Wizard's Pass Discord Hack
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Wizard Pass is a service offering access to an NFT trading community with advanced tools, whitelist opportunities, automated calendars, and more. Wizard Pass recently experienced a Discord-related hack. The severity of the hack was downplayed initially, which may have contributed to more valuable NFT tokens and Ethereum being stolen during the heist. Wizard Pass' founder later responded, apologizing to the victims and confirming that the project's Discord server is back in operation. They are also actively reaching out to affected individuals.
This is a global/international case not involving a specific country.[1][2][3]
https://twitter.com/WizardPassNFT/status/1503391119605915655
https://twitter.com/WizardPassNFT/status/1503391125687648270
https://twitter.com/WizardPassNFT/status/1503294784278253576
https://twitter.com/WizardPassNFT/status/1503391121124298767
https://twitter.com/WizardPassNFT/status/1503391122680426503
About Wizard's Pass
"WIZARD PASS - Get access to the best NFT trading community in the world. Hot Alpha, cutting edge NFT trading tools, whitelist opportunities, automated calendars and alerts, and so much more!"
"Sick of wasting time researching projects? Sick of rug pulls? Our tools are fully automated so everyday you will get live notifications of NFT launches including links and important minting info!"
"As a valued member of our community you will get the first opportunity to Whitelist for popular upcoming NFT projects! You will also get significant discounts on the best rarity, sniping, and analytics tools currently available. As our social media presence grows we will get even better collaboration opportunities - these will be shared with our Wizard Pass holders!"
"We regularly update our community on hot new alpha. Be first, be ready as these little nuggets could help you make 5X or even 10X flips! Great for those with more limited cashflow."
"Our aim is to provide so much utility with our Wizard Pass it would be literally impossible to consider selling one (unless you really needed the liquidity!). As such we have decided to limit the supply, after our launch no more will ever be minted and there are no yearly renewals or subscriptions. This is so that our members can all benefit from our growth and development."
Homepage: [4]
About Discord
"Discord has become a hub for NFT conversations, collaboration, and enjoyment in more ways than one. Discord servers range in size from two members to projects creating multiple channels due to space. Many people believe that Discord is one of the critical tools that have helped NFTs become what they are today."
The Reality
Discord is regularly involved with security breaches.
NFT Discord servers have become a crucial part of the NFT community, but they are increasingly vulnerable to hacks, causing significant financial losses to investors. Discord serves as a central hub for NFT discussions, collaboration, and community engagement, making it an essential tool for NFT projects.[5]
The popularity of Discord in the NFT space has made it an attractive target for hackers and malicious actors. Gaining access to NFT project Discords can be as simple as clicking a link, and this ease of entry has led to an increase in Discord-related thefts. As a result, NFT Discord servers are facing rising security challenges, and hackers are becoming more sophisticated.[5]
One recent example of an NFT Discord hack involved Wizard Pass, where valuable NFT tokens and Ethereum were stolen. The handling of the breach by the project team was criticized, as they downplayed its severity. This incident highlighted the need for better security measures and communication within the NFT community.[5]
As NFTs continue to gain popularity and attract more money, security concerns in Discord servers persist. NFT project owners and administrators must take steps to secure their servers, limit participation by unknown individuals, and monitor activities to prevent future hacks. Finding long-term solutions to secure these servers is crucial for the NFT ecosystem's safety.[5]
What Happened
"Wizard Pass is one of the most recent victims of NFT Discord-related heist. What stands out the most about the Wizard Pass discord hack is that the team behind this project downplayed the severity of the hack, which may have contributed to more valuable NFT tokens and Ethereum being stolen during the heist."
| Date | Event | Description |
|---|---|---|
| March 3rd, 2022 3:49:00 AM MST | Hacking Discord Uncommon | Wizard's Pass foreshadows their own Discord being hacked, posting a Tweet about how "official pages/discord for an NFT collection can get hacked" which they say is "[u]ncommon but still happens". They also spell out their process that "if an official discord is hacked they usually immediately alert the community on twitter, instagram, youtube, etc."[6] |
| March 13th, 2022 11:16:00 AM MDT | Twitter Giveaway Announced | Wizard's Pass announces a "5 WL SPOTS GIVEAWAY FOR MARTIAN PREMIER LEAGUE" via Twitter, which appears to be a legitimate giveaway they are running[7]. |
| March 13th, 2022 8:22:59 PM MDT | First Fake Mint | The first blockchain transaction attempting to mint the fake Wizard's Pass. |
| March 13th, 2022 10:51:00 PM MDT | Serpent Tweet | Serpent reports on the Discord compromise on Twitter[8]. He reports that after the user sends 0.1 ETH, the site requests permissions that allow their wallet to be emptied. |
| March 14th, 2022 12:51:00 AM MDT | Twitter Warning | Wizard Pass warns the community on Twitter that the server has been hacked and asks members not to click any links on Twitter or in the server[9]. |
| March 14th, 2022 10:30:56 AM MDT | Final Discord Mint | The final mint which is in the cluster related to the compromised Discord. |
| March 15th, 2022 2:52:07 AM MDT | NFTEvening Article | NFT Evening reports on the Discord hack[10]. |
| March 15th, 2022 8:37:39 AM MDT | Another Minting Transaction | Another user is tricked into minting, likely not related to the discord. |
| March 15th, 2022 8:24:14 PM MDT | NFT News Today Article | NFT News Today publishes on the situation[5]. |
| March 20th, 2022 7:09:50 AM MDT | Final Minting Transaction | It appears that there was still a minting transaction here. |
Technical Details
"What stands out the most about the Wizard Pass discord hack is that the team behind this project downplayed the severity of the hack, which may have contributed to more valuable NFT tokens and Ethereum being stolen during the heist."
Technical Analysis By Serpent
1/ In this particular case, @WizardPassNFT's discord was compromised. However, this isn't just a regular fake minting website where you pay 0.1 ETH and get nothing, they have a script that finds your most valuable NFTs and requests token approval for them.
2/ After sending the 0.1 ETH, the website will come up with another Metamask prompt, where it will request token approval. After confirming the transactions, the victim is essentially providing full access over their NFTs and transferring them to the scammers wallets.
3/ This isn't something new, this has been happening for a while. Tons of BAYCs, Doodles, Clone Xs have been stolen through this method. This is what happened with @thelittlesnft resulting in 120+ ETH worth of assets being stolen.
4/ Lessons to be learnt:
- Of course, all stealth mints are fake, especially when a project has already sold out.
- Always keep your most valuable NFTs on a cold wallet.
- Be VERY careful of what websites you confirm token approvals for. This is not something to do carelessly.
- Projects need to prioritize Discord security. This isn't something to take lightly.
- If you fall for this, go to http://revoke.cash straight away and revoke access from the contract.
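The approval step in the thread above (2/), together with the general advice to review every approval before confirming it, as an added example that is not from the original page, from Wizard Pass or from Serpent: a small Node.js check that decodes the calldata of an ERC-721 `setApprovalForAll` / `approve` prompt and rates how much it hands over. The function selectors are the standard ones; the operator address and calldata are constructed placeholders.

```javascript
// Added example, not code from the page, Wizard Pass or Serpent: a pre-signing check
// for the "second MetaMask prompt" described in the thread. It decodes raw calldata of
// the two ERC-721 approval functions and flags an "all tokens" grant to an operator the
// user has not explicitly trusted. Addresses and calldata below are constructed.

const SELECTORS = {
  a22cb465: "setApprovalForAll(address,bool)", // ERC-721/1155: operator may move every token
  "095ea7b3": "approve(address,uint256)",      // ERC-721: operator may move one tokenId
};

// ABI-encode a setApprovalForAll call (used here only to build sample calldata).
function encodeSetApprovalForAll(operator, approved) {
  const addrWord = operator.replace(/^0x/, "").toLowerCase().padStart(64, "0");
  const boolWord = (approved ? "1" : "0").padStart(64, "0");
  return "0xa22cb465" + addrWord + boolWord;
}

// The last 20 bytes of a 32-byte ABI word hold the address.
function wordToAddress(word) {
  return "0x" + word.slice(24);
}

// Returns a decoded approval, or null when the calldata is not an approval call.
function decodeApproval(calldata) {
  const hex = calldata.replace(/^0x/, "").toLowerCase();
  if (hex.length < 8 + 64 * 2) return null;        // selector plus two 32-byte words
  const selector = hex.slice(0, 8);
  if (!SELECTORS[selector]) return null;
  const operator = wordToAddress(hex.slice(8, 72));
  const word2 = BigInt("0x" + hex.slice(72, 136));
  if (selector === "a22cb465") {
    return { fn: SELECTORS[selector], operator, approved: word2 !== 0n, scope: "all" };
  }
  return { fn: SELECTORS[selector], operator, approved: true, scope: "single", tokenId: word2.toString() };
}

// Risk rating a wallet UI or a user could apply before confirming the prompt:
// a blanket approval to an unknown operator is exactly what drained wallets here.
function assessApproval(calldata, trustedOperators) {
  const d = decodeApproval(calldata);
  if (d === null) return { level: "none", reason: "not an approval call" };
  if (!d.approved) return { level: "none", reason: "revocation (approved=false)", decoded: d };
  const trusted = new Set(trustedOperators.map((a) => a.toLowerCase()));
  const isTrusted = trusted.has(d.operator);
  const level = d.scope === "all" ? (isTrusted ? "medium" : "high") : (isTrusted ? "low" : "medium");
  const reason = d.fn + " for " + (isTrusted ? "trusted" : "UNTRUSTED") + " operator " + d.operator;
  return { level, reason, decoded: d };
}

// Constructed sample: blanket approval to an operator on nobody's trusted list.
const SAMPLE_OPERATOR = "0x1111111111111111111111111111111111111111"; // placeholder, not a real address
const SAMPLE_CALLDATA = encodeSetApprovalForAll(SAMPLE_OPERATOR, true);
console.log(assessApproval(SAMPLE_CALLDATA, []));
```

Run with `node` and no dependencies; the same decode can be pointed at the `data` field of any pending transaction a wallet shows you.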
Total Amount Lost
The total amount lost is unknown.
Immediate Reactions
Dape NFT co-founder @SerpentAU called out Wizard Pass on Twitter: “Yes, NFTs are being stolen but there’s no exploit or anything to be worried about. In this particular case, @WizardPassNFT’s discord was compromised. However, this isn’t just a regular fake minting website where you pay 0.1 ETH and get nothing; they have a script that finds your most valuable NFTs and requests token approval for them.”
@SerpentAU continued: "After sending the 0.1 ETH, the website will come up with another Metamask prompt, where it will request token approval. After confirming the transactions, the victim is essentially providing full access over their NFTs and transferring them to the scammers' wallets."
"Wizard Pass was not spared by #NFTTwitter as a myriad of NFT stakeholders and affected investors descended on the bird app to share their frustrations and disappointment with the handling of the Wizard Pass Discord hack."
NFT Twitter criticized Wizard Pass after the project downplayed a Discord hack that resulted in the loss of valuable NFTs and ETH. Dape NFT co-founder @SerpentAU revealed that the hack wasn't a typical exploit but involved a script that identified users' most valuable NFTs and requested token approval for them. Victims, thinking they were making a small payment, inadvertently gave scammers full access to their NFTs, transferring them to the scammers' wallets.[10]
Discord security was emphasized by Dape NFT co-founder, who recommended victims use revoke.cash to revoke access from the contract.[10]
Wizard Pass' founder responded to the criticism and apologized to the victims of the scam. The project's Discord server is now operational, and the team is in contact with affected individuals.[10]
The method used in this scam highlights the increasing trend of Discord hacks within the NFT community. NFT project owners are urged to be vigilant and implement security measures to prevent such attacks.[10]
Ultimate Outcome
"On Monday, 14 March 2022, Wizard Pass' founder responded to criticisms concerning the project's handling of the breach. He apologized to the victims of the Discord breach. He shared that the project's Discord server, which was taken down after the breach, was back in operation, further assuring the public that his team is contacting affected individuals."
"Yesterday, the founder of Wizard Pass responded to the criticism. The founder also apologised to all those who fell victim to this scam. Furthermore, he confirmed that the project’s Discord server is back in operation and assured everyone that the team is contacting every person affected."
Total Amount Recovered
While the CEO mentioned they would be contacting all affected users, it is unclear if that meant any compensation would be delivered.
The total amount recovered is unknown.
Ongoing Developments
TBD
Individual Prevention Policies
Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Discord compromise targets fans of the Wizard Pass project in a two-for-one scam that both accepted payments for fake NFTs and stole the NFTs that victims already owned (Sep 15, 2023)
2. Address 0xd3512893347745ab0b66aeda7bc867c7d2937209 | Etherscan (Sep 15, 2023)
3. Ethereum Transaction Hash (Txhash) Details | Etherscan (Sep 15, 2023)
4. Wizard Pass Homepage (Nov 18, 2022)
5. Another Discord Hack Claims Victims - NFT News Today (Jul 15, 2022)
6. WizardPassNFT - "Uncommon but still happens - official pages/discord for an NFT collection can get hacked. This is why double-checking on other socials is the best thing, if an official discord is hacked they usually immediately alert the community on twitter, instagram, youtube, etc." - Twitter (Sep 15, 2023)
7. WizardPassNFT - "5 WL SPOTS GIVEAWAY FOR MARTIAN PREMIER LEAGUE" - Twitter (Sep 21, 2023)
8. Serpent - "In this particular case, @WizardPassNFT's discord was compromised. However, this isn't just a regular fake minting website where you pay 0.1 ETH and get nothing, they have a script that finds your most valuable NFTs and requests token approval for them." - Twitter (Sep 15, 2023)
9. WizardPassNFT - "We are aware that the NFT Wizard Server has be hacked. Please DO NOT click on any links on Twitter OR in the server. We are working on a solution to fix this!" - Twitter (Sep 21, 2023)
10. Wizard Pass NFT Discord Compromised, Victims Lose Valuable NFTs - NFTEvening, archived March 15th, 2022 3:54:06 AM MDT (Sep 15, 2023)
11. https://threadreaderapp.com/thread/1496293768542429187.html (Sep 21, 2023)
12. https://twitter.com/kingtan/status/1503255570941300736 (Sep 21, 2023)