Fractal NFT Discord Hack
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Fractal launched a large-scale NFT collection called "Fractals" in December 2021, featuring 100,000 unique snowflake-themed NFTs. These NFTs belong to one of four factions, have power levels ranging from 23 to 100, and possess various attributes. A scam occurred when a hacker infiltrated Fractal's Discord "#announcements" channel and posted a fake minting link. Users who followed the link and connected their wallets were defrauded of their Solana cryptocurrency, amounting to approximately $150,000. Fractal plans to fully compensate the 373 victims affected by the hack and has obtained the list of Solana wallets that sent funds to the hacker.
About Fractal.is
"Fractal is a startup project from Twitch co-founder Justin Kan specializing in the buying and selling of NFTs representing in-game assets. It was announced earlier in December and quickly amassed a following of more than 100,000 users through Discord"
"Introducing the Fractal NFT." "Last December [2021], we launched Fractal NFT collection, the largest and most successful airdrop on Solana."
"100k unique snowflakes floating around the metaverse. Fractals will come with benefits on the Fractal marketplace and within the community. In addition, it is our hope that fractals will give you special powers in your favorite blockchain-based games. We believe “cross-game” assets like these, that are truly yours, is the future of gaming. Together, we can unlock that future.
Fractals belong to 1 of 4 factions: tri, quad, penta or hexa. The faction dictates what shapes the fractal is constructed from and the color it emits. The tri faction is the largest, containing 70,000 fractals. The hexa faction is the smallest, containing only 1,000."
"Each fractal has a power level from 23 to 100. Higher power fractals are more rare, as they are not easy to find in nature because of their instability. You can quickly determine the power level of a fractal by the fractal’s size and complexity."
"Fractals are dynamic clusters of energy and thus may change slightly over time. Fractals have a variety of attributes, some of which are not visible from the fractal’s image. These include faction, power, name, purity, velocity, spin and altitude. Games may choose to utilize these attributes however they wish. Perhaps your player unlocks special powers when you collect 1 of each faction… Or perhaps fractals with ultra-high purity unlock secret doors. Endless possibilities. Game on frens."
"In the Fractal NFT Metagame, Fractal NFT holders are competing for power. By engaging on Fractal through minting, trading, and most importantly, playing in tournaments, you can power up your Fractal NFTs.
Beware, Fractal NFTs will slowly discharge the newly acquired power. The discharged power will be redistributed to other players to earn. The speed of discharge depends on the purity of your snowflake. The higher the purity, the slower the discharge.
Very soon, you will be able to use Fractal Wallet containing the NFT to unlock in-game benefits with our Metagame partner games.
Keep track of your Fractal NFT Metagame progress by comparing the “OG Power” attribute to the “Power” attribute."
Solanart: [8]
The Reality
Fractal "was announced earlier in December and quickly amassed a following of more than 100,000 users through Discord — making it a target for the kind of scammers that have plagued NFT projects since the beginning."
"Buyers hoping to get a limited-edition NFT from Fractal, a new marketplace for game item NFTs, were given an unpleasant and costly surprise on Tuesday morning when it was revealed that a link sent through the project’s official Discord channel was a scam set up to steal crypto."
What Happened
| Date | Event | Description |
|---|---|---|
| December 21st, 2021 9:23:00 AM MST | Warning From Justin Kan | Justin Kan Tweets a warning about the breach. |
| December 21st, 2021 1:50:10 PM MST | Medium Article | The Fractal NFT team publishes an article on Medium about the breach[9]. They announce that Fractal's Discord community experienced a scam in which approximately 373 members lost around $150,000 due to a fake mint link posted in the #announcements channel. In response, Fractal is planning to fully compensate the 373 victims and already has a list of affected Solana wallets. Information related to their airdrop will be communicated through Twitter and accompanied by videos from Justin. They will collaborate with Discord Trust and Safety on a full security audit of their Discord. They also plan to work with other potentially affected Discord communities to track down the hacker. Fractal emphasizes the importance of caution in the crypto space and urges users to trust their instincts if something seems suspicious, as there is no "undo button" in crypto. They reassure the community that Fractal's NFT airdrop is intended to be free and that they will not charge users for any future NFT airdrops. |
| December 21st, 2021 2:23:17 PM MST | The Verge Article | The Verge publishes a more detailed article on the Discord breach[10]. They report that a scammer stole approximately $150,000 worth of Solana cryptocurrency from 373 users of the Fractal NFT marketplace through a Discord hack. The scam involved the scammer posting a fraudulent link in the project's official Discord channel, prompting users to connect their wallets to receive NFTs but instead resulting in the theft of their Solana holdings. Fractal, a startup by Twitch co-founder Justin Kan, specializes in buying and selling NFTs representing in-game assets. The incident highlights the ongoing challenges of security in the crypto and NFT space, emphasizing the importance of user diligence and caution in the absence of an "undo button" for crypto transactions. |
| December 21st, 2021 3:59:33 PM MST | Protocol.com Article | Protocol.com publishes an article on the Discord breach[11], reporting that Fractal experienced a Discord server hack that resulted in the theft of $150,000 worth of Solana cryptocurrency from 373 of its members. The unauthorized user behind the hack posted a fake minting link in Fractal's "#announcements" channel. Fractal has pledged to fully compensate the victims of the hack and is collaborating with other Discord channels that may have experienced similar hacks to track down the perpetrator. The startup, launched just over a week ago, emphasized the importance of user diligence in crypto transactions and encouraged the use of secure practices. Discord server hacks and crypto scams are common challenges in the crypto industry. |
| December 22nd, 2021 3:03:32 AM MST | The Crypto Times Article | The Crypto Times reports that Fractal, an NFT startup founded by Twitch Co-Founder Justin Kan, had its Discord channel hacked, resulting in approximately 862 SOL (around $150,000) being stolen from 373 users. Scammers hijacked the Discord announcement bot, sending a fake link to over 100,000 members, prompting them to pay for a new NFT. Users who clicked the link and attempted to mint an NFT for 1 SOL found their Solana wallets emptied. While Fractal shut down the announcements channel within 5 to 10 minutes, 373 users were still hacked. The project plans to fully compensate the victims and is working with Discord Trust and Safety to audit its security. It also emphasized the need for caution in the crypto space, stating, "If something doesn't feel right in crypto, please don't proceed."[12] |
| December 22nd, 2021 9:09:02 AM MST | Tweak Town Article | Tweak Town reports that Fractal, an NFT trading marketplace launched by Twitch co-founder Justin Kan, experienced a scam that resulted in users losing around $150,000 worth of Solana cryptocurrency due to a Discord vulnerability. Hackers took control of Fractal's admin account and posted a fake message in the Discord channel, instructing users to link their wallets to participate in an NFT drop. Approximately 373 users fell for the scam, losing 800 SOL (Solana) in total. Fractal has acknowledged the hack and pledged to fully compensate the affected users, stating they have identified the wallets involved. They are also collaborating with Discord Trust and Safety for a security audit.[13]. |
| December 22nd, 2021 3:47:50 PM MST | NFT Evening Article | NFT Evening reports. |
| April 4th, 2022 11:31:09 AM MDT | Game News 24 Article | Game News 24 references the case in an article on multiple attacks[14]. |
| April 8th, 2022 12:05:14 PM MDT | NFTNow Mention | NFTNow mentions the breach in an article on other attacks[15]. |
| September 27th, 2022 4:34:00 AM MDT | Fractal NFT Metagame | [16] |
| November 17th, 2022 12:35:33 PM MST | Fractal NFT Metagame | The Fractal team publishes an article on Medium about their new Fractal NFT Metagame. "we quickly realized the potential to make this dynamic NFT collection special — to turn it into a game itself". |
Technical Details
"Users who followed the link and connected their crypto wallets, expecting to receive an NFT, instead found that their holdings of Solana (SOL) cryptocurrency were emptied and transferred to the scammer’s account."
"Justin Kan, co-founder of Twitch for his Fractal NFT project, where 373 users stole their cryptocurrency."
Fractal, a gaming NFT marketplace, experienced a Discord server hack that resulted in the theft of $150,000 worth of Solana cryptocurrency from 373 of its members. The unauthorized user behind the hack posted a fake minting link in Fractal's "#announcements" channel. Fractal has pledged to fully compensate the victims of the hack and is collaborating with other Discord channels that may have experienced similar hacks to track down the perpetrator. The startup, launched just over a week ago, emphasized the importance of user diligence in crypto transactions and encouraged the use of secure practices. Discord server hacks and crypto scams are common challenges in the crypto industry.[11]
A scammer stole approximately $150,000 worth of Solana cryptocurrency from 373 users of the Fractal NFT marketplace through a Discord hack. The scam involved the scammer posting a fraudulent link in the project's official Discord channel, prompting users to connect their wallets to receive NFTs but instead resulting in the theft of their Solana holdings. Fractal, a startup by Twitch co-founder Justin Kan, specializes in buying and selling NFTs representing in-game assets. The incident highlights the ongoing challenges of security in the crypto and NFT space, emphasizing the importance of user diligence and caution in the absence of an "undo button" for crypto transactions.[10]
Fractal, an NFT trading marketplace launched by Twitch co-founder Justin Kan, experienced a scam that resulted in users losing around $150,000 worth of Solana cryptocurrency due to a Discord vulnerability. Hackers took control of Fractal's admin account and posted a fake message in the Discord channel, instructing users to link their wallets to participate in an NFT drop. Approximately 373 users fell for the scam, losing 800 SOL (Solana) in total. Fractal has acknowledged the hack and pledged to fully compensate the affected users, stating they have identified the wallets involved. They are also collaborating with Discord Trust and Safety for a security audit.[13].
Fractal, an NFT startup founded by Twitch Co-Founder Justin Kan, had its Discord channel hacked, resulting in approximately 862 SOL (around $150,000) being stolen from 373 users. Scammers hijacked the Discord announcement bot, sending a fake link to over 100,000 members, prompting them to pay for a new NFT. Users who clicked the link and attempted to mint an NFT for 1 SOL found their Solana wallets emptied. While Fractal shut down the announcements channel within 5 to 10 minutes, 373 users were still hacked. The project plans to fully compensate the victims and is working with Discord Trust and Safety to audit its security. It also emphasized the need for caution in the crypto space, stating, "If something doesn't feel right in crypto, please don't proceed."[12]
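The accounts above agree on the mechanics: a trusted announcements bot posted a link to a site outside the project's own domain, asked members to connect a wallet, and charged 1 SOL to "mint" an NFT that the project had said would be a free airdrop. Each of those three traits is something a server operator can check for automatically before a message reaches 100,000 members. The script below is an added example written for this case study, not code from Fractal or Discord: it scans announcement messages for off-domain or lookalike URLs, for a demand for SOL to mint, and for a wallet-connect prompt tied to an off-domain link. The allowlist, the rule thresholds and the three sample messages are constructed for the example; only `fractal.is` comes from the page.

```python
"""Announcement-channel guard for the fake-mint-link pattern.

Added example, not Fractal's or Discord's code.  It flags announcement
messages that (a) link outside the project's allowlisted domains,
(b) ask for SOL to "mint", or (c) prompt a wallet connection on an
off-domain link.  Everything here is constructed for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Assumption: the project's legitimate web hosts.  fractal.is is the site
# named on the page; a real deployment would maintain this list with the team.
ALLOWED_HOSTS = {"fractal.is"}

URL_RE = re.compile(r"https?://[^\s<>()\"']+", re.IGNORECASE)
PRICE_RE = re.compile(r"\b\d+(?:\.\d+)?\s*SOL\b", re.IGNORECASE)
MINT_RE = re.compile(r"\bmint(?:ing)?\b", re.IGNORECASE)
WALLET_RE = re.compile(r"\bconnect\b[^.!?\n]{0,40}\bwallet\b", re.IGNORECASE)


def host_allowed(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def check_announcement(text: str) -> list[str]:
    """Return the reasons a message should be held for moderator review."""
    reasons: list[str] = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?")          # trailing sentence punctuation
        host = urlparse(url).hostname        # lowercased, port stripped
        if not host:
            reasons.append(f"unparseable url: {url}")
        elif not host_allowed(host):
            # A brand name inside an unapproved host is the classic lookalike.
            tag = "lookalike domain" if "fractal" in host else "off-allowlist url"
            reasons.append(f"{tag}: {host}")
    if PRICE_RE.search(text) and MINT_RE.search(text):
        reasons.append("asks for SOL to mint; the project's airdrop is free")
    off_domain = any(r.startswith(("off-allowlist", "lookalike")) for r in reasons)
    if off_domain and WALLET_RE.search(text):
        reasons.append("wallet-connect prompt pointing off-domain")
    return reasons


def triage(messages: list[dict]) -> dict[str, list[str]]:
    """Map message id -> reasons for every message that trips a rule."""
    flagged = {}
    for m in messages:
        reasons = check_announcement(m["text"])
        if reasons:
            flagged[m["id"]] = reasons
    return flagged


# Constructed sample messages, as a bot might receive them from the channel.
SAMPLE_MESSAGES = [
    {"id": "m1", "author": "announcements-bot",
     "text": "Fractals airdrop update: details at https://fractal.is/airdrop. "
             "The airdrop is free and you will never be asked to pay."},
    {"id": "m2", "author": "announcements-bot",
     "text": "Mint your Fractal NFT now for 1 SOL: https://fractal-mint.example/claim "
             "Connect wallet to mint before supply runs out!"},
    {"id": "m3", "author": "announcements-bot",
     "text": "Tournament brackets: https://docs.fractal.is/metagame"},
]

if __name__ == "__main__":
    for mid, reasons in triage(SAMPLE_MESSAGES).items():
        print(mid, "->", "; ".join(reasons))
```

In practice the check sits in front of the bot's posting path or runs on a gateway event, and a hit should hold the message and page a human rather than silently drop it: the point of the rule on SOL-for-mint is that it encodes a promise the project had already made publicly, so a message breaking that promise is suspect no matter who posted it.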
Total Amount Lost
"An analysis posted on Medium by Tim Cotten, founder of another NFT gaming project, estimated the value of SOL stolen to be around $150,000."
"The hacker made out with ~800 sol (~$150,000) by managing to post a fake mint link in our #announcements channel. With over 100,000 members in our community, it’s quite impressive that the hacker only managed to dupe .3% of our community."
The total amount lost has been estimated at $150,000 USD.
Immediate Reactions
"The announcements bot on our @fractalwagmi discord was hacked. Do not go to any url and connect your wallet / mint anything."
"an unauthorized user posted a fake minting link in Fractal's "#announcements" channel."
"The hacker made out with ~800 sol (~$150,000) by managing to post a fake mint link in our #announcements channel. With over 100,000 members in our community, it’s quite impressive that the hacker only managed to dupe .3% of our community."
"In a Twitter video, co-founder Justin Kan encouraged Fractal members to "always be using a burner" for their crypto wallets, and to always be on the lookout for scams like this one."
"The startup said in its announcement that it will fully compensate the victims of the hack"
Medium Post By Fractal Team
The Fractal Team shared a post on Medium for their community[9].
Dear Fractal community,
Earlier today, approximately 373 of our community members fell victim to a scam posted on our Discord. We are sorry. We are going to make this right.
The hacker made out with ~800 sol (~$150,000) by managing to post a fake mint link in our #announcements channel. With over 100,000 members in our community, it’s quite impressive that the hacker only managed to dupe .3% of our community.
Here are the things we are doing to address this:
- Fractal is planning to fully compensate these 373 victims. We will need a few days to work it out. Please be patient with us. To the victims: We already have the list of Solana wallets that sent funds to the hacker and so we do not need anything from you at this moment. Do not delete your wallet, as we have no way to verify who the wallet owners are outside of returning funds to the wallets that were drained.
- Any information related to our airdrop will be communicated through our Twitter and accompanied by a video from Justin. #ProofOfJustin
- We are in touch with Discord Trust and Safety team to do a full security audit of our Discord.
- It seems like there may be other Discord communities hacked around the same time as us and we are working with them to compare notes and track down the hacker. There are traces everywhere ser. NGMI.
We must all be careful out there, as the next exploit might be much larger and Fractal will likely not be in a position to cover potential future losses. As we’ve said to the community, Fractal’s NFT airdrop is and always was intended to be free. In this case, the hacker was requesting 1 SOL to “mint”. Their story didn’t make much sense. If something doesn’t feel right in crypto, please don’t proceed, even if at first it looks legitimate. We must use our best judgement as there’s no “undo button” in crypto. Fractal will not charge you for any NFT airdrops.
When we chose our twitter handle @fractalwagmi, this is what we meant. WAGMI. Stay safe out there, frens. And happy holidays!
Ultimate Outcome
TBD
Total Amount Recovered
"The startup said in its announcement that it will fully compensate the victims of the hack"
"Fractal is planning to fully compensate these 373 victims. We will need a few days to work it out. Please be patient with us. To the victims: We already have the list of Solana wallets that sent funds to the hacker and so we do not need anything from you at this moment. Do not delete your wallet, as we have no way to verify who the wallet owners are outside of returning funds to the wallets that were drained."
The total amount recovered is unknown.
Ongoing Developments
TBD
Individual Prevention Policies
Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and is not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, a report on any risks to the backing of customer assets, confirmation that treasuries and minting functions are properly secured under the control of a multi-signature wallet, and identification of any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or a significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Solana NFT Project Fractal Becomes a Victim of Another Nasty Discord Attack (Sep 15, 2023)
2. @justinkan Twitter (Sep 15, 2023)
3. @roshankd90 Twitter (Sep 15, 2023)
4. Fractal Homepage (Nov 18, 2022)
5. Fractal Documentation (Sep 15, 2023)
6. Fractal NFT Homepage (Sep 15, 2023)
7. Introducing the Fractal NFT Metagame - Fractal Team Medium (Sep 15, 2023)
8. Fractals Collection - Solanart (Sep 15, 2023)
9. Fractal Team - Our Discord got hacked today. - Medium (Sep 15, 2023)
10. Scammers steal $150K worth of crypto from NFT project with Discord hack - The Verge (Sep 15, 2023)
11. A hacker scammed Fractal's Discord and stole $150,000 - Protocol (Sep 15, 2023)
12. Fractal NFT Project's Discord Gets Hacked, Crypto Worth $150k Stolen - The Crypto Times (Sep 15, 2023)
13. Fractal NFT Discord hacked, scammers make off with $149K worth of SOL - Tweak Town (Sep 15, 2023)
14. The NFT Discord Channels are Attacked By Hackers, who seek to gain traction in Cryptocurrency - Game News 24 (Jul 16, 2022)
15. Warning: Hackers Are Targeting Discord Bots to Rob NFT Users - NFTNow (Jul 16, 2022)
16. Fractal Radio - NFT METAGAME EXPLAINED - YouTube (Sep 15, 2023)
17. Fractal Radio - FRACTAL NFT METAGAME: COMPETE FOR POWER - YouTube (Sep 15, 2023)