The Heart Project Discord Hack: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Imported case study; original source: https://www.quadrigainitiative.com/casestudy/theheartprojectdiscordhack.php


References

1. SlowMist Hacked - SlowMist Zone, https://hacked.slowmist.io/en/ (Jun 26, 2021)
2. The Heart Project, https://www.heartnfts.io/ (Mar 13, 2022)
3. https://mobile.twitter.com/HeartNFTs/status/1488388393121636356 (Mar 13, 2022)
4. https://mobile.twitter.com/HeartNFTs/status/1488661897532493830 (Mar 13, 2022)
5. https://mobile.twitter.com/HeartNFTs/status/1488743536195301377 (Mar 13, 2022)
6. https://opensea.io/collection/heartnfts (Mar 13, 2022)
7. How To Buy The Heart Project NFTs • Benzinga Crypto, https://www.benzinga.com/money/how-to-buy-the-heart-project-nft/ (Mar 13, 2022)
8. The Heart Project Founders on Building a Creative NFT Community - Variety, https://variety.com/2021/digital/news/heart-project-nft-community-aidan-cullen-stefan-meier-1235099068/ (Mar 13, 2022)
9. This 15-Year-Old Has a Record Deal, Justin Bieber as a Fan, and His Own NFTs, https://nftnow.com/music/prentiss-15-year-old-record-deal-justin-bieber-fan-nfts/ (Mar 13, 2022)
10. @HeartNFTs Twitter, https://twitter.com/HeartNFTs/status/1500616263730483201 (Mar 13, 2022)
11. The official Discord of the NFT project, The Heart Project, was hacked - Aliens: AI Crypto News & Markets Updates, https://www.aliens.com/livenews/latest/the-official-discord-of-the-nft-project-the-heart-project-was-hacked (Mar 13, 2022)
12. The heart project official discord of NFT project was attacked by hackers - CoinCryptoRadar, http://coincryptoradar.com/news?title=The-heart-project-official-discord-of-NFT-project-was-attacked-by-hackers (Mar 13, 2022)
13. NFTs for Beginners: Everything You Need to Know About The Latest Crypto Craze, https://www.websiteplanet.com/blog/nft-guide/ (Aug 18, 2022)

Revision as of 14:36, 2 March 2023

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

[Image: The Heart Project]

Just days after running a humorous "you got rugged" campaign that gave away rugs to various users, many users had their hearts stolen by hackers. The Heart Project Discord was attacked, and malicious links were used to trick users into granting access to their NFTs, which the attacker then resold.

This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10][11][12][13]

About The Heart Project

"The Heart Project is releasing a collection of 10,000 NFTs living on the blockchain as collectibles." "The Heart Project is a community-run creative studio which enables passionate lovers of creativity to shape the art we interact with. 10,000 unique tokens on the Ethereum-based blockchain will serve as membership passes which grant access to creative contribution and shared ownership of our group creations. The Heart Project Creative Studio is designed to produce media with thousands of contributors on every project and grants ownership of our shared creations."

"The “Heart” character has 235 unique attributes which have been plugged into a computer generated AI with the possibility of creating over a trillion different combinations."

"Each Heart NFT is one of a kind based on its combination of characteristics." "When you are verified as a heart owner, you will gain membership access to our collaborative portal in our discord. This will allow you to decide on & define the creation of all Heart Project endeavors. We will begin with a music video, a clothing capsule, a game, and an album - but soon the community will take control of what comes next. Each project will amplify the unique voices of all members and be shaped by all of us. The group as a whole will also partner with musicians and brands to collaborate on creative projects. Together, we will vote on which outside projects and artists the Heart Project will work with."

"The Heart Project was created by Stefan Meier and Aidan Cullen in 2021. Over the past two years, Stefan has been developing a series of paintings and drawings inspired by the cartoons of his childhood. The character he felt most drawn to was a heart because of its simple and universal message of love, healing, and compassion. He teamed up with fellow artist Aidan Cullen, an avid cryptocurrency and NFT enthusiast, who helped grow the idea and put together a dedicated team to create a world and community surrounding the character. The combination of this classic symbol with Stefan’s distinct visual style is bringing something unique to the NFT world. The DIY aesthetic sets it apart from other NFT collections, and so do our goals for the project."

"On Sept. 27, Cullen and Meier dropped 10,000 NFTs for 0.08888 ETH (cryptocurrency currently worth roughly $370) each, as the key to become part of the community. The NFT itself is a computer-generated heart cartoon designed by Meier, with each one having randomly assigned attributes. They sold out in less than 30 seconds."

"Every Heart was 0.08888 ETH at mint, but they’re now selling for around 1 ETH on the secondary markets. The “Heart” character has 235 unique attributes that have been plugged into a computer-generated AI with the possibility of creating over a trillion different combinations. Most buyers will choose the Heart that they identify with the most. In the first collection, the Heart project team sold 5,000 during a presale, and 5,000 were released on the NFT drop date. The team will reserve 250 NFTs for giveaways to the community."

"The 4,900 “heart holders,” as Cullen and Meier call them, hail from 50 different countries and are part of a special Discord channel where they are privy to star-studded creative opportunities. Cullen and Meier are also aided by Brockhampton creative director Henock Sileshi (aka HK) and software engineer Luke Davis. Current ventures include producing and writing a song with Benny Blanco and Lil Dicky, creating music videos for Deb Never and Jean Dawson, a community-designed clothing capsule and a collaborative zine. When these projects are complete, they will also have a NFT component to them, allowing contributors to turn the collaboration into cash."

"The official Discord server of the NFT project The Heart Project was hacked. Scammers deleted most of The Heart Project's Discord channels and posted scam links."

"The Heart Project tweeted that its official NFT Discord server went down on February 2. Scammers deleted many channels and posted scam links on the server. As a result, some users clicked on fraudulent links and lost money. The Heart Project said it would reimburse users for lost ETH. At present, the official team is working hard to restore the Discord and reminding users not to click on any unknown links, and that it would be best to disconnect their wallets."

"OUR DISCORD JUST GOT HACKED, DO NOT CLICK ANY LINKS WE ARE HAVING OUR TEAM DEAL WITH THIS RIGHT NOW"

"According to The Heart Project, some users clicked on fraudulent links and said they lost assets."

"Earlier today our Discord server was compromised." "This was a multi-person, coordinated attack that attempted to take advantage of our community." "The scammers were able to briefly take over our server, wipe most of our channels, and post a scam mint link. The spam link was up for seven minutes before we were able to regain control of the server." "During that time, a few users clicked the fraudulent link and reported that they were scammed."

"The Heart Project says it will reimburse users for lost ether." "We will be reimbursing the ETH taken from everyone who minted through the fake link posted in our server. Check our discord for more details."

"[W]e are sincerely sorry for anyone impacted. It is unfair and devastating to be a victim of this type of scam, and we are working around the clock to right this situation."

"While we’re working hard to get our Discord back up and running, this is a good time to remind everyone to enable Discord two-factor authentication and avoid clicking on any suspicious links." "We also recommend disconnecting your wallet from all websites it may currently be connected to. If you are unsure how to do so, there are many online resources that can walk you through the process."


What Happened


Key Event Timeline - The Heart Project Discord Hack

Date: February 1st, 2022 4:53:00 PM MST
Event: Main Event
Description: not yet written.

Total Amount Lost

The total amount lost is unknown.

Total Amount Recovered

The total amount recovered is unknown.

General Prevention Policies

If this is similar to other Discord hacks that have happened in the past, the lesson here is about the weakness of two-factor authentication where all factors are held on the same device, and about routinely using an account with more privileges than necessary. When every factor lives on one device, breaching that device is all an attacker needs to perpetrate an attack. Routinely using a fully permissioned account when its extra permissions are not needed widens the breach window, whereas a separate, lower-privilege account for everyday use would greatly limit what an adversary could do if they ever got in.

Ideally, key actions such as banning moderators or posting global announcements would be set up so that approval from multiple people is required. In this way, a single compromised account would no longer be enough, and such a breach would be nearly impossible to carry out.

In our framework, we advocate for training platform operators about incidents such as these, and require the approval of two separate security sign-offs for a project to launch, which would likely catch any weak security practices. A discretionary treasury fund is available to cover losses, in addition to whatever treasury is available with projects directly.
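As an added illustration of the two points made above (this is not code from the wiki or from The Heart Project), the following Python model flags dangerous permissions on an everyday-use account and gates channel deletion, global announcements and moderator bans behind two distinct approvers on two distinct devices, so that one phished account and the device holding both of its 2FA factors is not enough. The permission names, action names and account/device labels are hypothetical.

```python
"""Two-person approval for destructive Discord-style admin actions (added example)."""
from dataclasses import dataclass, field

# Hypothetical permission names, loosely modelled on Discord role permissions.
DANGEROUS = {"ADMINISTRATOR", "MANAGE_CHANNELS", "BAN_MEMBERS", "MENTION_EVERYONE"}
# Hypothetical mapping of each gated action to the permission it needs.
REQUIRES = {
    "delete_channel": "MANAGE_CHANNELS",
    "post_announcement": "MENTION_EVERYONE",
    "ban_moderator": "BAN_MEMBERS",
}


@dataclass(frozen=True)
class Account:
    name: str
    perms: frozenset
    device: str  # the device holding this account's password and 2FA app


def over_privileged(acct: Account) -> set:
    """Dangerous permissions an everyday-use account should not be carrying."""
    return set(acct.perms & DANGEROUS)


def can_do(acct: Account, action: str) -> bool:
    """Administrator implies everything; otherwise the specific permission is needed."""
    return "ADMINISTRATOR" in acct.perms or REQUIRES[action] in acct.perms


@dataclass
class ApprovalGate:
    """Executes a gated action only once `quorum` distinct admins on distinct
    devices have approved it, so one compromised device cannot act alone."""
    quorum: int = 2
    pending: dict = field(default_factory=dict)   # "action:target" -> approvers
    executed: list = field(default_factory=list)  # audit trail of executed actions

    def request(self, action: str, target: str, requester: Account) -> bool:
        """Open a request; the requester counts as the first approver."""
        if not can_do(requester, action):
            raise PermissionError(f"{requester.name} lacks {REQUIRES[action]}")
        key = f"{action}:{target}"
        self.pending[key] = [requester]
        return self._try_execute(key)

    def approve(self, action: str, target: str, approver: Account) -> bool:
        """Add an approval; returns True if that approval executed the action."""
        key = f"{action}:{target}"
        if key not in self.pending or not can_do(approver, action):
            return False
        approvers = self.pending[key]
        # A second approval only counts from a different person on a different device.
        if any(a.name == approver.name or a.device == approver.device for a in approvers):
            return False
        approvers.append(approver)
        return self._try_execute(key)

    def _try_execute(self, key: str) -> bool:
        approvers = self.pending[key]
        if len(approvers) < self.quorum:
            return False
        self.executed.append((key, tuple(a.name for a in approvers)))
        del self.pending[key]
        return True
```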

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
