Rare Bears Discord Attack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 12:16, 15 February 2023 by Azoundria (talk | contribs)

Rare Bears

The Rare Bears NFTs are a set of NFT bears made by New Zealand artist Enox. A security breach in the Discord of the Rare Bears NFT project allowed an attacker to post a malicious phishing link, which stayed up for over 9 hours before it was finally removed. During that time, an estimated $800k worth of assets were stolen from users. Users who clicked the link and authorized a cheap mint would have had all assets from their wallets taken.

This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29][30][31][32][33][34][35][36][37][38][39][40][41][42][43]

About Rare Bears

"The Rare Bears are taking over. They’re cute and sweet, but tough and street. The Bears have a cool retro vibe mixed with a futuristic cyber tone. They’re all about street art, graffiti, music, tech, fashion, and a few old-school video games. They’re down to cuddle once in a while, but if you cross a Bear it’s bad news. The Rare Bears are your ticket into the BearVerse with the most vibrant community around. More NFTs will drop, collabs will happen and more mediums will be explored. We’re bearly getting started."

"Official is an NFT collection that was created on March 09, 2022." "Iain Spanhake A.K.A Enox is a professional digital artist from New Zealand." "The Rare Bears are 2,347 unique NFTs from digital artist, Enox. The first collection released in March 2022 and our upcoming Mare Bear collection will be dropping in the second half of the year."



The Reality

"Discord seems to be becoming a good “bait” for hackers to carry out phishing attacks on NFT collectors." "Holders of Rare Bears NFTs got scammed on the community’s Discord channel and lost almost $800,000 worth of digital assets in a phishing attack." "[A] new collection of NFT Rare Bears announced that its members had fallen victim to a similar incident and lost more than $790,000 in assets."

"The team admitted to having multiple security breaches and confessed not taking appropriate security measures." "After regaining control of the channel and apologizing to the community, the founding members of Rare Bears announced a new member, Discord manager for security audits."

What Happened

"An unidentified person got unauthorized access to the official moderator’s account on the Rare Bears’ server and shared a phishing link." "The fake announcement stated that additional 1,000 unique NFTs priced for 0.1 ETH were added to the collection and are ready to be minted." "The compromised account also invited a bot to lock all channels so no one on the server could warn other members about the NFT fake collection."

"[T]he attacker compromised the project head’s Discord account, who was the owner of the Rare Bears server." "According to a Rare Bears team update, the hacker got access to the account of “Zhodan,” a Rare Bears Discord moderator." "Then, the hacker posted an ‘official’ link in one of the channels, informing about a new release of NFTs. In addition, the unknown person disabled other members’ roles on the server and their ability to write or delete posts and warn about the phishing link."

As described by Web3IsGoingGreat:

"After hackers successfully compromised the account of one of the Rare Bears Discord moderators, they posted an announcement that new NFTs were being minted. Those who tried to participate in the mint wound up having their accounts compromised and their NFTs stolen."

"Not only did the attackers post a fake mint link, they took steps to prevent the project from thwarting their attack by banning other members and removing user rights that would have allowed other project members to delete the fake links. They also added a bot to the server that locked channels so people couldn't send warnings that the links were fake."

The RareBears Hack Update states:

"Project head's Discord account was reportedly compromised. Project head was the owner of the server. No one can kick, ban, or otherwise overpower the owner of the server. Links were posted directly by the compromised account. You can't remove the "Send Messages" or any other permission from the server owner."

"The compromised account banned every other team member from the Discord or removed their roles, so no-one was able to delete the messages posted. The compromised account invited a fake "Collab.land" bot to automatically lock all channels in the server so no one could communicate that the posts in announcements were fake."

Key Event Timeline - Rare Bears Discord Attack
Date | Event | Description
March 16th, 2022 1:31:00 PM | Hack Mentioned | First mention on Twitter of the Discord being hacked, by @Artzhy_.
March 16th, 2022 2:53:00 PM | Victim Mentioned | The first mention on Twitter by a user who got hacked. These continue up until 9:09 PM.
March 16th, 2022 9:09:00 PM | Twitter Post | The Rare Bears Twitter account @BearsRare announces the exploit on Twitter.
March 17th, 2022 1:50:00 AM | Discord Secure | "We are pleased to let you know that our Discord server is now fully secure. @pandez_ has started doing a full security audit for us. The server will remain locked until the audit is finished tomorrow. We are committed to making things right and we're moving forward!"
March 17th, 2022 1:02:00 PM | Public Apology | The RareBears team issues a formal apology on Twitter. "This was not okay. We are deeply sorry to everyone affected."
March 17th, 2022 5:20:00 PM | Discord Reopened | "our Discord has been audited by @pandez_. We're secure and now open! We can't wait to see you all again! We will release the details of the hack today to outline what happened for full transparency."
March 17th, 2022 8:51:00 PM | Twitter Update | Rare Bears posts their Rare Bears Hack Update description to Twitter to explain what happened. They also said "Our team are working on a solution as we speak for those affected and will announce as soon as we can."
March 17th, 2022 11:13:00 PM | Pandez Tweet | "We're thrilled that @pandez_ is officially part of the Rare Bears Team. His role as Discord Manager will include on-going maintenance, admin and tech support. First-class expertise having worked on Karafuru, World of Women, The Other Side, Psychedelics Anonymous and many more!"
March 20th, 2022 1:32:00 PM | AMA Session | The Rare Bears team announced they were "back" "stronger than ever" and hosted an AMA (Ask Me Anything) where the hack would have undoubtedly come up. No record of the session has been located.
April 12th, 2022 4:45:00 PM | New Discord Lawyer | The Rare Bears team brings on board Shane who "is a lawyer based in Singapore, with a background in law and communications. He looks after Discord management/communications and social media outreach."
April 16th, 2022 2:30:00 AM | New Roadmap | The RareBears team shares their new roadmap[44][45].
May 7th, 2022 10:00:00 AM | Sentimental Post | The RareBears Twitter posts "As a community, we've been through the ringer. We've gone through what could be any other project's worst nightmare. But we've risen to meet adversity and emerged on the other side stronger, more fired up, & with more conviction than ever! Don't bet against the bears."[46]

Total Amount Lost

"A detailed review from Peckshield showed that the hacker stole a combined 179 NFTs from the platform. Asides from the Rare Bears NFT, he was able to get his hands on others, including Azuki and some LAND tokens."

As per CoinTelegraph:

"Analysis from blockchain security firm Peckshield detailed that the attacker was able to steal 179 NFTs including “Rare Bears” and other NFTs from various collections including “CloneX,” “Azuki,” a “mfer” from artist sartoshi, and six LAND tokens used for The Sandbox metaverse."


"In a detailed analysis, the hacker was said to have sold all the NFTs, recouping cash worth around $795,000 from the sales." "According to on-chain research, the majority of the NFTs were sold, netting the hacker 286 ETH worth approximately $795,500, the majority of which was immediately sent through Tornado Cash, a crypto mixer used to hide the source of funds." "After the sale, the hacker obfuscated funds through the known mixer, Tornado Cash."

The total amount lost has been estimated at $795,000 USD.

Immediate Reactions

During the event, multiple users such as @KaiaNFT, @MSTPR0, and @Artzhy_ were proactively warning users on Twitter, but many users didn't see the warnings until after they had already been hacked.

Twitter users from the community such as @whyarewehere42, @kohlsaft, and @DubsyDoes were not very supportive:

"Lol, you post the warning 9 hours after the hack or scam. After more than 200 eth has vanished through tornado cash. 9 hours, really?"

"This is probably game over... Trust is gone. Should focus on a new project with better security."

"Always a few believers I suppose. People literally lost thousands in assets. That’s not ok. They didn’t even address it for 5 HOURS after it happened… nah man."

"[A]lmost two hours since the hack and still under hackers control and still no warning on twitter to their customers, pure negligence."

Twitter users @Sofyan9793, @sungin21c, and @Sir_Teamm asked for refunds:

"You did this announcement too late I hope you gonna refund me guys[.]"

"Can I get compensation for my lost bear and ETH?"

"Excuse me, but th[e apology] is not enough. You have to refund everyone who lost it."

Some like @0xelies even went as far as to suspect team member Zhodan to be behind the theft:

"Stop this masquerade. I'm in Rare Bears from day 1 and can't believe what happened. Zhodan, the head of the team, rugged and betrayed the rest of the team by posting fake mint links. I can't trust you anymore! 600K USD lost and Azukis, CLONE X stolen! It's unrepairable."

Others like @JoshuaBlanks23 and @HuzzaXO expressed support for the project and faith in the team.

"Common sense isn't very common. I'm sure everyone will get sorted out[.] @EnoxArt genuinely cares for his community, it's his brand and reputation on the line. He would not rug."

"Their socials were compromised as well and Enox announced it on his Twitter. So please tell me what you wanted to be done. and it’s the people’s fault for clicking on links. We weren’t forced to lose money, were we? Was everyone hacked? I didn’t think so."

Twitter user @Punishe32385597 lost their bear but still expressed support.

"Lost my bear but still have much love for y’all"

Ultimate Outcome

The team's first move was to issue a formal apology on Twitter.

"[P]eople have been hurt in this process due to some of the team not taking appropriate security measures. We trusted people within the team who said they had fixed things. It has obviously been proven otherwise."

"Things are changing from here on out. We have stepped up and will be leading this from now on. We take security very seriously and we have therefore invested into hiring Pandez to do a full security audit of our discord."

The team had the Discord reopened the following day and continued to run their project.


"After realising what had happened, the Rare Bears team managed to regain control of the server. The team members did this by transferring ownership to a new Discord account. They also publicly promised their members that this new account will never interact with members, click any links or accept friend requests."

The Rare Bears team brought on board a new team member with specific Discord experience.

"We're thrilled that @pandez_ is officially part of the Rare Bears Team. His role as Discord Manager will include on-going maintenance, admin and tech support. First-class expertise having worked on Karafuru, World of Women, The Other Side, Psychedelics Anonymous and many more!"

The RareBears Hack Update states:

"Control was regained when Pandez was onboarded by @enoxart & @artbylino_. Ownership was transferred from project head to the Rare Bears team. A brand new account made by the Rare Bears team is now the owner of the Discord server and will never interact in the server, click any links, accept friend requests or DMs. A full security audit was performed by @pandez_ to ensure perms are reinstated to the team and the server is secure from another attack like this."

"Speaking to Cointelegraph, security consultant Pandez said that users should look out for a few key signs that could mean a message is a scam."

“Almost no serious project will ever do a stealth mint,” Pandez said. “Never click any links which appear like this.”

"Pandez said other red flags are if channels are locked during a “drop” of a new NFT collection, if the link differs from those shared on Twitter or other official sources for the project, and if the link is continuously posted in the channel."

There appears to have been ongoing damage to their reputation, with some members of the community such as @sueyancami reporting being kicked from Discord:

"How is the floor doing? You all kicked me out of the [D]iscord as I said on Friday the floor would be .07 after the weekend. I haven’t checked the floor but I know not trending in top 100. Never bodes well when there is a hack in your discord and you don’t reimburse all[.]"

Total Amount Recovered

While it does not seem that there will be a full recovery, the Rare Bears team pledged to provide 50 bears to those who were affected.

"After the issue was solved, the Rare Bears team decided to compensate Rare Bears community members impacted by the cyberattack: 50 bear NFTs will airdrop on the 22nd of March."

“We are sorry this happened, we care and are trying to make this right as best as we can. We cannot bring back your money, but we can return 50 bears and future benefits,” Rare Bears founders said on Discord.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

The RareBears team hired Shane specifically to help with their Discord management on April 12th.

"We are SO excited to have Shane @lunnietunesNFT as part of the Rare Bears team. He is a lawyer based in Singapore, with a background in law and communications. He looks after Discord management/communications and social media outreach. Let's all welcome him to the #BearFam!"

They posted a new roadmap on April 16th:

"We're coming back stronger than ever. If you haven't seen our Roadmap 2.0 here's a few highlights. new leadership. new utility & holder perks. utility token ecosystem. holders only merch. Factions. Mare Bears. We are excited!"

They've also been posting encouragement to their community such as the following:

"As a community, we've been through the ringer. We've gone through what could be any other project's worst nightmare. But we've risen to meet adversity and emerged on the other side stronger, more fired up, & with more conviction than ever! Don't bet against the bears."

Prevention Policies

Individual users should never trust information that is only present on a single source, and always back it up by checking a more official source or getting a second opinion from others.

The Rare Bears project could have prevented the situation through tighter security on their Discord. They also could have greatly reduced the impact through a faster response time.
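
The red flags Pandez lists above (channels locked during a drop, a link that differs from official sources, a link posted over and over), together with the staff removals and bot invite described in the Hack Update, can be checked mechanically to shorten response time. The following is an added example, not code from Rare Bears or from this repository; the event format, account names, `.example` domains and thresholds are all assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Hypothetical, simplified event records; this is NOT Discord's audit-log schema.
OFFICIAL_DOMAINS = {"rarebears.example"}  # placeholder for the project's published domains
TEAM = {"mod_a", "mod_b", "artist"}       # placeholder staff account names
WINDOW = timedelta(hours=1)               # how far around a post to look for other events


def host_is_official(url, official=OFFICIAL_DOMAINS):
    """True only for an exact official host or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in official)


def red_flags(events, team=TEAM, window=WINDOW):
    """Map each posted URL to the sorted list of red flags seen around it."""
    posts = [e for e in events if e["type"] == "message" and e.get("url")]
    repeats = Counter(e["url"] for e in posts)
    findings = {}
    for post in posts:
        near = [e for e in events if abs(e["time"] - post["time"]) <= window]
        flags = findings.setdefault(post["url"], set())
        if not host_is_official(post["url"]):
            flags.add("link-not-on-official-domain")
        if repeats[post["url"]] >= 3:
            flags.add("link-posted-repeatedly")
        if any(e["type"] == "channel_lock" for e in near):
            flags.add("channels-locked-during-drop")
        if any(e["type"] == "bot_add" for e in near):
            flags.add("bot-added-around-drop")
        # Staff banned or stripped of roles by the same account that posted the link.
        removed = {e["target"] for e in near
                   if e["type"] in ("ban", "role_remove") and e["actor"] == post["actor"]}
        if len(removed & team) >= 2:
            flags.add("poster-removed-staff")
    return {url: sorted(flags) for url, flags in findings.items()}


def _at(minute):
    """Constructed timestamps, minutes after an arbitrary start."""
    return datetime(2000, 1, 1, 12, 0) + timedelta(minutes=minute)


FAKE = "https://rarebears-mint.example/claim"  # constructed lookalike host
REAL = "https://rarebears.example/roadmap"     # constructed official link

# Constructed sample shaped like the sequence in the Hack Update quoted above.
SAMPLE = [
    {"time": _at(0), "type": "ban", "actor": "owner", "target": "mod_a"},
    {"time": _at(1), "type": "role_remove", "actor": "owner", "target": "mod_b"},
    {"time": _at(2), "type": "bot_add", "actor": "owner", "target": "lock-bot"},
    {"time": _at(3), "type": "channel_lock", "actor": "lock-bot", "target": "general"},
    {"time": _at(4), "type": "message", "actor": "owner", "url": FAKE},
    {"time": _at(20), "type": "message", "actor": "owner", "url": FAKE},
    {"time": _at(40), "type": "message", "actor": "owner", "url": FAKE},
    # A routine announcement a week later: official host, nothing else going on.
    {"time": _at(7 * 24 * 60), "type": "message", "actor": "artist", "url": REAL},
]

if __name__ == "__main__":
    for url, flags in red_flags(SAMPLE).items():
        print(url, flags or "no red flags")
```

Because the server owner cannot be overruled from inside the server, findings like these are only useful if they are raised on a channel the compromised account does not control, such as the project's other official accounts.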

References

  1. Bored Ape Yacht Club (BAYC) officially confirmed the project's Discord channel has been hacked - CryptoHubK (Jun 19, 2022)
  2. Rare Bears – Rare Bears NFT collection from digital artist, Enox (Jul 14, 2022)
  3. Rare Bears NFT Collection - OpenSea (Jul 14, 2022)
  4. Rare Bears Nft - Official (RAREBEARS) Charts & Data | Mintalytics (Jul 14, 2022)
  5. Rare Bears NFT Discord Hack: Almost $800,000 Worth of NFTs Stolen | Metaverse Post (Jul 14, 2022)
  6. @BearsRare Twitter (Jul 14, 2022)
  7. Rare Bears NFT Discord Hack: Scammer Runs Away With $800k In NFTs (Jul 14, 2022)
  8. Rare Bears suffers phishing attack (Jul 14, 2022)
  9. @BearsRare Twitter (Jul 14, 2022)
  10. Rare Bears Discord Phishing Attack Nabs $800K In NFTs - CoinCu News (Jul 14, 2022)
  11. Discord hack targeting Rare Bears NFT project nets attacker $800,000 (Jan 26, 2023)
  12. @MSTPR0 Twitter (Jan 28, 2023)
  13. @web3isgreat Twitter (Jan 29, 2023)
  14. Rare Bears Discord phishing attack nabs $800K in NFTs (Jan 29, 2023)
  15. The Block: Hacker steals $790,000 of NFTs and crypto from owners of Rare Bears (Jan 29, 2023)
  16. @BearsRare Twitter (Jan 29, 2023)
  17. @sueryancami Twitter (Jan 29, 2023)
  18. @BearsRare Twitter (Jan 29, 2023)
  19. @Punishe32385597 Twitter (Jan 29, 2023)
  20. @BearsRare Twitter (Jan 29, 2023)
  21. @kohlsaft Twitter (Jan 29, 2023)
  22. @DubsyDoes Twitter (Jan 30, 2023)
  23. @HuzzaXO Twitter (Jan 30, 2023)
  24. @sungin21c Twitter (Jan 30, 2023)
  25. @BearsRare Twitter (Jan 30, 2023)
  26. @0xelies Twitter (Jan 30, 2023)
  27. @Sir_Teamm Twitter (Jan 30, 2023)
  28. @BearsRare Twitter (Jan 30, 2023)
  29. @BearsRare Twitter (Jan 30, 2023)
  30. @Thiago29404948 Twitter (Jan 30, 2023)
  31. @Artzhy_ Twitter (Jan 30, 2023)
  32. @patel07678843 Twitter (Jan 30, 2023)
  33. @whyarewehere42 Twitter (Feb 1, 2023)
  34. @sungin21c Twitter (Feb 1, 2023)
  35. @tripedy_black Twitter (Feb 1, 2023)
  36. @KaiaNFT Twitter (Feb 1, 2023)
  37. @KaiaNFT Twitter (Feb 1, 2023)
  38. @KaiaNFT Twitter (Feb 1, 2023)
  39. @DeucePhlair Twitter (Feb 1, 2023)
  40. @tripedy_black Twitter (Feb 1, 2023)
  41. @tripedy_black Twitter (Feb 1, 2023)
  42. Fake_Phishing5562 | Address 0x67542F6E4Ea651f4c72AB24ABF2Eb9C2c202fcE1 | Etherscan (Feb 1, 2023)
  43. @AcE_NFT_Alpha Twitter (Feb 1, 2023)
  44. @BearsRare Twitter (Jan 29, 2023)
  45. @BearsRare Twitter (Jan 29, 2023)
  46. "We've Been Through The Ringer" - RareBears via Twitter (Jan 29, 2023)