Just as DeFi has its scams and rug pulls, the NFT market also experiences a few hacks every now and then. Last night, the Creature Toadz NFT collection got scammed by a hacker who used a phishing webhook to create an operational error in the Discord server. One of the main moderators got tricked by the hacker and lost access to the server, making it extremely easy for the hacker to post any message on any channel. In other words, this was not even a proper hack. The Discord webhook enabled him to leak the fake URL. A detailed thread on this is given here.
People who minted their NFTs paid to an unknown account that had total control over the Discord server. For about 45 minutes, the team could not do anything. But by then, the ones who clicked on the phishing link had already lost nearly $350,000 or 90 ETH.
The most surprising part about all this is that the hacker returned the full money in less than 8 hours after the attack. We also saw him interact on Twitter with Andrew Wang to discuss how he compromised the entire server and why he returned the money. From what I hear in this video, it seems as if he was playing a game to see whether this attack would work or not. However, when the team verified the website registration, they found out he had created a phishing site on Oct 1. That was 20 days ago!
On Twitter Spaces, the hacker revealed he was 17 and was scared of how big this thing would become in the future. He also repeatedly mentions he had no intentions of running away with that much money. Along the same lines, he praises the team and their work to build a wonderful project and a passionate community. At first, everyone was critical of him, but later, they decided not to press any charges, as the money was fully returned.
In terms of the mint, all the NFTs of Creature Toadz are safe. The hacker hosted a JavaScript file on the mint site and sent 0.1 ETH to the specified wallet. He did not interact with the actual contract. However, it is still important to double-check every site connected in MetaMask.
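The distinction above (ETH sent to a wallet instead of a call to the actual contract, from a site that is not the real mint page) can be checked before a transaction is signed. The following is an added example, not code from the Creature Toadz team or from MetaMask; the function name, hostnames, addresses and calldata are constructed placeholders, and the request uses the `eth_sendTransaction` parameter shape (`to`, `value`, `data`).

```javascript
// Added example: pre-signing review of a mint request.
// Every hostname and address below is a constructed placeholder.
const OFFICIAL = {
  hosts: ["mint.project.example"],                        // assumed official mint site
  contract: "0x1111111111111111111111111111111111111111", // placeholder mint contract
};

// origin: URL of the page asking for the signature.
// tx: object in the eth_sendTransaction parameter shape { to, value, data }.
// Returns a list of findings; an empty list means nothing was flagged.
function reviewMintRequest(origin, tx, official = OFFICIAL) {
  const findings = [];
  let host = "";
  try {
    host = new URL(origin).hostname.toLowerCase();
  } catch {
    findings.push("origin is not a valid URL");
  }
  if (host && !official.hosts.includes(host)) {
    findings.push(`site ${host} is not an official mint host`);
  }
  // Addresses are compared case-insensitively (checksum casing varies).
  const to = (tx.to || "").toLowerCase();
  if (to !== official.contract.toLowerCase()) {
    findings.push(`recipient ${to || "(none)"} is not the mint contract`);
  }
  // A mint is a contract call and carries calldata; a bare transfer has none.
  const data = (tx.data || "0x").toLowerCase();
  if (data === "0x") {
    findings.push("no calldata: plain ETH transfer, not a contract call");
  }
  return findings;
}

// Constructed requests. 0x16345785d8a0000 wei is 0.1 ETH.
const genuineRequest = {
  to: "0x1111111111111111111111111111111111111111",
  value: "0x16345785d8a0000",
  data: "0xabcdef01", // placeholder calldata, not a real function selector
};
const phishingRequest = {
  to: "0x2222222222222222222222222222222222222222", // placeholder wallet
  value: "0x16345785d8a0000",
  data: "0x",
};

console.log(reviewMintRequest("https://mint.project.example/", genuineRequest));
console.log(reviewMintRequest("https://mint-project.example/", phishingRequest));
```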
In conclusion, this should be a lesson for everyone involved in the NFT space. There have been so many instances where hacks are repeated with different collections, and no one notices. This hacker literally told everyone what his game plan was and also mentioned it was not hard.
Now, imagine if an experienced hacker who has all the tools, unlike this 17-year-old, tries to enter the NFT space and starts compromising projects. I bet that person would not return the money. So it is becoming more and more important for collections to operate in the best way possible and only conduct minting when everything is checked from all corners. I am happy everyone is getting back their funds, but imagine if that were not the case.

Born and brought up in India, Karthikeya Gutta is a crypto journalist and freelance contributor for ItsBlockchain. He covers various aspects of the industry with in-depth analysis and research. His passion for the blockchain and crypto ecosystem comes mainly from his belief that it can really change the world and help millions of people.