Nyoki Club Discord Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Nyoki Club

Nyoki Club is a popular set of 2,732 NFT characters. On April 1st, their Discord server was attacked, with a fake link posted promising a cheap mint of 1,000 new Nyoki NFT characters. It is believed that the access token was compromised when one of the Admin accounts used the same token to validate on another Discord serer. It is unknown how many users were affected. Nyoki club has agreed to cover all losses.

About Nyoki Club

Nyoki Club is an NFT brand centered around the concept of Nyokies, unique little creatures that arrived on Earth when Comet Nyoki struck Mount Fuji millions of years ago[1]. Nyoki Club aims to stands out in the crowded NFT space by offering unique and randomly generated 3D characters[2]. Nyoki Club will have a total of 2,732 Nyokies, and their launch was scheduled for April 10, 2022[3]. The founders of Nyoki Club have created 2,732 3D and 4K resolution Nyokie characters, each with distinct features and an endearing appearance[1].

What sets it apart is that these NFTs will also be available as real-life 3D printed models, combining digital art with tangible collectibles[2]. Nyoki Club aims to stand out from others due to its unique features and community management[4]. The project consists of 8,888 randomly generated 3D characters, each of which is a one-of-a-kind artwork available for minting on the Ethereum Blockchain[4]. What sets Nyoki Club apart is that these NFTs will also be available as 3D printed models, combining digital and real-life collectibles[4]. The project has gained significant attention with over 74,000 followers before its release[4].

The team behind Nyoki Club has effectively managed their community by offering exclusive whitelist access through rare raffles and active participation in their Discord channel[4]. The community actively engages in governance decisions, with over 50,000 people voting on various matters[4]. Initially, the plan was to have 750 OG and 4,000 WL (Original Gangster and Whitelist) Nyokies, but they are now aiming for a 100% presale distribution, which will depend on the community's preference[3]. One mint is allowed for WL, while two mints are allowed for OG[3]. To get whitelisted, active and helpful community members may be suggested for whitelist status. Opportunities for whitelist consideration include fan art submissions, giveaways, and upcoming contests and games[3]. OG/WL roles are not permanent and can be revoked for various reasons, such as violating Discord server rules, being disrespectful, engaging in selling/buying of OG/WL spots, or being inactive[3]. It is encouraged to actively participate, engage with the community, and enjoy the Nyoki hype to maintain these roles[3].The project has formed partnerships with well-known entities like Hypebeast, Llamaverse, and Rarity Sniper, further boosting its reputation[4].

The roadmap for Nyoki Club includes several phases[1]. The roadmap of Nyoki Club includes the creation of the first fully 3D printed model and plans to collaborate with more artists to expand the collection in the future[4]. The community has placed trust in the founders and their partnerships, which have generated positive publicity. The team aims to release an NFT collection that pushes boundaries in terms of value and creativity, leveraging their partnerships to achieve this[4]. In Phase 1, the launch of the Kikai Capsule will allow Nyoki owners to mint for free and gain access to the Zen Gardens, while the Nyoki Badge will be available for free minting to everyone[1]. Phase 2 involves developing a fully detailed 3D Nyoki prototype to advance the production of Nyoki figures[1]. Phase 3 will introduce an online poll system for Nyoki holders to vote on important decisions, followed by Phase 4, which focuses on launching official Nyoki merchandise globally[1]. Phase 5 includes the production and marketing of 3D printed Nyoki figures for purchase using Nyoki Tokens[1]. Lastly, Phase 6 involves collaborations between Nyoki and selected artists, with a commitment to ongoing development and improvement in the future[1].

The project has reportedly garnered significant attention, with over 74,000 followers prior to its release[2]. The team has reportedly managed the community through exclusive whitelist raffles and an active and helpful Discord channel[2]. Nyoki Club gained fame by partnering with well-known projects and has a roadmap that includes creating more 3D printed models and collaborating with additional artists in the future[2].

Discord Public Minting Announcement

"We've decided to roll out public minting for 1,000 Nyokie NFTs up for mint as a thank you to all your guys' support." "As the Nyoki family, we always follow and support one another. Thank you to every one of you for your hard work and participation within this project."

The Reality

"Hackers are mainly posing a fake phishing scam using the Discord Bot to disguise the fake links as legitimate new offerings. Vice confirmed that the link links users to two crypto wallets, such as Fake_Phishing5519 and Fake_Phishing5520 on blockchain explorer Etherscan, and that both wallets have experience extensive activity over the past few days as the hackers try to launder their stolen cryptocurrency."

