Rare Bears Discord Attack
Rare Bears is an NFT set of 2,347 unique bears made by a New Zealand artist nicknamed Enox. The project's Discord server was compromised through the account of one of its moderators, and a fake sale was promoted there. In reality, users who interacted with the promoted site could find their wallets emptied through the permissions they granted. A total of 179 NFTs were stolen in the attack. The NFTs were sold, and the Ethereum proceeds were then mixed through Tornado Cash. No funds have been recovered; however, the project is releasing 50 additional NFTs to affected users in an attempt to make things right.
This is a global/international case not involving a specific country.
About Rare Bears
"The Rare Bears are taking over. They’re cute and sweet, but tough and street. The Bears have a cool retro vibe mixed with a futuristic cyber tone. They’re all about street art, graffiti, music, tech, fashion, and a few old-school video games. They’re down to cuddle once in a while, but if you cross a Bear it’s bad news. The Rare Bears are your ticket into the BearVerse with the most vibrant community around. More NFTs will drop, collabs will happen and more mediums will be explored. We’re bearly getting started."
"Official is an NFT collection that was created on March 09, 2022." "Iain Spanhake A.K.A Enox is a professional digital artist from New Zealand." "The Rare Bears are 2,347 unique NFTs from digital artist, Enox. The first collection released in March 2022 and our upcoming Mare Bear collection will be dropping in the second half of the year."
"Discord seems to be becoming a good “bait” for hackers to carry out phishing attacks on NFT collectors." "Holders of Rare Bears NFTs got scammed on the community’s Discord channel and lost almost $800,000 worth of digital assets in a phishing attack." "[A] new collection of NFT Rare Bears announced that its members had fallen victim to a similar incident and lost more than $790,000 in assets."
"An unidentified person got unauthorized access to the official moderator’s account on the Rare Bears’ server and shared a phishing link." "The fake announcement stated that additional 1,000 unique NFTs priced for 0.1 ETH were added to the collection and are ready to be minted." "The compromised account also invited a bot to lock all channels so no one on the server could warn other members about the NFT fake collection."
"[T]he attacker compromised the project head’s Discord account, who was the owner of the Rare Bears server." "According to a Rare Bears team update, the hacker got access to the account of “Zhodan,” a Rare Bears Discord moderator." "Then, the hacker posted an ‘official’ link in one of the channels, informing about a new release of NFTs. In addition, the unknown person disabled other members’ roles on the server and their ability to write or delete posts and warn about the phishing link."
"The team admitted to having multiple security breaches and confessed not taking appropriate security measures." "After regaining control of the channel and apologizing to the community, the founding members of Rare Bears announced a new member, Discord manager for security audits."
"After realising what had happened, the Rare Bears team managed to regain control of the server. The team members did this by transferring ownership to a new Discord account. They also publicly promised their members that this new account will never interact with members, click any links or accept friend requests."
"A detailed review from Peckshield showed that the hacker stole a combined 179 NFTs from the platform. Aside from the Rare Bears NFT, he was able to get his hands on others, including Azuki and some LAND tokens."
"In a detailed analysis, the hacker was said to have sold all the NFTs, recouping cash worth around $795,000 from the sales." "According to on-chain research, the majority of the NFTs were sold, netting the hacker 286 ETH worth approximately $795,500, the majority of which was immediately sent through Tornado Cash, a crypto mixer used to hide the source of funds." "After the sale, the hacker obfuscated funds through the known mixer, Tornado Cash."
"After the issue was solved, the Rare Bears team decided to compensate Rare Bears community members impacted by the cyberattack: 50 bear NFTs will airdrop on the 22nd of March."
“We are sorry this happened, we care and are trying to make this right as best as we can. We cannot bring back your money, but we can return 50 bears and future benefits,” Rare Bears founders said on Discord.
What Happened
| Date | Event | Description |
|---|---|---|
| March 16th, 2022 9:09:00 PM | Main Event | A compromised moderator account on the Rare Bears Discord server promoted a fake NFT sale; users who interacted with the linked site lost a total of 179 NFTs. |
Total Amount Lost
The total amount lost has been estimated at $795,000 USD.
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Prevention Policies
Individual users should never trust information that is available from only a single source, and should always verify it by checking a more official source or getting a second opinion from others.
The Rare Bears project could have prevented the situation through tighter security on their Discord.
References
Rare Bears – Rare Bears NFT collection from digital artist, Enox (Jul 14)
https://opensea.io/collection/rarebearsnft-official (Jul 14)
Rare Bears Nft - Official (RAREBEARS) Charts & Data | Mintalytics (Jul 14)
Rare Bears NFT Discord Hack: Almost $800,000 Worth of NFTs Stolen | Metaverse Post (Jul 14)
@BearsRare Twitter (Jul 14)
Rare Bears NFT Discord Hack: Scammer Runs Away With $800k In NFTs (Jul 14)
Rare Bears suffers phishing attack (Jul 14)
@BearsRare Twitter (Jul 14)
Rare Bears Discord Phishing Attack Nabs $800K In NFTs - CoinCu News (Jul 14)
Discord hack targeting Rare Bears NFT project nets attacker $800,000 (Jan 26)