posted phishing link.

The attacker then invited a bot which locked all channels on the server, removing the ability for others to publicly communicate that the posts and links were fake.

Rare Bears said the team was able to regain control of the server, removing the compromised account and transferring ownership to a new one, and that the server is secure from another attack.