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

Nyoki Club used Ticket Tool. A phishing attack appeared on the Nyoki Club discord server and tricked multiple members into providing access to their wallets.

Key Event Timeline - Nyoki Club Discord Hack
Date Event Description
March 29th, 2022 7:56:00 AM MDT News Direct Press Release A press release is issued entitled "Why Nyoki Club is Here to Shake the World of NFTs" about the Nyoki Club calling it "one of the most sought-after NFT projects since the surge of NFTs in the last year"[2].
March 31st, 2022 11:24:00 PM MDT 0xGav.eth Reports Hack on Twitter Twitter user oxGav.eth reports the Bored Ape Yacht Club Discord is hacked[5].
March 31st, 2022 11:54:00 PM MDT ZachXBT Similarities Noted Twitter user ZachXBT reports on the similarities between the Bored Ape Yacht Club Discord post and a new attack onthe Doodles Discord post, suspecting that the same group is behind both attacks[6].
March 31st, 2022 11:58:00 PM MDT Serpent Suspects Captcha Bot Twitter user Serpent (formerly SerpentAU) reports having inside information from the hackers and that the official "Captcha Bot" is hacked. At this time, it is reported that Bored Ape Yacht Club and Doodle are both hacked. He also warns that many other servers will be hacked[7][8].
April 1st, 2022 12:32:00 AM MDT ZachXBT Report on Twitter Twitter user ZachXBT reports that Nyoki Club is "hacked as well now"[9].
April 1st, 2022 12:46:00 AM MDT Serpent Reports Ticket Tool Hack Twitter user Serpent (formerly SerpentAU) makes another post that it's "100% CONFIRMED" that "TICKET TOOL IS HACKED" along with screenshots of an "AUDIT LOG FROM DOODLES & SHAMANZS"[10][11].
April 1st, 2022 1:22:00 AM MDT sv3nsei Reports Multiple Bots Hacked Twitter user sv3nsei reports a list of hacked Discords (including Bored Ape Yacht Club, Doodles, Kaiju Kingz, Shamanzs, and Zooverse NFT) and a list of hacked Discord bots including Arcane Bot, Captcha Bot, and Ticket Tool Bot[12].
April 1st, 2022 1:34:00 AM MDT Ticket Tool Posts Tweet Ticket Tool posts an update Tweet that the problem was a recent update that "had a bug allowing for some type of permission exploit". The developer reported that he "reverted the update to the previous uncompromised version and will be looking into exactly how this happened"[13].
April 1st, 2022 2:06:00 AM MDT Ticket Tool Posts Tweet Again Ticket Tool again posts the same update (with no further clarification) in response to the thread by Jon_HQ[14]. This would be their last post for many months.
April 1st, 2022 12:35:00 PM MDT Vice News Article Published Vice News publishes an article on the situation[15], which includes that the Discord channels of platforms including Bored Ape Yacht Club, Nyoki, Shamanz, Doodles, and Kaiju Kingz were all hacked. It provides an excerpt of some of the phishing posts, some basic blockchain analysis, and mention of some other Discord attacks[16].
April 2nd, 2022 9:12:00 AM MDT Serpent Requesting Code Inspection Serpent requests to be unbanned from the Ticket Tool discord and that he be allowed to look at the source code to get more information[17]. His Tweet does not appear to have ever been responded to.
April 2nd, 2022 5:23:48 PM MDT CryptoHubK Article Published CryptoHubK published a summary of the situation. It is reported that hackers gained access to the Discord of Bored Ape Yacht Club, Mutant Ape Yacht Club, and Mutant Ape Kennel Club. The article included the PeckShield alert. Some information is later included on the Doodle NFT Discord attack, and the suggestion that this was responsible for the loss of Jay Chou's BAYC #3738. The article also includes general information on other Discord hacks, however it appears to incorrectly state the dates as March 1st for other attacks[18].
April 4th, 2022 10:39:11 AM MDT Tech Radar Article Published TechRadar publishes an article on the situation[19]. It includes Bored Ape Yacht Club, Nyoki, Shamanz, Doodles, and Kaiju Kingz. An example of the phishing tweet on Bored Ape Yacht Club is provided, as well as the response by Noyki Club. It gives some background on the NFT minting process, and mentions that all projects were quick to react to the situation. Information about the wallets were also included[20].
April 4th, 2022 10:48:00 AM MDT Candid Technology Article Published Candid Technology publishes an article on the situation. The article mentions Bored Ape Yacht Club, Nyoki, and Shamanzs as victims, as well as referencing attacks on Doodles and Kaiju Kingz as reported by ZachXBT. The reactions by platforms Nyoki Club and Bored Ape Yacht Club were included, as well as wallet addresses Fake_Phishing5519 and Fake_Phishing5520 and some of the attempts at mixing the proceeds[21].
April 4th, 2022 Game News 24 Article Published Game News 24 publishes an article that "Bored Ape Yacht Club, Nyoki and Shamanz have all tweeted warnings to users that their Twitter bots have been hacked and are advertising new, completely fake NFTs" and that "the link directs users’ crypto to a pair of crypto wallets that have been illegally laundering their ill-gotten gains"[22].
April 8th, 2022 12:11:23 PM MDT NFTNow Article Published NFTNow publishes an article on the situation[23]. It mentions Bored Ape Yacht Club, Shamanz, and Nyoki Club as the projects with their Discord channels attacked. Fake NFT links are included, and a specific quote of the announcements for Nyoki Club. Background on the funds, wallets, and some history of Discord attacks is also included in the article[24].
May 6th, 2022 5:45:00 AM MDT Serpent Bribery Accusation Twitter user Serpent reports that he is "[s]till waiting for an update" and "highly believe[s] this was a bribe"[25].
June 2nd, 2022 9:05:00 PM MDT Ticket Tool Launches Video Series In their first Tweet since the hack (after nearly 2 months of silence), Ticket Tool says it's "been a long time" and introduces users to watch the first "official video from [their] tutorial series" about how to set up Ticket Tool[26].

