This appears to be highly coordinated. From the article, it sounds like their Discord server has a channel (announcements) that should only be writable by admins, but some type of API keys were leaked before (could've been obtained a long time ago) and the attackers held on to it until now to post a phishing link around the time when minting was supposed to open. It seems like the attacker even made a precautionary move of DDoS'ing the real web site to make sure people can't go to the real one, which adds credibility. This is a pretty high-level effort attack.
The weakest link here seems to be that Discord is the trusted source of truth of communication from the project (not unlike emails are the trusted channel to verify identity for individual users on many web services). What's not yet known is whether some Discord-side security is compromised or the project admins had previously been phished/social-engineered to expose their API keys in the past.
The key leak could just as easily be incompetence. Accidentally committed to git, or in their travis setup in such a way as to be easily obtainable, or a bunch of other options.
High effort for high reward like this is not surprising but it could all start with incompetence.
One of the commenters in the article: "It's important money to my family, my wife, my son." And you were willing to put it on a risky, highly speculative project, even if it wasn't a target for hacking.
This is the ultimate, fundamental problem with the cryptocurrency market. People parrot "only invest what you can afford to lose" and end their moon-promises with "...not financial advice" as if their moon-promises would be worth typing if they sincerely believed that their audience will only invest what they can afford to lose.
Yes, the person who lost their money made a terrible, stupid mistake... but if you spend more than a moment in/around cryptocurrency projects, you will be sucked in to believing that _the old-world financial system is crumbling, the only way to secure your future is by investing everything into cryptocurrency_ and so "only invest what you can afford to lose" has an implied wink, "I'm only saying this because the old-world system will come for me if I don't!"
I feel bad for the wife and kid, but I don't have any sympathy for the person.
"I am always recommending people using burner but I was nervous and fomo the "Monkey Kingdom Mint. Never thought it was not a legit mint link in official discord."
Some people can't learn by theory. They have to learn by practice. FOMO isn't a mistake. That's just greed calling the shots.
The best way to learn how to control FOMO is to experience its consequences. The only question is how much tuition are you willing to pay. He paid a lot.
As the saying goes: Bulls make money. Bears make money. Pigs get slaughtered.
He was willing to put some percentage of the 650 SOL into the risky project, we don't know how much he intended to invest/gamble, but it seems doubtful to me that he intended to spend his whole wallet on it.
It is worth also noting that it may not be wise to store your entire life savings in an experimental, possibly illegal alternate currency backed by a permissionless blockchain. Banks may be incompetent at times, but at least you have options. Lessons learned the hard way, but it’s not as if nobody was warning folks.
Solana is the 5th largest blockchain by market cap in the world, has a ton of investors and ongoing development by a lot of talented developers. Just because you haven't heard of it doesn't mean it's not a legitimate project.
HN user comments on a simple phishing website that happens to use a blockchain, as an indictment of all the unrelated wallet developers, all the unrelated protocol developers, and all the unrelated consensus developers just because they never heard of the 5th largest cryptocurrency on the market before.
Surely they would conflate the entire internet infrastructure for any non-blockchain based phishing attack? Stay tuned!
I honestly agree too having worked in enterprise, but see it more as an inevitability as an enterprise product continues to be supported for years and years, as the original talent is churned, and multiple generations of engineers come and go. It's why I don't want to go back into enterprise ever again lol supporting legacy huge overengineered products is rough.
From the article: "The website asked for permission from a Phantom wallet, and it actually drained all SOL from their wallet." It's possible that he didn't spend all his SOL on this project.
To me the craziest thing is that, on the one hand, you have Proof of Work, cryptographic security, public/private keys, the full song and dance.
On the other, you go on some website, click "enter app" and are prompted by a crappy pop-up to authorise the website spending all your money. And if it's Ethereum, you have to pay like $50 just for the joy of doing that.
I do work in infosec and even I'm not sure how to make it entirely secure or trustworthy. The steps involved make the whole thing rather impractical. And might need things like pen and paper...
Hopefully he meant it would have been important money if it were cashed out, and he had actually bought it for next to nothing instead of buying it anywhere near what it's worth today.
> Here's hoping this is the peak — it seems to be, from my studies.
Until the Fed gets inflation under control (2-3 quarters, if not more), we'll still see plenty of retail money go into risky speculative instruments. Alchemy just raised a ton of money, OpenSea just raised a ton of money, YGG just raised a ton of money, Nike just acquired RTFKT, Ubisoft is doing gaming skins as NFTs. Why do you think this is the peak?
Because Ubisoft is a joke, and a less garbage version of the technology is imminent, hence Ubisoft's rush to release and capitalise on the only advantage they'd ever have — first mover.
Because zkrollups are going to do what all the speculative coins do while claiming to have been adding value.
The final ⅓ of the technological adoption is here, there can't be as many degens trying to 300x coins if they just don't do that anywhere near as often anymore.
This whole space turned out to be one big joke. It's the wild west of scams, hacks, snake oil salesmen, teenage influencers giving "expert" advice on trading, shilling scam coins, NFTs and whatnot.
I have been following this space since 2015 as a bystander, when Ethereum was founded. Currently this is the most spectacular shit-show on the planet. Especially now with all the NFT craze, I am seeing more and more celebrities getting sucked into this craze and trying to promote the next big thing.
I wonder when it's all going to pop and who is going to be left holding all the bags?
Too many fools willing to part with their money. This new generation has not experienced enough financial fear to properly manage their financial risks. In addition, social media is promoting rich and luxurious lifestyles, resulting even in those who cannot afford to lose gambling their life savings.
Even at the time, EOS didn't look great. The technicals just weren't there for the protocol. It was joked to be the AWS of blockchains -- i.e. essentially centralized, same with Ripple.
It was definitely not the most promising. I would argue that most of blockchain is still in its early infancy. Only very recently has second layer stuff really begun to scale reasonably well. Once Eth 2 comes out and scalability takes off I think we'll see a huge amount of growth. Right now we're in the 1200 baud dialup phase connecting to a BBS that costs $2 per minute to use. It's not practical yet for 98% of applications. It will be, and I think within 1-2 years.
> teenage influencers giving "expert" advice on trading
But they're no worse than all of the 'analysts' that talk about the regular stock and option market. You could replace the bulk of those people with random number generators and you'd never know. Might even be an improvement.
Turns out the account of a team member of Grape - a provider for wallet verification between SOL and Discord - was compromised[1]. Grape was being used in other Discord servers also. fractal.is is another example with $150k in SOL stolen, but the team already confirmed they will be reimbursing all funds lost apparently. I wouldn't be surprised if there were more instances.
It's funny how every crypto coin and other novel financial trick has an automatic bug bounty tacked on and most of the users aren't even aware of it. The more successful something like this is the higher the probability that if there are any flaws that they will be found.
> The website asked for permission from a Phantom wallet, and it actually drained all SOL from their wallet.
Does anyone else see this as a massive failure on Phantom wallet's part?
That's like my bank, when I pay online using a credit card, asking me to "confirm full access by merchant XYZ to your account" instead of "confirm payment of $50 to merchant XYZ". I mean, DeFi is supposed to be better than legacy institutions, right?!
Phantom by default requests approval before executing transactions, and shows a simulation (e.g. balance changes like this). This can be disabled in the advanced settings (or users can approve transactions without reading the approval popup...).
This is true, but I think that they really should disable approving the transaction prior to the simulation finishing. Because right now, you can simply approve a transaction blindly without letting this complete and seeing the changes in your account balance, which is probably what the people who got their wallet drained did I'd assume, just blindly click purchase because they are in full FOMO mode for their ape NFT.
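The failure mode discussed in the two comments above, as an added example that is not Phantom's code or anyone's from the thread: a wallet-side approval gate that keeps "Approve" disabled until the simulation has finished, and then refuses when the simulated SOL debit exceeds what the user expected to pay. The simulation shape, wallet address, the 650 SOL balance and the 2 SOL mint price are all constructed for the example.

```javascript
// Added example, not Phantom's implementation: the simulation object shape,
// account names and amounts below are constructed for illustration.
const LAMPORTS_PER_SOL = 1_000_000_000; // 1 SOL = 10^9 lamports

// Net SOL leaving the signer's own account according to the simulation.
function solDebit(simulation, walletPubkey) {
  const entry = simulation.balances.find((b) => b.pubkey === walletPubkey);
  if (!entry) return 0;
  return (entry.pre - entry.post) / LAMPORTS_PER_SOL;
}

// Decide whether the approve button may be enabled.
// expectedMaxSol: what the user believes the action costs (mint price plus fees).
function approvalDecision(simulation, walletPubkey, expectedMaxSol) {
  if (simulation.status !== "done") {
    // Blind approval is the gap the comment above describes: never allow it.
    return { allowApprove: false, reason: "simulation still running; blind approval disabled" };
  }
  if (simulation.error) {
    return { allowApprove: false, reason: `simulation failed: ${simulation.error}` };
  }
  const debit = solDebit(simulation, walletPubkey);
  if (debit > expectedMaxSol) {
    return {
      allowApprove: false,
      reason: `transaction debits ${debit} SOL, expected at most ${expectedMaxSol} SOL`,
    };
  }
  return { allowApprove: true, reason: `debit ${debit} SOL within expected ${expectedMaxSol} SOL` };
}

// Constructed samples: a drain that empties a 650 SOL wallet, an honest 2 SOL
// mint, and a simulation that has not finished yet.
const WALLET = "UserWallet1111111111111111111111111111111111";
const drainSim = {
  status: "done",
  balances: [{ pubkey: WALLET, pre: 650 * LAMPORTS_PER_SOL, post: 0 }],
};
const honestSim = {
  status: "done",
  balances: [{ pubkey: WALLET, pre: 650 * LAMPORTS_PER_SOL, post: 648 * LAMPORTS_PER_SOL }],
};
const pendingSim = { status: "running", balances: [] };
```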
So these people who lost 100k. Did they really lose 100k or did they lose crypto currency worth 100k, but which they purchased for a lot less?
What is 'minting' anyway?
Edit: I do understand that if you have something worth x you in essence lose x, but there is a big difference between these people buying this stuff for $2 2 years ago or investing $100k right now.
Minting is just essentially purchasing something with a couple of extra steps behind the scenes.
What pretty much happens when you are minting an NFT is:
1. The owner of the collection uses a program that controls everything around the NFT sales, like the start date, the price, the order of art that is distributed, the owners of the collection where the funds get transferred, and other settings.
This happens before users can mint.
2. User wants to buy art, they launch a webpage that interacts with the above program. They pay the amount of money that the art is configured to sell for, and the program will process these payments in the order they are received and distribute art based off of the order the art is to be distributed. The above program also has safeguards that prevent users from being charged in the case that the art is out of stock at the time the user attempts to pay for it.
3. The 'minting' process is taking the art that was configured from this program, creating (minting) a token for it, and creating any underlying token accounts that are needed to store the art in the user's wallet, and transferring ownership.
NOTE - there are definitely other ways to distribute NFTs, such as generative art that is created at the time of the transaction based off of the block hash. The above example is how this particular NFT collection was to be distributed, it's a common model used by probably the majority of NFT projects. The actual 'minting' step (#3) is pretty much the same though, the process of creating the token and associating the metadata and transferring ownership.
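The three steps described above, as an added toy model that is not any project's or Solana's own mint program: step 1 is the owner's configuration, step 2 is ordered payment processing with the out-of-stock safeguard, step 3 is the mint that creates a token record with its holding account and assigns ownership. Every name, price and buyer below is constructed.

```javascript
// Added example, not a real on-chain program: all names and values are constructed.

// Step 1: the collection owner configures price, start time, distribution order
// of the art, and where funds go.
function createCollection({ price, startTime, items, treasury }) {
  return { price, startTime, items: [...items], treasury, treasuryBalance: 0, queue: [], minted: [] };
}

function submitPayment(collection, { buyer, amount, receivedAt }) {
  collection.queue.push({ buyer, amount, receivedAt });
}

// Step 3: create the token, its holding account, and assign ownership to the buyer.
function mintToken(art, owner, index) {
  const id = `token-${index}`;
  return { id, metadata: { art }, owner, tokenAccount: `${owner}/${id}` };
}

// Step 2: process payments in arrival order. A payment that arrives before the
// start, carries the wrong amount, or finds no art left is refunded, never charged.
function processQueue(collection) {
  const results = [];
  const ordered = [...collection.queue].sort((a, b) => a.receivedAt - b.receivedAt);
  for (const p of ordered) {
    let reason = null;
    if (p.receivedAt < collection.startTime) reason = "before start";
    else if (p.amount !== collection.price) reason = "wrong amount";
    else if (collection.items.length === 0) reason = "out of stock";
    if (reason) { results.push({ buyer: p.buyer, status: "refunded", reason }); continue; }
    const art = collection.items.shift(); // next piece in the configured order
    const token = mintToken(art, p.buyer, collection.minted.length);
    collection.minted.push(token);
    collection.treasuryBalance += p.amount; // funds go to the configured treasury
    results.push({ buyer: p.buyer, status: "minted", token });
  }
  collection.queue = [];
  return results;
}

// Constructed run: two pieces of art, four buyers whose payments arrive out of order.
function demo() {
  const c = createCollection({ price: 2, startTime: 100, items: ["art-A", "art-B"], treasury: "Treasury111" });
  submitPayment(c, { buyer: "buyer-2", amount: 2, receivedAt: 102 });
  submitPayment(c, { buyer: "buyer-1", amount: 2, receivedAt: 101 });
  submitPayment(c, { buyer: "buyer-3", amount: 2, receivedAt: 103 });
  submitPayment(c, { buyer: "buyer-4", amount: 1, receivedAt: 104 });
  return { collection: c, results: processQueue(c) };
}
```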
Yes, or if you bought it for 40K but it burns down when valued at 800K, that loss is still effectively an 800K loss to you. Replacing it will cost the same.
This is not how things work at all. The wood and plaster and glass your house is made of doesn't go up in value, your land (aka deed) does. So if your house burns down, you did not, in fact, lose $800k.
The materials already used in your house may not go up in value, but the value of the raw materials themselves certainly have gone up in value due to 30% inflation or whatever over the past year. Take a look at lumber prices.
In this example I'm sure it wouldn't cost $800k to rebuild the house, but it'd certainly be more than $40k, so it would definitely be a loss.
Let's say I bought a lottery ticket for $10 and my ticket wins and I can go pick up $200 million. On my way to the office of the lottery place I lose the ticket somehow, then I am not out $200 million, I just don't have it anymore, but it isn't as if suddenly I can't lead the same life as before I bought the ticket.
Let's now say that I just bought a huge number of toys for all of my life savings to sell in the holidays and then the uninsured warehouse where I stored them burned down, I actually lose all of my life savings and I have to sell the house, my car, lose the kids, etc.
I am not saying it doesn't suck, I am just trying to discover the context.
At first glance, the "hack" looked to be a pretty basic phishing setup, but it seems like some kind of Discord functionality may have been compromised? That would be a pretty big deal.
This is the thing that stands out most to me here - how did the phisher possibly post in the announcements channel?? This exploit seems like it could have further reaching impacts assuming the announcements channel and server roles / permissions were configured properly. Otherwise this is no different from almost any other phishing attack since the beginning of time...
I think a lot of bad actors in the crypto community are going after Discord setups. For instance a recent NPM watering hole attack downloaded a scanner that was looking for Discord related credentials and settings. This article mentions a webhook being compromised.
They are going to "make things right" which sounds like they may refund members that fell for this. Would the 4D chess move be for the hacker to have "stolen" some of their own funds out of a different wallet to make it look like they were a victim? Then they can double dip, and claim the refund as well as walk away with the stolen goods.
They can even begin laundering the money by purchasing the coveted NFTs when the mint is relaunched, and selling them on the marketplaces
(This won't break the link of funds, alone, but at least they will have different money.
Much faster to bridge all the money to the Ethereum network, swap it for Ether and deposit it into Tornado Cash. Launch a new token with already clean money they have from their day job salary, and pump that token with their dirty funds. And just sell the clean tokens into the pump. Now they're just a lucky founder or speculator.)
This is a pretty bad comment, so I'll take the opportunity to mention a great trend: web3 means bug bounty programs are finally properly funded, and web app, communication, and cold storage security will absolutely flourish because of this.
I think this is exactly what Solana needs to get some traction, it's a good PR move because now everybody will know about it and many people will go in because the price will go down temporarily due to the "hacking".
Because this is crypto it gets the eyeballs but really this is just a successful phish. If it was "Wells Fargo users get accounts drained by targeted attack" it wouldn't get 25% of the views.
Really? I could be wrong, but I feel like it would be all over the news if Wells Fargo lost $1.2mil. Do you have examples of it happening and not getting press?
Surely banks lose tons of money the same way to call scams everywhere; it was a good old phishing scam + NFT insanity greed.
Often the call scams, at least where I live, make old people wire their money because they think they are talking with a banking clerk. In this case young people thought they were talking with some sort of NFT/crypto influencer I guess.