Discord server of major NFT community found to have been hacked via a bot
Bored Ape Yacht Club (BAYC), a collection community that provides monkey icons as non-fungible tokens (NFTs), announced that its official Discord server was hacked on April 1, 2022, and that a malicious link aimed at phishing was posted there. Similar links were also found on the Discord servers of other NFT communities.
BAYC Says Discord Briefly Compromised, Tells Users to Avoid Discord for Minting APE NFTs
https://www.coindesk.com/tech/2022/04/01/bayc-says-discord-briefly-compromised-tells-users-to-avoid-discord-for-minting-ape-nfts/
Bored Ape Yacht Club, Other Major NFT Project Discords Hacked by Scammers
https://www.vice.com/en/article/n7nywg/bored-ape-yacht-club-other-major-nft-project-discords-hacked-by-scammers
According to security researcher Serpent, a link was posted on BAYC's Discord server prompting users to 'create an April Fool's Day limited NFT.' Clicking this link could lead to malicious scripts that steal users' NFTs and wallet information, Serpent said.
THIS IS 100% CONFIRMED. AUDIT LOG FROM DOODLES & SHAMANZS
— Serpent (@SerpentAU) April 1, 2022
TICKET TOOL IS HACKED
REMOVE IT FROM YOUR SERVER. pic.twitter.com/KKHn5RHCVL
There are already reports that BAYC NFTs and cryptocurrency have been stolen, and it has been confirmed that about 20 ETH has moved out of the affected wallet.
Serpent claims that the phishing attack was carried out by hacking the Discord bot 'Ticket Tool', which manages push notifications and inquiry responses. The official Twitter account for Ticket Tool, on the other hand, said, 'A recent update to the add command had a bug that allowed some kind of permission abuse. I'm going to find out exactly what happened. The bot itself is not compromised beyond a very unfortunate bug.'
A recent update I made to the add command had a bug allowing for some type of permission exploit ..
— Ticket Tool (@Ticket_Tool) April 1, 2022
I've reverted the update to the previous uncompromised version and will be looking into exactly how this happened.
The bot itself is not compromised beyond a very unfortunate bug.
BAYC's official Twitter account said, 'Stay safe. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised. We caught it immediately, but please note that we are not doing any April Fool's Day mints or airdrops. Other Discords are also under attack.'
STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised. We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc. Other Discords are also being attacked right now.
— Bored Ape Yacht Club (@BoredApeYC) April 1, 2022
In addition, phishing messages were confirmed on the Discord channels of other NFT communities that also use Ticket Tool, such as Doodles, Shamanzs, and Nyoki.
Shamanzs Discord hacked too.
— Zachxbt (@zachxbt) April 1, 2022
Funds are being directed here: https://t.co/Mrvec92UEV pic.twitter.com/I2wAk2I2lp
Along with blue-chip projects like BAYC, and Doodles, our server was also compromised today due to a recent large-scale hack.
— Nyoki Club (@nyokiclub) April 1, 2022
We have taken everything under control in less than 30 minutes.
As a result, the price of BAYC's cryptocurrency 'ApeCoin' fell 8.3% in 24 hours.
in Software, Web Service, Posted by log1i_yk