The Heart Project Discord Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

The Heart Project

Just days after the project ran a humorous "you got rugged" campaign that gave rugs away to users, many of those users had their Hearts stolen by hackers. The Heart Project Discord server was compromised, and malicious links were used to trick users into granting access to their NFTs, which the attacker then resold.

This is a global/international case not involving a specific country. [1][2][3][4]

About The Heart Project

[5][6][7]

"The Heart Project is releasing a collection of 10,000 NFT’s living on the blockchain as collectibles." "The Heart Project is a community-run creative studio which enables passionate lovers of creativity to shape the art we interact with. 10,000 unique tokens on the Ethereum-based blockchain will serve as membership passes which grant access to creative contribution and shared ownership of our group creations. The Heart Project Creative Studio is designed to produce media with thousands of contributors on every project and grants ownership of our shared creations."

"The “Heart” character has 235 unique attributes which have been plugged into a computer generated AI with the possibility of creating over a trillion different combinations."

"Each Heart NFT is one of a kind based on its combination of characteristics." "When you are verified as a heart owner, you will gain membership access to our collaborative portal in our discord. This will allow you to decide on & define the creation of all Heart Project endeavors. We will begin with a music video, a clothing capsule, a game, and an album - but soon the community will take control of what comes next. Each project will amplify the unique voices of all members and be shaped by all of us. The group as a whole will also partner with musicians and brands to collaborate on creative projects. Together, we will vote on which outside projects and artists the Heart Project will work with."

"The Heart Project was created by Stefan Meier and Aidan Cullen in 2021. Over the past two years, Stefan has been developing a series of paintings and drawings inspired by the cartoons of his childhood. The character he felt most drawn to was a heart because of its simple and universal message of love, healing, and compassion. He teamed up with fellow artist Aidan Cullen, an avid cryptocurrency and NFT enthusiast, who helped grow the idea and put together a dedicated team to create a world and community surrounding the character. The combination of this classic symbol with Stefan’s distinct visual style is bringing something unique to the NFT world. The DIY aesthetic sets it apart from other NFT collections, and so do our goals for the project."

"On Sept. 27, Cullen and Meier dropped 10,000 NFTs for 0.08888 ETH (cryptocurrency currently worth roughly $370) each, as the key to become part of the community. The NFT itself is a computer-generated heart cartoon designed by Meier, with each one having randomly assigned attributes. They sold out in less than 30 seconds."

"Every Heart was 0.08888 ETH at mint, but they’re now selling for around 1 ETH on the secondary markets. The “Heart” character has 235 unique attributes that have been plugged into a computer-generated AI with the possibility of creating over a trillion different combinations. Most buyers will choose the Heart that they identify with the most. In the first collection, the Heart project team sold 5,000 during a presale, and 5,000 were released on the NFT drop date. The team will reserve 250 NFTs for giveaways to the community."

"The 4,900 “heart holders,” as Cullen and Meier call them, hail from 50 different countries and are part of a special Discord channel where they are privy to star-studded creative opportunities. Cullen and Meier are also aided by Brockhampton creative director Henock Sileshi (aka HK) and software engineer Luke Davis. Current ventures include producing and writing a song with Benny Blanco and Lil Dicky, creating music videos for Deb Never and Jean Dawson, a community-designed clothing capsule and a collaborative zine. When these projects are complete, they will also have a NFT component to them, allowing contributors to turn the collaboration into cash."

The Reality

TBD

What Happened

"The official Discord server of the NFT project The Heart Project was hacked. Scammers deleted most of The Heart Project's Discord channels and posted scam links."

Key Event Timeline - The Heart Project Discord Hack

| Date | Event | Description |
| January 31st, 2022 10:47:00 PM MST | Heart Rug Giveaway | The heart rug giveaway finishes, with a winner announced to receive a free "rug"[8]. |
| February 1st, 2022 4:53:00 PM MST | Main Event | The project's Discord server is compromised; the attackers delete most channels and post a fake mint link, which stays up for about seven minutes before the team regains control. Users who mint through the link lose ETH. |
| March 6th, 2022 4:36:00 PM MST | Music Video Announced | The Hearts NFT announces a new music video[9]. |

Technical Details

The attackers gained control of the official Discord server, wiped most of its channels, and posted a fraudulent mint link. The link remained live for about seven minutes before the team regained control; users who minted through it had their ETH taken. The team described it as a coordinated attack carried out by multiple people.

Total Amount Lost

The total amount lost is unknown.

Immediate Reactions

"The Heart Project tweeted that its official NFT Discord server went down on February 2. Scammers deleted many channels and posted scam links on the server. As a result, some users clicked on fraudulent links and lost money. The Heart Project said it would reimburse users for lost ETH. At present, the team is working hard to restore Discord and remind users not to click on any unknown links, and it would be best to disconnect the wallet."

"OUR DISCORD JUST GOT HACKED, DO NOT CLICK ANY LINKS WE ARE HAVING OUR TEAM DEAL WITH THIS RIGHT NOW"

"According to The Heart Project, some users clicked on fraudulent links and said they lost assets."

"Earlier today our Discord server was compromised." "This was a multi-person, coordinated attack that attempted to take advantage of our community." "The scammers were able to briefly take over our server, wipe most of our channels, and post a scam mint link. The spam link was up for seven minutes before we were able to regain control of the server." "During that time, a few users clicked the fraudulent link and reported that they were scammed."

"The Heart Project says it will reimburse users for lost ether." "We will be reimbursing the ETH taken from everyone who minted through the fake link posted in our server. Check our discord for more details."

"[W]e are sincerely sorry for anyone impacted. It is unfair and devastating to be a victim of this type of scam, and we are working around the clock to right this situation."

"While we’re working hard to get our Discord back up and running, this is a good time to remind everyone to enable Discord two-factor authentication and avoid clicking on any suspicious links." "We also recommend disconnecting your wallet from all websites it may currently be connected to. If you are unsure how to do so, there are many online resources that can walk you through the process."

Ultimate Outcome

TBD

The attack was featured on SlowMist[10].

Total Amount Recovered

The total amount recovered is unknown.

Ongoing Developments

TBD

Individual Prevention Policies

There are two ways that attackers can often steal funds. The first is through a malicious transaction, and the second is through the private key. In these types of Discord attacks, it's especially important to verify every transaction before signing.

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
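What "review the transaction in full" means in practice, as an added example that is not from the wiki or the project: decoding the calldata a "mint" page asks the wallet to sign, so the permission it really requests is visible before approving it. The collection and operator addresses are constructed placeholders; the selectors are the real Solidity ones.

```python
"""Pre-signing review of a wallet transaction request (constructed example).
The scam link in this incident posed as a mint page; the damage is done by the
permission the signed transaction grants, so decode the calldata and show it."""

# Real 4-byte Solidity selectors (first 4 bytes of keccak256 of the signature),
# hard-coded because Python's standard library has no keccak256.
SENSITIVE_SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",        # ERC-721 / ERC-1155
    "095ea7b3": "approve(address,uint256)",               # ERC-20 / ERC-721
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
}

def decode_address(word: str) -> str:
    """An ABI word is 32 bytes (64 hex chars); an address is its low 20 bytes."""
    if len(word) != 64 or word[:24] != "0" * 24:
        raise ValueError("malformed address word; refuse to sign")
    return "0x" + word[24:]

def review_transaction(tx: dict) -> dict:
    """Return a risk verdict and plain-language findings for a {to, data} request."""
    data = tx.get("data", "0x")[2:].lower()
    report = {"to": tx["to"], "risk": "low", "findings": []}
    if len(data) < 8:
        return report                       # plain ETH transfer, nothing approved
    selector, args = data[:8], data[8:]
    if len(args) % 64:
        return {**report, "risk": "high", "findings": ["calldata not ABI-aligned; refuse to sign"]}
    words = [args[i:i + 64] for i in range(0, len(args), 64)]
    sig = SENSITIVE_SELECTORS.get(selector)
    if sig is None:                         # e.g. a genuine mint(); still verify the contract
        report["findings"].append(f"unknown selector 0x{selector}; confirm {tx['to']} via the official site")
        return report
    report["risk"] = "high"
    report["findings"].append(f"calls {sig}")
    if sig.startswith("setApprovalForAll") and len(words) >= 2 and int(words[1], 16) == 1:
        report["findings"].append(f"grants {decode_address(words[0])} control over EVERY token you hold in this collection")
    elif sig.startswith("approve") and len(words) >= 2:
        report["findings"].append(f"lets {decode_address(words[0])} move token/amount {int(words[1], 16)}")
    elif len(words) >= 2:                   # transferFrom / safeTransferFrom
        report["findings"].append(f"moves a token from {decode_address(words[0])} to {decode_address(words[1])}")
    return report

# Constructed sample: a page labelled "free mint" whose transaction is really
# setApprovalForAll(<operator>, true). Both addresses are placeholders.
FAKE_MINT_TX = {
    "to": "0x" + "ab" * 20,
    "data": "0xa22cb465" + "0" * 24 + "de" * 20 + "0" * 63 + "1",
}
```

Running `review_transaction(FAKE_MINT_TX)` reports "high" risk and names the operator that would gain control of every token in the collection, which is exactly the approval the fake mint in this incident relied on.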

Private keys can be obtained through seed phrases, mnemonics, private key files, mobile synchronization screens, wallet export features, wallet backups, etc. Never send these to anyone unless you intend to let them take all of your money. Attackers will use a wide variety of tactics to convince you, such as pretending to be your wallet software, pretending they work for the wallet software, or asking you to screen share. Don't fall for them.

Users should be skeptical anytime a mint is promised for free or at an unrealistic price. A legitimate giveaway should be referenced in multiple places and come from the official domain of the service.

Any time that you are promised any profit or benefit in exchange for an initial payment, smart contract approval, or deposit, pay special care as to whether the entity making that offer is trustworthy, is actually who they say they are, and has the means to fulfill what they're promising. There are no magic algorithms providing guaranteed returns from trading or mining. Trading on average will lose money. Mining is expensive and complex. No one is going to immediately send back more than you sent them. NFT projects will rarely announce a surprise mint in only a single location. Are you fully prepared for the event that your money is kept and nothing is delivered in return?

The potential risk can be reduced by storing all NFTs or other tokens which you are not using offline. This limits what an attacker could take.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

The primary defense is to improve user education so that phishing attacks are ineffective. The Heart Project had also just run a similar, legitimate giveaway, which likely lowered the community's guard against a fake one.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

This is similar to other Discord hacks that have happened in the past. When all authentication factors are on the same device, breaching that one device is enough to perpetrate an attack. There is no reason to use a fully-permissioned Discord account when it is not necessary. A form of multi-sig would be the best setup, requiring approval from multiple people to perform key tasks such as changing the administration.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

An industry insurance fund could have extra resources to assist victims who lost funds due to this attack.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

The primary strategy is to reduce the effectiveness of attacks by ensuring that users have greater awareness.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

Further review of the security of the Discord server could have prevented the post.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not be used again within 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

An industry insurance fund can assist any victims.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References
