



Buyers hoping to get a limited edition NFT from Fractal, the new marketplace for gaming item NFTs, had their cryptocurrency stolen on Tuesday morning through a link sent over the project’s official Discord channel.

Users who followed the link and connected their cryptocurrency wallets in the hope of receiving an NFT instead found that their Solana (SOL) cryptocurrency holdings had been emptied and transferred to the fraudster’s account. An analysis posted on Medium by Tim Cotten, the founder of another NFT gaming project, estimates that the stolen SOL is worth about $150,000.

Fractal is a startup project by Justin Kan, co-founder of Twitch, that specializes in buying and selling NFTs that represent in-game assets. Announced in early December, it quickly attracted over 100,000 users through Discord and became a target for the kind of scammers who have plagued NFT projects from the beginning.

The news arrived on Twitter when a tweet from Kan informed followers that the announcement bot on the Fractal Discord server had been hacked. Another tweet from the main Fractal Twitter account confirmed that a malicious link had been posted through the channel.

An announcement bot about @fractalwagmi’s discord has been hacked. Do not go to any URL and do not connect your wallet / mint.

Justin Kan (@justinkan) December 21, 2021

This attack targeted users who wanted to mint an NFT, the term for buying tokens when they are first created by a particular project rather than buying them on the secondary market at a later date.

The post from the Discord bot was fake, but Fractal’s official Twitter account had posted a tweet a few hours earlier suggesting an upcoming airdrop, which in crypto projects is the process of distributing a large number of tokens, usually to early adopters. Demand for token mints and airdrops is often very high, so the pressure on users to move fast when snap announcements are made creates an attack vector that scammers are very pleased to exploit.

The cryptography behind cryptocurrencies and NFTs is very secure, but the vast network of websites and applications that make up the broader crypto ecosystem contains many potential points of attack.

Tweets from the official Fractal account suggest that the fraudulent messages were posted to Discord via a webhook. Webhooks are a web application design feature that allows an application to listen for messages sent to a particular URL and trigger an event in response, such as posting to a particular Discord channel.

Virtually anyone with the URL can post to the channel if the webhook isn’t protected by additional authentication methods. It is not clear what precautions the team behind Fractal had taken to prevent this from happening.
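An added example, not from the article or from Fractal: because a Discord webhook URL acts as the credential for posting, one defensive check is to scan repositories and configuration for leaked URLs and to redact them before they reach logs or tickets. The host and path pattern follows Discord's webhook URL layout; the token length range, file names, webhook IDs and token below are constructed assumptions.

```python
import re

# Discord incoming-webhook URL layout: .../api/webhooks/<numeric id>/<token>.
# The token length range (60-80) is an assumption chosen to tolerate variation.
WEBHOOK_RE = re.compile(
    r"https://(?:(?:canary|ptb)\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{60,80})"
)

def find_webhook_leaks(files):
    """Return (path, line_no, webhook_id) for every webhook URL found.

    `files` maps a path to its text content. The token is never returned,
    so the findings list is safe to paste into a ticket.
    """
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in WEBHOOK_RE.finditer(line):
                findings.append((path, line_no, match.group("id")))
    return findings

def redact(text):
    """Replace the token part of each webhook URL, keeping the id for triage."""
    def _mask(match):
        prefix_len = match.start("token") - match.start()
        return match.group(0)[:prefix_len] + "<redacted>"
    return WEBHOOK_RE.sub(_mask, text)

# Constructed sample input: fake ids and a fake 68-character token.
FAKE_TOKEN = "EXAMPLE" + "x" * 61
SAMPLE_FILES = {
    "bot/config.py": 'ANNOUNCE_HOOK = "https://discord.com/api/webhooks/'
                     '123456789012345678/' + FAKE_TOKEN + '"\n',
    "README.md": "The announcement bot posts through a channel webhook.\n",
    "deploy/env.sh": "# legacy host\nexport HOOK=https://discordapp.com/api/"
                     "webhooks/987654321098765432/" + FAKE_TOKEN + "\n",
}

if __name__ == "__main__":
    for path, line_no, hook_id in find_webhook_leaks(SAMPLE_FILES):
        print(f"{path}:{line_no}: webhook {hook_id} exposed")
    print(redact(SAMPLE_FILES["deploy/env.sh"]))
```

Treat any finding as a leaked secret: delete the webhook and create a new one.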

In the wake of the hack, a blog post from Fractal announced that victims who lost money would be fully compensated. While briefly apologizing, the blog post also seemed to place some of the responsibility for security on the project’s followers:

If you feel something is wrong with the cipher, don’t move on, even if it looks legitimate at first. Cryptography doesn’t have an undo button, so you need to make the best decision.

Fractal had not responded to requests for comment sent via the company’s official contact form at the time of press.

