On 20 October 2021, one of the most high-profile hacks in recent times took place against the CreatureToadz NFT project, sending the entire CreatureToadz community into disarray.
What was novel about the hack was that it was not so much an exploit of the protocol, or a social engineering ploy set up to deceive users, as a compromise of the project's own channel: the hacker gained access to the CreatureToadz Discord server and posted a fraudulent link in the official channel, asking community members to begin minting the NFTs as part of a ‘stealth mint’ process.
Given that the hack took place on the official Discord, which NFT communities have generally cherished as a pillar of trust, the events caught the developers off-guard.
Moreover, the significant FOMO of the community in relation to the NFTs drove many to visit the site to begin the minting process, as they were under the impression that this was an official link.
In a swift turn of events, a total of 88 ETH, spanning 580 transactions, was sent to the hacker’s address over 45 minutes. This sparked outrage, fury, and confusion amongst the entire CreatureToadz community, which was only beginning to grapple with the situation.
The moderators of the Discord channel were also thrown into a frenzy, as what was “official” or not became the subject of grave uncertainty. Later, the CreatureToadz team formally issued a Twitter announcement to state that they had regained full control of the Discord, and pledged to compensate all users who had been defrauded.
As a post-mortem inquiry was launched, the CreatureToadz team realized that one of the moderators in the official Discord had his account compromised, which ultimately enabled the hacker to infiltrate the Discord server to conduct his attack.
To add insult to injury, the hacker updated the fake CreatureToadz mint website, and included the following line to continue misleading the community.
As the events were unfolding in real-time, NFT investor and writer Andrew Wang hosted a live post-hack Twitter Spaces discussion which enabled the CreatureToadz community members to communicate their concerns, as well as to provide real-time updates on the situation.
Simultaneously, the developers and community members began tracking down the identity of the hacker, looking through the paper trail of transactions that the hacker had left in the wallet address that received funds from the fake NFT minting contract.
An anonymous NFT analyst, OKHotshot, assisted the CreatureToadz team to track down the hacker — and managed to link the hacker’s address to a Twitter account with the username HEERR.
As the live updates were provided to the community, it became apparent that the hacker was actually tuning in ‘live’ to the Twitter Spaces discussion, which led the team to call him out to return the funds that had been taken from users.
The hacker responds…and returns funds
In another turn of events, upon finding out that his identity could be compromised, the hacker claimed on the Twitter Spaces discussion that he was a 17-year-old male high school student, and that the attack was merely a joke. He also pledged to return the funds to the community.
Shortly after the conclusion of the discussion, the hacker reached out to the CreatureToadz team on Discord to return the funds, and promptly sent back the full sum to the team.
The team subsequently refunded all users who had been affected by the exploit, which brought a close to the rapidly escalating saga that shocked the entire NFT community.
Despite the “happy ending” to the CreatureToadz saga, the incident has raised serious questions about the security of Discord communities.
Following the exploit, the majority of NFT communities issued updates on their official Discord servers, urging users to be extra careful of any unusual announcements that were not in line with the team’s previous communications.
How can we keep safe in the Wild West?
With the general exuberance and excitement in the NFT space, security is one area that has often been overlooked by users. As more capital flows into the space, NFT projects will increasingly become targets of scammers and hackers, particularly since many new users are still learning and getting to grips with the functionality of Web 3.0.
As a rule of thumb, we recommend the following principles to keep yourself as safe as possible when you explore the wild, wild west of decentralized applications:
1. Never, ever, reveal your wallet seed phrase, and store it offline!
One of the cardinal rules is to never reveal your seed phrase to anyone. There is no situation where any moderator or community member would ask for your seed phrase, as this is not necessary to conduct any transactions.
Users should also store their seed phrase offline rather than in a note on their computers or mobile phones, given that these could be exploited as well.
2. Avoid clicking on any links that are sent to you via Direct Messages
Users should be extremely wary of any direct messages sent to them by other users claiming to offer early access or freebies simply by clicking a link. It is extremely unlikely (almost never happens) that the teams involved in particular projects will reach out to you directly with such offers.
One simple way to avoid these situations is to turn off the function of Direct Messages in your Discord account. This is one of the most recommended actions one can take to avoid accidentally clicking on links.
3. Read and follow past discussions to ensure that there is nothing unusual or out of the blue in new announcements
The CreatureToadz exploit has shown that even formal, official channels can be attacked.
In this sense, it is important to follow past announcements as well as to note down any details that a particular project has provided in terms of milestones and dates. This helps you to judge whether a sudden announcement or post may be a hack or exploit. If in doubt, always err on the side of caution.
4. Always check and double-check links and contract / token addresses to ensure you are interacting with the correct smart contracts
Teams will usually post a set of formal addresses and links in an announcement or dedicated ‘links’ page so that community members are able to check if they are interacting with the official contracts and tokens. Before interacting with any protocol or smart contract, always double-check the link / address to ensure that you are not on a fraudulent page.
5. Set up separate hot wallets to interact with potentially riskier protocols
In the event that you are unsure of whether a protocol is secure, one of the best ways to protect your assets is to set up a separate wallet for the sole purpose of interacting with a particular smart contract. Only transfer what you need into the new wallet to interact with the contract – this isolates the exposure you will have in case things go wrong!
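As an added illustration of rule 4 (example code written for this article, not code from the original post or from the CreatureToadz team), the following Python checks an announced mint link and contract address against a project's published list of official hosts and contracts. The hosts and the contract address are constructed placeholders, and the look-alike hostname check goes slightly beyond the rule as stated.

```python
import re
from typing import Tuple
from urllib.parse import urlsplit

# Constructed placeholders standing in for a project's published "links" page.
# Neither the domain nor the contract address is a real CreatureToadz value.
OFFICIAL_HOSTS = {"mint.example-toadz.xyz", "example-toadz.xyz"}
OFFICIAL_CONTRACTS = {"0x00000000000000000000000000000000deadbeef"}

# Character substitutions commonly seen in look-alike hostnames.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t"))
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize_host(host: str) -> str:
    """Fold look-alike characters so 'rnint.exampl3-t0adz.xyz' folds to the official host."""
    host = host.lower().strip(".")
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def check_link(url: str) -> Tuple[bool, str]:
    """Pass only an https URL whose host is exactly on the official list."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        return False, "not an https URL"
    if host in OFFICIAL_HOSTS:
        return True, "host is on the official list"
    if normalize_host(host) in {normalize_host(h) for h in OFFICIAL_HOSTS}:
        return False, "look-alike of an official host"
    # Fraudulent pages often embed the real project name in a subdomain or path.
    if any(official in url.lower() for official in OFFICIAL_HOSTS):
        return False, "official name appears in the URL but the host is not official"
    return False, "host is not on the official list"


def check_contract(address: str) -> Tuple[bool, str]:
    """Compare a contract address against the published list after normalising case."""
    addr = address.strip()
    if not ADDRESS_RE.match(addr):
        return False, "not a well-formed 20-byte hex address"
    if addr.lower() in OFFICIAL_CONTRACTS:
        return True, "contract is on the official list"
    return False, "contract is not on the official list"


if __name__ == "__main__":
    for url in ("https://mint.example-toadz.xyz/stealth",
                "https://rnint.exampl3-t0adz.xyz/mint"):
        print(url, check_link(url))
    print(check_contract("0x00000000000000000000000000000000DEADBEEF"))
```

Replace the placeholder sets with the addresses and hosts the team actually publishes; anything that does not pass should be treated as unverified until confirmed through a second official channel.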