Technical Details

"BlockSecAlert tweeted that Nyoki Club's Discord account was attacked at 6:30 am (UTC) on April 1st. In line with what appears to be an ongoing trend with big NFT projects, the Nyoki Club hackers have been spreading links to fake minting sites."

"Although we were not using the hacked bots in our server, Attackers were able to send a fake mint website as an announcement by using one of the Founder's access tokens. We believe the token was recorded while founder was verifying himself in a different server."

Total Amount Lost

The total amount lost is unknown.

Attackers wallet is reportedly included FakePhishing_5519[27] and FakePhishing_5520[28].

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

"Bored Ape Yacht Club, Nyoki and Shamanz have all tweeted warnings to users that their Twitter bots have been hacked and are advertising new, completely fake NFTs. If users take users to legitimate NFT sites, the link directs users’ crypto to a pair of crypto wallets that have been illegally laundering their ill-gotten gains."

"Along with blue-chip projects like BAYC, and Doodles, our server was also compromised today due to a recent large-scale hack. We have taken everything under control in less than 30 minutes."

"We've tracked the transactions and confirmed that some of the members got scammed during the incident. Nothing to worry about, we are in contact with victims, and losses will be covered by Nyoki Club."

"Users are advised to stay alert at this time and refrain from clicking suspicious links posted on Discord servers." "Please deauthorize http://Captcha.bot from your discord account if you haven't already."

While Ticket Tool has not released an official announcement, they did offer this explanation: "A recent update I made to the add command had a bug allowing for some type of permission exploit. I've reverted the update to the previous uncompromised version and will be looking into exactly how this happened. The bot itself is not compromised beyond a very unfortunate bug."

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

It is recommended to be extremely cautious of any links posted on Discord, given the repeated breaches of official accounts using the platform. Users need to be cautious with any posted links. Always check any communication against multiple official sources of a project before proceeding.

Any time that you are promised any profit or benefit in exchange for an initial payment, smart contract approval, or deposit, pay special care as to whether the entity making that offer is trustworthy, actually who they say they are, and has the means to fulfill what they're promising. There are no magic algorithms providing guaranteed returns from trading or mining. Trading on average will lose money. Mining is expensive and complex. No one is going to immediately send back more than you sent them. NFT projects will rarely announce a surprise mint in only a single location. Are you fully prepared for the event your money is kept and nothing is delivered in return?

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Platforms should be extremely cautious regarding the permissions which are granted via Discord, and limit the access levels to critical functionality. Discord should improve their security and offer multi-signature permissions for key functions. Ideally, public groups should be managed from an exclusive account which isn't used for anything else.

