Monkey Kingdom Discord Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Monkey Kingdom

Monkey Kingdom's NFT launch was interfered with by fraudulent links, which pretended to allow users to mint NFTs for the project. The malicious links were sent from the official channel of the project. Heavy losses were taken, reportedly up to $1.3m USD.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12]

About Monkey Kingdom

"Monkey Kingdom is one of the known “Bluechip” projects in Solana NFT space, currently sitting at 45 SOL FP, but reaching the floor price up to 100 SOL (~$18,000)."

"Monkey Kingdom's first collection (Gen 1) - 2,222 uniquely generated 32x32 pixels NFTs on the Solana Blockchain. Daily $PEACH token airdrop, staking, breeding, metaverse development and real world exclusive meet-ups and merch collabs. Gen 2 - Diamond Baepes (on Solana) Gen 3 - Monkey Legends (on Ethereum)"

"There was a scheduled party with Steve Aoki to celebrate the new minting collection."

The Reality

"The [Monkey Kingdom project] reported earlier that malicious links were spreading via DM, so they announced to not click anything except the official announcement channel."


Many fake bots exist online which attempt to gain access to the Discord accounts of cryptocurrency service administrators. A compromised account can later be used to manage the group or post announcements.

"Once you interact with these fake bots they will snag your discord token, giving them instant access to your account without 2FA or your password."

What Happened

On December 21st, 2021, "users of Solana-powered NFT projects Fractal and Monkey Kingdom faced phishing fraud via the official servers."

"[B]ut it ended up really bad." "Just before the real mint, a big hack happened over the Monkey Kingdom Solana NFT project. Over $1.2 million [was] hacked from thousands of people who tried to mint and some individuals are reporting that they lost 650 SOL (~$100,000)."

Key Event Timeline - Monkey Kingdom Discord Hack
Date | Event | Description
December 21st, 2021 12:08:05 PM MST | Reddit Discussion | News of the incident was shared on Reddit[13]. Community reactions to the incident varied. Some community members clarified that this wasn't a hack but rather a scam. Others discussed the technical details of how the scam occurred. Concerns were raised about Discord bots being compromised, with some speculating that it could be an inside job. Community members stressed the importance of using burner wallets for minting NFTs. There was a debate about personal responsibility, with some suggesting that users should exercise caution and double-check links before proceeding. Some community members expressed sympathy for the victims and recommended using hardware wallets for securing significant cryptocurrency holdings. Overall, the community emphasized the need for better security practices and awareness to prevent similar scams.

Technical Details


"This seems like a well-planned attack." "[It] seems that [a] malicious bot sent an official announcement with a malicious link, which looked exactly like the original website." "[T]he malicious bot sent the announcement from the official channel, and people were rushing like crazy to be the first one to mint. They also reported a DDOS attack on their website, which made it unavailable, just before the mint."


Total Amount Lost

"Over 7,000 SOL ($1.2 million) got lost." "According to a report, hackers were able to steal crypto worth $150,000 and $1.3 million from Fractal and Monkey Kingdom NFT holders, respectively."

The total amount lost has been estimated at $1,300,000 USD.

Immediate Reactions

The issue was also discussed on Reddit.

Reddit Discussion Thread

The incident was shared on Reddit[13]. Community reactions to the incident varied.

  1. Some community members clarify that this wasn't a hack but rather a scam, highlighting that the victims believed they were sending money to the real mint but were deceived.
  2. Others discuss the technical details of how the scam occurred, explaining that a scammer posted a fake mint link on the official Monkey Kingdom Discord server, leading users to approve a sweeper contract that drained their wallets.
  3. Concerns are raised about Discord bots being compromised, with some speculating that it could be an inside job.
  4. Community members stress the importance of using burner wallets for minting NFTs and interacting with suspicious websites to prevent such incidents.
  5. There's a debate about personal responsibility, with some suggesting that users should exercise caution and double-check links before proceeding.
  6. Some community members express sympathy for the victims and recommend using hardware wallets for securing significant cryptocurrency holdings.
  7. Overall, the community emphasizes the need for better security practices and awareness to prevent similar scams in the future.


"Since minting such a big project is a race of fast fingers, a lot of people didn’t pay attention to what is going on. The website asked for permission from a Phantom wallet, and it actually drained all SOL from their wallet."


"Guys I got drained 650 $SOL. It is one of my biggest mistakes. I am always recommending people using burner but I was nervous and fomo the Monkey Kingdom Mint. Never thought it was not a legit mint link in official discord. It is important money to my family: my wife, my son."


Ultimate Outcome

Investigation With Discord Developers

"The [Monkey Kingdom team] are investigating with Discord developers what happened, and also said they will make it up to all victims, but let's see what will happen."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

TBD

Individual Prevention Policies

The primary issue is the approval of the malicious transaction. While the announcement was in the official Discord channel, it directed users to a malicious, non-official website. Furthermore, the specific transaction was malicious and drained funds from wallets.

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

Losses could be massively reduced by using a separate wallet for all minting with only a small balance. Other assets and NFTs can then be transferred to cold storage for safekeeping.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

The primary issue was the breach of an official channel of a major NFT project. This could have been avoided with better channel security that had been independently validated.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

One very effective way of setting up the Discord permissions would require multiple signatures to approve any announcements. In this way, it becomes exponentially challenging for an adversary to post a fraudulent link.
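
One way such an announcement gate could work, sketched as an added example that is not code from this case study or from the Monkey Kingdom project: an announcement is released only if every link points at an official domain and a threshold of distinct approvers has signed the exact text. The approver names, keys, the domain `mint.example.org` and the threshold of 2 are constructed placeholders, and HMAC tags stand in for real per-approver signatures.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Constructed values: approver names/keys, domain and threshold are placeholders.
APPROVER_KEYS = {"alice": b"key-a", "bob": b"key-b", "carol": b"key-c"}
OFFICIAL_DOMAINS = {"mint.example.org"}
THRESHOLD = 2  # distinct approvals needed before release
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def approve(approver: str, text: str) -> str:
    """Approver's tag over the exact text (HMAC stands in for a real signature)."""
    msg = hashlib.sha256(text.encode("utf-8")).digest()
    return hmac.new(APPROVER_KEYS[approver], msg, hashlib.sha256).hexdigest()


def off_domain_links(text: str) -> list[str]:
    """Return links whose host is not exactly an official domain."""
    bad = []
    for url in URL_RE.findall(text):
        try:
            host = (urlsplit(url).hostname or "").lower().rstrip(".")
        except ValueError:  # malformed URL: fail closed
            host = ""
        if host not in OFFICIAL_DOMAINS:
            bad.append(url)
    return bad


def may_publish(text: str, approvals: dict[str, str]) -> tuple[bool, str]:
    """Allow release only for official links and enough valid approvals."""
    bad = off_domain_links(text)
    if bad:
        return False, "off-domain link: " + bad[0]
    valid = {
        name for name, tag in approvals.items()
        if name in APPROVER_KEYS
        and hmac.compare_digest(tag, approve(name, text))
    }
    if len(valid) < THRESHOLD:
        return False, f"{len(valid)} of {THRESHOLD} approvals"
    return True, "ok"
```

Because each tag covers the exact text, editing a link after approval invalidates the approvals already collected.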

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Cryptocurrency users could also have protected themselves through better education. This can provide an understanding of the risks of fake mint phishing attacks and of the need to double-check the official URLs of all projects.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

An industry insurance fund could assist affected users in events where an attack is still successful. While this is a discretionary process, it's likely that in clear fraud events like this, all losses could be covered.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

The primary issue was the breach of an official channel of a major NFT project. This could have been avoided with better channel security that had been independently validated.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not have performed an assessment within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Cryptocurrency users could also have protected themselves through better education. This can provide an understanding of the risks of fake mint phishing attacks and of the need to double-check the official URLs of all projects.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

An industry insurance fund could assist affected users in events where an attack is still successful. While this is a discretionary process, it's likely that in clear fraud events like this, all losses could be covered.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References