Moonbirds Airdrop Phishing

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Moonbirds

The Moonbirds NFT project suffered an attempted phishing attack. Attackers rebranded an account with 60k followers and used it to promote a supposed Moonbirds airdrop. Victims were taken to another website with a malicious smart contract designed to steal their funds.

It is unclear how successful the attack was. It is possible that no funds were taken, since there may have been limited overlap in followers between the Moonbirds Twitter account and the fake account, and commenting was allowed for most of a day, which could have warned others about the scam before they participated.

About Moonbirds

Proof Collective is a podcast hosted by Kevin Rose[1][2], a prominent US tech investor and entrepreneur[3]. The podcast explores various aspects of the NFT space through interviews with influential figures[1]. The Proof Collective is a group of NFT collectors and artists who hold a membership NFT, granting them access to a private Discord, early podcast access, IRL (in real life) events, and exclusive collaborations[1][2].

Moonbirds are the official profile pictures (PFPs) of the PROOF Collective, with a higher supply than the membership NFT[1][2]. The Proof Collective consists of 1,000 NFT collectors who share investment opportunities and gain access to exclusive whitelists[3]. The team's experience is reflected in their transparent and consistent communication[3]. They engage with the community through regular updates, town halls, and seeking input on key decisions. The Proof membership offers utility through various NFT drops, whitelist access, and upcoming in-house NFT analysts[3]. The team's vision extends to Project Highrise, their own innovative and engaging metaverse, which has generated much excitement[3].

Moonbirds implement a "Proof-of-Time" mechanic to discourage flipping and reward long-term holding[1]. Users can nest their Moonbird NFTs to accrue points and unlock benefits, which are lost if the NFT is removed from the nest[1]. The project aims to foster a genuine community through incentivization and engagement[1]. The Moonbirds project has gained significant value, driven by the desire to be connected to Kevin Rose and the PROOF Collective. The future of the project promises more than just free stickers, with community-driven events and opportunities expected[1].

The strong community behind the Proof Collective played a significant role in the success of Moonbirds[3]. The collective consists of influential NFT collectors and artists, fostering a supportive and informed environment[3]. The gated nature of the community ensures streamlined communication and reduced noise compared to other open communities[3]. In addition to the Proof Membership pass, members received two Moonbirds NFTs, and they had the opportunity to participate in the Grails in-house NFT drop featuring renowned artists[3].

The Proof Collective, known for their Moonbirds NFT project, has become widely recognized in the NFT space due to its impressive launch and performance[3]. Moonbirds saw a remarkable surge in value, surpassing even popular NFT projects like Bored Ape Yacht Club and CryptoPunks[3]. The project raised $60 million upon launch and achieved a total trading volume of $238 million[3]. The team is focused on building products, pushing technological boundaries, and having fun while doing it[2].

The project is described on their homepage[4], promotional YouTube video[2], and OpenSea collection page[5].

Moonbirds are art collectors, creatives, and dreamers. Our community is a home for those seeking real connection as we all contribute to the future of web3 art, culture, and technology.

To some, the “art world” can feel daunting or stuffy; a cryptic pastime reserved for those with sufficient insight and deep pockets.

It doesn’t have to be that way. We’re in the midst of a cultural revolution—a digital renaissance—in which art is being transformed into something everyone can appreciate, own, and share. Our goal is to create unique experiences for collectors to connect with artists to own and champion their art. And to have a lot of fun along the way.

Moonbirds is the art collector’s PFP. Each of the 10,000 digital artworks in the collection grants holders access to unique experiences to connect with artists and own and champion their art. As a community, Moonbirds is a home for creatives, dreamers, and collectors seeking real connection as we all contribute to the future of web3 art, culture, and technology. Moonbird art is entirely in-chain, meaning the images are outputted directly from the smart contract, with no need for storage on IPFS or the like. There are also a number of customisable backgrounds available to holders based on their on-chain activity (such as other NFT holdings)—which disappear when the bird is transferred. You can check what each bird looks like with the different backgrounds (and see if they have any unclaimed rewards!) on our site.


The speaker emphasizes the importance of artist collaborations and announces plans for more Proof artist collaborations in the future[2].

"Moonbirds are more than just an avatar. They're a collection of 10,000 utility-enabled PFPs that feature a richly diverse and unique pool of rarity-powered traits. What's more, each Moonbird unlocks private club membership and additional benefits the longer you hold them. We call it nesting – because, obviously."

"Once inside, you will have exclusive access to Moonbird-related drops, Parliament meetups and IRL events, and access to upcoming PROOF projects; including the PROOF metaverse, codenamed Highrise."

"The money collected via this Moonbirds project goes to PROOF Holdings, a True Ventures backed Web3 media company that brings together NFT artists and creators."

“We have big plans and this funding will be used solely to expand our team and launch new products — ultimately creating additional value for our community,” the project website says.

"BEWARE of scammers, we don't Instagram, have a public discord, or have any other URL other than http://moonbirds.xyz"

"To celebrate almost 60k followers on our official twitter account, we want to give you the biggest airdrop in the history of the NFT community. To find out more, go to the airdrop page."

"When people started calling out the tweet, they locked people’s ability to reply under the guise of “safety” so nobody else could highlight the scam."

"Birds, we are worried about your safety, and until Elon buys Twitter and stops these crazy scammers, we are closing comments to keep you safe. Will be open in 48 hours."

"The link opened to a fake airdrop page. Few people realized the scam until they read Moonbirds’ verified account and put up a post to beware of the scammers."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Moonbirds Airdrop Phishing

| Date | Event | Description |
|---|---|---|
| March 4th, 2022 5:22:24 PM MST | Future Proof Published | The Future PROOF video is published. Kevin Rose expresses excitement and gratitude for everyone's presence. He outlines three key areas of focus for the Proof Collective: building products, providing knowledge, and fostering community. He introduces Proof Deep Dives, which will offer concise and actionable PDF reports exclusively for Proof members, covering various NFT projects and launches. He also announces Proof Weekly Highlights, where research analysts will curate important Discord posts and NFT industry news into a weekly PDF summary[2]. |
| April 8th, 2022 3:57:00 PM MDT | Moonbirds Warning Tweet | Moonbirds tweets a warning: "BEWARE of scammers, we don't Instagram, have a public discord, or have any other URL"[6]. |
| April 18th, 2022 6:55:36 PM MDT | Moonbirds #6544 Stolen | The blockchain transaction for the theft of Moonbird #6544[7]. |
| April 18th, 2022 6:57:25 PM MDT | Moonbirds #6544 Resold | The stolen Moonbird is resold for 18 ETH[8]. The floor price at the time is 18.5 ETH[9]. |
| April 22nd, 2022 | JSuite Blog Post | A blog post covers the events leading up to the Moonbirds NFT theft, including the Twitter account with 55k followers[9]. |
| April 22nd, 2022 1:59:00 AM MDT | PeckShield Post Twitter Warning | PeckShield reports on the phishing site[10]. |
| April 23rd, 2022 10:29:00 PM MDT | Twitter Report to Namecheap | Twitter user CryptoHoward reposts the warning and tags Namecheap's Twitter account[11]. |
| April 23rd, 2022 10:42:00 PM MDT | Namecheap Suspends Account | Namecheap reports that they have suspended the claim-moonbirds.com domain[12]. |
| April 25th, 2022 2:19:00 PM MDT | Tweet In MalwareBytes Blog | The timestamp of the tweet in MalwareBytes blog. TBD Unknown timezone[13]. |
| May 3rd, 2022 | MalwareBytes Blog Article | The phishing scam is given special mention in a blog post by MalwareBytes[13]. |
| May 26th, 2022 | Techsprout News Article | An article by Techsprout News reports that a total of 29 Moonbirds NFTs have been stolen[14]. TBD fill in more details. |
| August 18th, 2022 | Journal of Cyber Policy | The incident gets honourable mention in a Journal of Cyber Policy[15]. TBD fill in more. |

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

The Moonbirds #6544 appears to be blocked from trading on OpenSea due to suspicious activity[16].

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

Never interact with any project except through that project's official website. Bookmark the official website of every project. Keep the majority of funds offline and never have more funds than necessary in your current active wallet.
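One way to enforce the "official website only" rule in a link filter or wallet front-end, as an added example that is not part of the original case study. It treats `moonbirds.xyz` (from the project's warning tweet) as the only official domain; the function name and the brand-token list are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# The only official domain, per the project's own warning tweet quoted on this page.
OFFICIAL_DOMAINS = {"moonbirds.xyz"}
# Assumption: brand strings that mark a non-official host as an impersonation.
BRAND_TOKENS = {"moonbirds"}


def classify_link(url: str) -> str:
    """Return 'official', 'lookalike', 'other' or 'invalid' for a link."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
        # .hostname drops any "user@" prefix and port, and lowercases the name,
        # so text placed before an "@" is never mistaken for the host.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    try:
        # Compare the ASCII (punycode) form so look-alike Unicode letters
        # can never compare equal to the official name.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "invalid"
    # Official means an exact match or a true subdomain, matched on a label
    # boundary from the right-hand side of the name.
    for official in OFFICIAL_DOMAINS:
        if host == official or host.endswith("." + official):
            return "official"
    # Any other host that carries the brand name is an impersonation.
    flat = host.replace("-", "").replace(".", "")
    if any(token in flat for token in BRAND_TOKENS):
        return "lookalike"
    return "other"
```

Only an `official` result should be treated as the project; `lookalike` is the case worth alerting on, and `other` is simply not the project.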

Any time that you are promised any profit or benefit in exchange for an initial payment, smart contract approval, or deposit, take special care to check whether the entity making that offer is trustworthy, is actually who they say they are, and has the means to fulfill what they're promising. There are no magic algorithms providing guaranteed returns from trading or mining. Trading on average will lose money. Mining is expensive and complex. No one is going to immediately send back more than you sent them. NFT projects will rarely announce a surprise mint in only a single location. Are you fully prepared for the event that your money is kept and nothing is delivered in return?

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
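To make "review the transaction in full" concrete, the added example below (not part of the original case study) decodes a transaction's input data and reports which address would gain control of assets. The selectors are the standard ERC-20/ERC-721 ones; the function names, risk labels and the sample address are assumptions constructed for illustration.

```python
# Selectors of the standard ERC-20/ERC-721 calls that grant or use the right
# to move a wallet's assets (first 4 bytes of keccak-256 of the signature).
SELECTORS = {
    "a22cb465": "setApprovalForAll",  # (address operator, bool approved)
    "095ea7b3": "approve",            # (address spender, uint256 amountOrTokenId)
    "23b872dd": "transferFrom",       # (address from, address to, uint256)
    "42842e0e": "safeTransferFrom",   # (address from, address to, uint256)
}
ZERO = "0x" + "00" * 20
MAX_UINT256 = 2**256 - 1


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI argument following the selector."""
    w = data[4 + 32 * i : 36 + 32 * i]
    if len(w) != 32:
        raise ValueError("calldata is truncated")
    return w


def _address(w: bytes) -> str:
    """Decode an ABI address word: 12 zero padding bytes, then 20 address bytes."""
    if any(w[:12]):
        raise ValueError("address word has non-zero padding")
    return "0x" + w[12:].hex()


def review_calldata(calldata_hex: str, trusted: set) -> tuple:
    """Return (risk, explanation); `trusted` = lowercase addresses verified out of band."""
    h = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(h)
    name = SELECTORS.get(data[:4].hex())
    if name is None:
        return ("review", "unrecognised selector 0x" + data[:4].hex())
    if name == "setApprovalForAll":
        operator = _address(_word(data, 0))
        if int.from_bytes(_word(data, 1), "big") == 0:
            return ("low", "revokes collection-wide approval from " + operator)
        risk = "medium" if operator in trusted else "high"
        return (risk, operator + " could move every token you hold in this collection")
    if name == "approve":
        spender = _address(_word(data, 0))
        value = int.from_bytes(_word(data, 1), "big")
        if spender == ZERO:
            return ("low", "clears an ERC-721 approval")
        what = "unlimited ERC-20 allowance" if value == MAX_UINT256 else "amount or token id %d" % value
        return ("medium" if spender in trusted else "high", spender + " gets " + what)
    # transferFrom / safeTransferFrom: the second argument is the recipient.
    recipient = _address(_word(data, 1))
    return ("medium" if recipient in trusted else "high", "moves an asset to " + recipient)

# Constructed sample: setApprovalForAll(0x1111...1111, true) with a placeholder operator.
SAMPLE = "0xa22cb465" + "00" * 12 + "11" * 20 + "00" * 31 + "01"
```

The `approve` selector is shared by ERC-20 and ERC-721, so the second argument is reported as "amount or token id" unless the contract type is known from elsewhere.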

Private keys can be obtained through seed phrases, mnemonics, private key files, mobile synchronization screens, wallet export features, wallet backups, etc. Never send these to anyone unless you intend to allow them to take all of your money. Attackers will use a wide variety of tactics to convince you, such as pretending to be your wallet software, pretending they work for the wallet software, or asking you to screen share. Don't fall for them.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. What is Proof Collective & Moonbirds? - The Ape Well Archive September 25th, 2022 2:59:00 AM MDT (Nov 24, 2022)
  2. Future PROOF (edited short edition) - YouTube (Aug 23, 2022)
  3. Moonbirds and Proof collective — 5 Learnings from hottest thing in NFTs (from a Proof member) - Raffaela Rein Medium (Nov 18, 2022)
  4. Moonbirds: The official PROOF PFP (Aug 23, 2022)
  5. Proof Moonbirds Collection - OpenSea (Nov 24, 2022)
  6. moonbirds - "BEWARE of scammers, we don't Instagram, have a public discord, or have any other URL other than http://moonbirds.xyz" - Twitter (Aug 23, 2022)
  7. Theft Transaction For Moonbirds #6544 - Etherscan (Apr 18, 2023)
  8. Sale of Moonbirds #6544 - Etherscan (Apr 18, 2023)
  9. JSuite - How I got my Moonbirds #6544 scammed, which spiraled the best weekend of my life into the worst weekend of my life. - Medium (Apr 18, 2023)
  10. PeckShield - "PeckShield has detected claim-moonbirds[.]com is a phishing site. Do *NOT* connect your wallet." - Twitter (Apr 18, 2023)
  11. CryptoHoward - "Crypto phishing scams threat" - Twitter (Apr 18, 2023)
  12. Namecheap - "Hello! We have suspended the abusive service" - Twitter (Apr 18, 2023)
  13. Airdrop phishing: what is it, and how is my cryptocurrency at risk? - MalwareBytes (Jul 2, 2022)
  14. Phishing Attack Strikes ‘Moonbirds’ NFT Project, Details Here - Techsprout News (Aug 23, 2022)
  15. Airdrop phishing is scamming crypto investors- Cyber-Forensics.net urge investors to stay cautious - Journal of Cyber Policy (Aug 23, 2022)
  16. Moonbird #6544 - OpenSea (Apr 18, 2023)