Ideally, performing key actions such as banning moderators or posting global announcements would be set up such that multiple approvals are required. In this way, it would be much more challenging to breach, particularly when combined with security training.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

Training platform operators can help avoid incidents such as these, and requiring the approval of two separate security sign-offs prior to a project to launch would likely catch any weak security practices.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. 1.0 1.1 1.2 1.3 1.4 1.5 1.6 1.7 Home - Nyoki Club (Jul 14, 2022)
  2. 2.0 2.1 2.2 2.3 2.4 2.5 Why Nyoki Club is Here to Shake the World of NFTs - News Direct (Jul 14, 2022)
  3. 3.0 3.1 3.2 3.3 3.4 3.5 FAQ - Nyoki Club (Jul 14, 2022)
  4. 4.0 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 Why Nyoki Club is Here to Shake the World of NFTs - Yahoo Finance (Jul 14, 2022)
  5. 0xGav - "BAYC Discord hacked" - Twitter (Jun 19, 2022)
  6. zachxbt - "Both of the phishing sites are very similar. It has to be the same group behind Doodles & BAYC." - Twitter (Jun 19, 2022)
  7. SerpentAU - "BAYC & Doodles have already been hacked within the last 30 minutes but MANY MORE SERVERS WILL BE HACKED." - Twitter (Jun 19, 2022)
  8. MasonBeingMason - "april fools lul" - Twitter Archive April 1st, 2022 12:00:02 AM MDT (Apr 19, 2023)
  9. zachxbt - "Nyoki hacked as well now" - Twitter (Jul 17, 2022)
  10. Serpent - "TICKET TOOL IS HACKED" - Twitter (Apr 19, 2023)
  11. SerpentAU - "TICKET TOOL IS HACKED" - Twitter Archive April 1st, 2022 1:19:05 AM MDT (Apr 19, 2023)
  12. sv3nsei - "LIST OF HACKED DISCORDS: @BoredApeYC @doodles @KaijuKingz @shamanzs @Zooversenft LIST OF HACKED BOTS: - Arcane bot - Captcha bot - Ticket tool bot" - Twitter (Jul 17, 2022)
  13. Ticket_Tool - "A recent update I made to the add command had a bug allowing for some type of permission exploit.." - Twitter (Jul 17, 2022)
  14. Ticket Tool - "A recent update I made to the add command had a bug allowing for some type of permission exploit.." - Twitter (Apr 21, 2023)
  15. Bored Ape Yacht Club, Other Major NFT Project Discords Hacked by Scammers - Vice News Archive April 1st, 2022 12:40:01 PM MDT (Apr 21, 2023)
  16. Bored Ape Yacht Club, Other Major NFT Project Discords Hacked by Scammers - Vice (Jul 17, 2022)
  17. Serpent - "can you unban me from the discord? ... I would like to look at the code to see what happened." - Twitter (Apr 21, 2023)
  18. Bored Ape Yacht Club (BAYC) officially confirmed the project's Discord channel has been hacked - CryptoHubK (Jun 19, 2022)
  19. Several huge NFT Discords hacked by scam attacks - TechRadar Archive April 4th, 2022 9:39:11 PM MDT (Apr 21, 2023)
  20. Several huge NFT Discords hacked by scam attacks - TechRadar (Jul 17, 2022)
  21. BAYC, Nyoki, Shamanz and other NFT projects suffer Discord hack - Candid Technology (Jul 17, 2022)
  22. The NFT Discord Channels are Attacked By Hackers, who seek to gain traction in Cryptocurrency - Game News 24 (Jul 16, 2022)
  23. Warning: Hackers Are Targeting Discord Bots to Rob Nft Users - NFTNow Archive April 8th, 2022 12:11:23 PM MDT (Apr 21, 2023)
  24. Warning: Hackers Are Targeting Discord Bots to Rob NFT Users - NFTNow (Jul 16, 2022)
  25. Serpent - "Still waiting for an update on this. I highly believe this was a bribe." - Twitter (Apr 21, 2023)
  26. Ticket Tool - "Hey there everyone, it's been a long time hasn't it? Well, we are back with great news, we are launching our first official video from our tutorial series!" - Twitter (Apr 21, 2023)
  27. Fake_Phishing5519 Wallet - Etherscan (Jun 20, 2022)
  28. Fake_Phishing5520 Wallet - Etherscan (Jul 13, 2022)

Cite error: <ref> tag with name "chubk-8539" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "gamenews24-8531" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "aliensdotcom-8544" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "nftnow-8532" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "candidtechnology-8533" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "techradar-8534" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "vice-8528" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "etherscan-8136" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "etherscan-8490" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "serpenttwitter-8536" defined in <references> is not used in prior text.

Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Nyoki_Club_Discord_Hack&oldid=4658"