Multiple Targets 

Discord Administrators/Moderators and NFT project members were targeted today in a well-planned social engineering attack. Attackers managed to take over sessions of some privileged Discord accounts and used them to send messages to servers/users in Discord. Since the messages and announcement came from moderators’ accounts, it is likely that users will trust the content of their messages. 

As narrated by kekwin.eth on twitter, the threat actors were able to grab the session token of his Discord account by luring him to a screen sharing session. From that point, it only took a screen grab of the Developer Tools logs in Discord to bypass authentication, including 2FA, and take control of the account.  

Axie Infinity Fake Announcement 

A fake announcement was sent to the official Axie Infinity Team Discord channel. Though the announcement was retracted as fast as the admins/moderators could, a couple of fast users were able to click on the links and were duped into purchasing a fake NFT for Axie Infinity. 

As stated on their Discord channel, a staff member was similarly tricked into giving away his Discord access through the network logs of Chrome’s Developer Tools. 

The image above is of the notice from Discord of the hacked staff member account; note the similarity to kekwin.eth incident.

It’s likely that the attacks are by the same group since they have very similar approaches and close timelines. Although steps have been taken to secure Discord channels and accounts, threat actors are always finding ways to trick unsuspecting users. If users train to learn how to secure their accounts and follow security guidelines, it could lead to a more stress-free online experience.

Reference:

https://twitter.com/kekwin7/status/1454902689029103618

https://twitter.com/notthetechguy/status/1454332297285492742

https://twitter.com/Zeneca_33/status/1450695495232462849/photo/1

https://twitter.com/fiveoutofnine/status/1450705651508776967

IOC:

https[:]axieinfinities[.]com