Shamanzs Discord Hack
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Shamanzs' NFT Discord included the third-party Ticket Tool plug-in, which was either malicious or exploited by a third party to post malicious links in the Discord channel. The malicious link took users to a fake minting page, where they could generously donate their money to the hacker if they didn't have an interest in verifying the smart contract address. Multiple users were scammed, and it doesn't seem like the project did anything to assist victims. Proceeds were mixed with TornadoCash.
About Shamanzs
Shamanzs is an original collection of 9898 programmatically generated NFTs on the Ethereum[1] and Solana[2] blockchains. The renowned design studio Brosmind, led by brothers Juan and Alejandro, is involved in the creation of Shamanzs[3][1][4]; the studio has worked with major brands such as Nike, Coca-Cola, and Google[3][4]. The founding team of Shamanzs shares a passion for art, technology, music, and the digital world[1]. The Shamanzs brand focuses on great art and promoting a "Good Vibes Only" movement[4], with a brand which focuses on positive energy and experiences[3]. The high-quality artwork and unique shaman theme make the project stand out[4].
Holders of Shamanzs NFTs will receive exclusive rewards, including access to future art, airdrops, merchandise gifts, discounts in the online shop, and invitations to both physical and digital events[3][4]. The team consists of the artist duo, two additional co-founders, and three other team members[4]. While the co-founders remain somewhat anonymous, their public presence through social media mitigates any concerns[4]. The creators prioritize quality over a speedy launch and aim to build a lasting brand around Shamanzs, bringing together their unique skills and connections to turn it into a long-lasting brand[1]. Shamanzs fall under a new category of NFTs that are designed and built slowly to ensure art quality, becoming visually appealing[2].
The collection was originally minted on May 19th, 2021[5], and features hand-drawn traits to create unique and high-quality loving characters[1][2]. All Shamanzs follow the ERC721 NFT standard, ensuring adaptability and durability[1]. The team is planning a distribution strategy to maximize availability during the minting stage[1].
Each NFT serves as a secret pass to the Shamaverse, which combines digital and physical world utility[1]. The story revolves around wise monks, sadhus, gods, and gurus from different ancient religions coming together to spread love and positive energy[1][5]. They form a unified legion called Shamanzs, aiming to eradicate negative energies from Earth[1][5]. This movement is catching the attention of dormant ancient gods[1][5].
The project aims to create a vibrant and engaging community for NFT enthusiasts[3]. The Shamanzs project has garnered a large community with over 137,000 Twitter followers and 48,000 Discord members[4]. The engagement within the community is high[4]. The launch mechanics of Shamanzs follow a multi-stage private sale and a public Dutch auction, with only 1,860 NFTs available to the public[4]. Given the project's popularity, it is expected to sell out quickly during the Dutch auction, which starts at a price of 0.5 ETH and gradually decreases every 15 minutes until reaching 0.15 ETH[4].
The FAQs section on their website provides information about NFTs, Metamask (a digital wallet for purchasing Shamanzs), and the uniqueness of Shamanzs[1].
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The Shamanzs Discord channel was breached through the Ticket Tool plug-in, which allowed the attacker to post phishing links at scale, leading many users to give up access to their wallets.
Date | Event | Description |
---|---|---|
May 19th, 2021 | Original Shamanzs Minting | The Shamanzs original mint opens up[5]. |
April 1st, 2022 12:10:00 AM MDT | ZachXBT Reports Attack | Twitter user ZachXBT reports that the Shamanz Discord is also attacked[6]. The funds are being sent to Fake_Phishing5519[6][7]. |
April 1st, 2022 12:56:24 AM MDT | Shamanz Report On Twitter | Shamanz posts a response on Twitter[8] indicating that they "acted fast"[9]. |
April 1st, 2022 12:35:00 PM MDT | Vice News Article Published | Vice News publishes an article on the situation[10], which includes that the Discord channels of platforms including Bored Ape Yacht Club, Nyoki, Shamanz, Doodles, and Kaiju Kingz were all hacked. It provides an excerpt of some of the phishing posts, some basic blockchain analysis, and mention of some other Discord attacks[11]. |
April 1st, 2022 12:46:00 AM MDT | Serpent Reports Ticket Tool Hack | Twitter user Serpent (formerly SerpentAU) makes another post that it's "100% CONFIRMED" that "TICKET TOOL IS HACKED" along with screenshots of an "AUDIT LOG FROM DOODLES & SHAMANZS"[12][13]. |
April 1st, 2022 1:22:00 AM MDT | sv3nsei Reports Multiple Bots Hacked | Twitter user sv3nsei reports a list of hacked Discords (including Bored Ape Yacht Club, Doodles, Kaiju Kingz, Shamanzs, and Zooverse NFT) and a list of hacked Discord bots including Arcane Bot, Captcha Bot, and Ticket Tool Bot[14]. |
April 1st, 2022 1:34:00 AM MDT | Ticket Tool Posts Tweet | Ticket Tool posts an update Tweet that the problem was a recent update that "had a bug allowing for some type of permission exploit". The developer reported that he "reverted the update to the previous uncompromised version and will be looking into exactly how this happened"[15]. |
April 2nd, 2022 9:12:00 AM MDT | Serpent Requesting Code Inspection | Serpent requests to be unbanned from the Ticket Tool discord and that he be allowed to look at the source code to get more information[16]. His Tweet does not appear to have ever been responded to. |
April 2nd, 2022 5:23:48 PM MDT | CryptoHubK Article Published | CryptoHubK published a summary of the situation. It is reported that hackers gained access to the Discord of Bored Ape Yacht Club, Mutant Ape Yacht Club, and Mutant Ape Kennel Club. The article included the PeckShield alert. Some information is later included on the Doodle NFT Discord attack, and the suggestion that this was responsible for the loss of Jay Chou's BAYC #3738. The article also includes general information on other Discord hacks, however it appears to incorrectly state the dates as March 1st for other attacks[17]. |
April 4th, 2022 10:39:11 AM MDT | Tech Radar Article Published | TechRadar publishes an article on the situation[18]. It includes Bored Ape Yacht Club, Nyoki, Shamanz, Doodles, and Kaiju Kingz. An example of the phishing tweet on Bored Ape Yacht Club is provided, as well as the response by Nyoki Club. It gives some background on the NFT minting process, and mentions that all projects were quick to react to the situation. Information about the wallets was also included[19]. |
April 4th, 2022 10:48:00 AM MDT | Candid Technology Article Published | Candid Technology publishes an article on the situation. The article mentions Bored Ape Yacht Club, Nyoki, and Shamanzs as victims, as well as referencing attacks on Doodles and Kaiju Kingz as reported by ZachXBT. The reactions by platforms Nyoki Club and Bored Ape Yacht Club were included, as well as wallet addresses Fake_Phishing5519 and Fake_Phishing5520 and some of the attempts at mixing the proceeds[20]. |
April 4th, 2022 | Game News 24 Article Published | Game News 24 publishes an article that "Bored Ape Yacht Club, Nyoki and Shamanz have all tweeted warnings to users that their Twitter bots have been hacked and are advertising new, completely fake NFTs" and that "the link directs users’ crypto to a pair of crypto wallets that have been illegally laundering their ill-gotten gains"[21]. |
April 8th, 2022 12:11:23 PM MDT | NFTNow Article Published | NFTNow publishes an article on the situation[22]. It mentions Bored Ape Yacht Club, Shamanz, and Nyoki Club as the projects with their Discord channels attacked. Fake NFT links are included, and a specific quote of the announcements for Nyoki Club. Background on the funds, wallets, and some history of Discord attacks is also included in the article[23]. |
Technical Details
TBD
"Hackers are mainly posing a fake phishing scam using the Discord Bot to disguise the fake links as legitimate new offerings. Vice confirmed that the link links users to two crypto wallets, such as Fake_Phishing5519 and Fake_Phishing5520 on blockchain explorer Etherscan, and that both wallets have experience extensive activity over the past few days as the hackers try to launder their stolen cryptocurrency."
"The first account obtained one NFT, sold it, and sent almost 20 ETH to the second wallet. The second one then sent more than 60 ETH to a mixing service, to “launder” the tokens. After that, the second wallet sent .6 ETH to two addresses - one inactive, and one with more than 1,400 ETH, and more than 6 million Tether coins."
Total Amount Lost
The total amount lost is unknown.
The attacker's wallets reportedly include Fake_Phishing5519[7] and Fake_Phishing5520[24].
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
Shamanzs reportedly removed the link within 5 minutes.
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
"Bored Ape Yacht Club, Nyoki and Shamanz have all tweeted warnings to users that their Twitter bots have been hacked and are advertising new, completely fake NFTs. If users take users to legitimate NFT sites, the link directs users’ crypto to a pair of crypto wallets that have been illegally laundering their ill-gotten gains."
"We acted fast and in less than 5 minutes we could find the hack. Thanks for everyone helping. The ticket bot has been compromised, remove it from you server if you haven’t yet. We made our DC private."
Shamanz Twitter Post
Shamanz posted on Twitter[8].
We acted fast and in less than 5 minutes we could find the hack. Thanks for everyone helping. The ticket bot has been compromised, remove it from you server if you haven’t yet. We made our DC private.
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
While Ticket Tool has not released an official announcement, they did offer this explanation: "A recent update I made to the add command had a bug allowing for some type of permission exploit. I've reverted the update to the previous uncompromised version and will be looking into exactly how this happened. The bot itself is not compromised beyond a very unfortunate bug."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
It is recommended to be extremely cautious of any links posted on Discord, given the repeated breaches of official accounts using the platform, including links posted by the project's own bots. Always check any communication against multiple official sources of a project before proceeding.
Any time that you are promised any profit or benefit in exchange for an initial payment, smart contract approval, or deposit, take special care as to whether the entity making that offer is trustworthy, actually who they say they are, and has the means to fulfill what they're promising. There are no magic algorithms providing guaranteed returns from trading or mining. Trading on average will lose money. Mining is expensive and complex. No one is going to immediately send back more than you sent them. NFT projects will rarely announce a surprise mint in only a single location. Are you fully prepared for the event that your money is kept and nothing is delivered in return?
Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Platforms should be extremely cautious regarding the permissions which are granted via Discord, and limit the access levels to critical functionality. Discord should improve their security and offer multi-signature permissions for key functions. Ideally, public groups should be managed from an exclusive account which isn't used for anything else.
Ideally, performing key actions such as banning moderators or posting global announcements would be set up such that multiple approvals are required. In this way, it would be much more challenging to breach, particularly when combined with security training.
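As an added illustration of limiting what a bot integration can do (this is constructed example code, not code from Shamanzs, Ticket Tool, or this wiki), the following Python script decodes the permission bitfield Discord stores on a role and flags a bot role that holds more than a ticket bot plausibly needs. The role records and the `TICKET_BOT_NEEDS` allowlist are assumptions.

```python
# Constructed example: least-privilege audit of Discord bot role permissions.
# Discord returns a role's `permissions` as a decimal string encoding a
# bitfield; the bit positions below follow Discord's documented flags.
PERMS = {
    "KICK_MEMBERS": 1 << 1,
    "BAN_MEMBERS": 1 << 2,
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4,
    "MANAGE_GUILD": 1 << 5,
    "VIEW_CHANNEL": 1 << 10,
    "SEND_MESSAGES": 1 << 11,
    "MANAGE_MESSAGES": 1 << 13,
    "EMBED_LINKS": 1 << 14,
    "READ_MESSAGE_HISTORY": 1 << 16,
    "MENTION_EVERYONE": 1 << 17,
    "MANAGE_ROLES": 1 << 28,
    "MANAGE_WEBHOOKS": 1 << 29,
}

# Bits that let a compromised bot escalate privileges, impersonate the team
# through webhooks, or push a link to every member in one announcement.
HIGH_RISK = {
    "ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES", "MANAGE_WEBHOOKS",
    "MENTION_EVERYONE", "BAN_MEMBERS", "KICK_MEMBERS",
}

def decode(bitfield):
    """Return the named permissions set in a permission integer or string.
    Note: ADMINISTRATOR implicitly grants everything, so it is listed alone."""
    value = int(bitfield)
    return {name for name, bit in PERMS.items() if value & bit}

def audit_role(role, allowlist):
    """Report high-risk bits and any bit outside the bot's documented needs.
    role: {"name": str, "permissions": str}; allowlist: permission names the
    bot needs. Returns a list of findings; an empty list means within policy."""
    granted = decode(role["permissions"])
    findings = []
    for perm in sorted(granted & HIGH_RISK):
        findings.append(f"{role['name']}: holds high-risk permission {perm}")
    for perm in sorted(granted - allowlist - HIGH_RISK):
        findings.append(f"{role['name']}: unnecessary permission {perm}")
    return findings

# Assumed needs of a ticket bot: read/post in channels, embed links, create
# ticket channels. Nothing here allows mass mentions or role/webhook changes.
TICKET_BOT_NEEDS = {
    "VIEW_CHANNEL", "SEND_MESSAGES", "EMBED_LINKS", "MANAGE_CHANNELS",
    "READ_MESSAGE_HISTORY",
}

SAMPLE_ROLES = [  # constructed role records, not real server data
    {"name": "ticket-bot (as installed)", "permissions": str(1 << 3)},
    {"name": "ticket-bot (hardened)",
     "permissions": str(sum(PERMS[p] for p in TICKET_BOT_NEEDS))},
]

def audit_all(roles=SAMPLE_ROLES, allowlist=TICKET_BOT_NEEDS):
    """Audit every role; returns {role name: findings}."""
    return {r["name"]: audit_role(r, allowlist) for r in roles}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or ["within policy"])
```

The same check can be run against the `permissions` value embedded in a bot's OAuth invite URL before the bot is added to a server.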
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
Training platform operators can help avoid incidents such as these, and requiring two separate security sign-offs prior to a project launching would likely catch any weak security practices.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Shamanzs NFT - The Ones Who Know (Jul 14, 2022)
2. Shamanzs - NFT Mint Radar (Nov 25, 2022)
3. Shamanzs NFT - NFT Overview - Lucky Trader (Nov 24, 2022)
4. 3 Best NFT Drops to Kick Off May 2022 - TechMoneyCulture (Nov 25, 2022)
5. Shamanzs NFT - NFTdroops (Jul 14, 2022)
6. zachxbt - "Shamanzs Discord hacked too." - Twitter (Jul 17, 2022)
7. Fake_Phishing5519 Wallet - Etherscan (Jun 20, 2022)
8. Shamanz - "We acted fast and in less than 5 minutes we could find the hack. Thanks for everyone helping. The ticket bot has been compromised, remove it from you server if you haven’t yet. We made our DC private." - Twitter Archive April 1st, 2022 12:56:24 AM MDT (Apr 21, 2023)
9. shamanzs - "We acted fast and in less than 5 minutes we could find the hack. Thanks for everyone helping. The ticket bot has been compromised, remove it from you server if you haven’t yet. We made our DC private." - Twitter Archive April 1st, 2022 12:56:39 AM MDT (Jul 17, 2022)
10. Bored Ape Yacht Club, Other Major NFT Project Discords Hacked by Scammers - Vice News Archive April 1st, 2022 12:40:01 PM MDT (Apr 21, 2023)
11. Bored Ape Yacht Club, Other Major NFT Project Discords Hacked by Scammers - Vice (Jul 17, 2022)
12. Serpent - "TICKET TOOL IS HACKED" - Twitter (Apr 19, 2023)
13. SerpentAU - "TICKET TOOL IS HACKED" - Twitter Archive April 1st, 2022 1:19:05 AM MDT (Apr 19, 2023)
14. sv3nsei - "LIST OF HACKED DISCORDS: @BoredApeYC @doodles @KaijuKingz @shamanzs @Zooversenft LIST OF HACKED BOTS: - Arcane bot - Captcha bot - Ticket tool bot" - Twitter (Jul 17, 2022)
15. Ticket_Tool - "A recent update I made to the add command had a bug allowing for some type of permission exploit.." - Twitter (Jul 17, 2022)
16. Serpent - "can you unban me from the discord? ... I would like to look at the code to see what happened." - Twitter (Apr 21, 2023)
17. Bored Ape Yacht Club (BAYC) officially confirmed the project's Discord channel has been hacked - CryptoHubK (Jun 19, 2022)
18. Several huge NFT Discords hacked by scam attacks - TechRadar Archive April 4th, 2022 9:39:11 PM MDT (Apr 21, 2023)
19. Several huge NFT Discords hacked by scam attacks - TechRadar (Jul 17, 2022)
20. BAYC, Nyoki, Shamanz and other NFT projects suffer Discord hack - Candid Technology (Jul 17, 2022)
21. The NFT Discord Channels are Attacked By Hackers, who seek to gain traction in Cryptocurrency - Game News 24 (Jul 16, 2022)
22. Warning: Hackers Are Targeting Discord Bots to Rob Nft Users - NFTNow Archive April 8th, 2022 12:11:23 PM MDT (Apr 21, 2023)
23. Warning: Hackers Are Targeting Discord Bots to Rob NFT Users - NFTNow (Jul 16, 2022)
24. Fake_Phishing5520 Wallet - Etherscan (Jul 13, 2022)