NFT pet breeding game Axie Infinity said on Twitter that a scammer tricked a member of its support staff into sharing his account information on Tuesday. This resulted in direct access to the staff member’s Discord account, despite two-factor authentication being enabled.
The hacked account enabled the cybercriminal (or cybercriminals) to spam fake Axie Infinity websites that claimed to offer exclusive sales. The URLs were propagated by a Discord bot and sent via the play-to-earn game’s announcement channels so that they appeared to be legitimate. Over 155 Axie players were tricked into visiting the fake pages and connecting their crypto wallet, leading to a total loss of more than PHP 5 million (USD 98,600), according to the Manila Bulletin.
The developers of Axie Infinity plan to reimburse the users whose assets were stolen. They will also reduce the number of people who can tag all community members on its Discord server. The team said it will work with Discord to address the security issues, and review security practices with its team members.
“Those who interacted with the smart contract lost the money they sent. We have reviewed the smart contract and concluded that it does not impact their seed phrases,” Axie Infinity’s developers said in a tweet. A seed phrase is a unique set of 12 to 24 words that gives a user access to their crypto wallet.
Discord is a group chat platform that is popular with gaming communities worldwide. It has 140 million users and has been an increasingly popular channel for scammers and hackers to target their marks.
In a report by cybersecurity firm Sophos, the number of unique URLs hosting malware on Discord’s content distribution network rose by 140 times in the two months ending in mid-July, compared to the same period last year.
The report said that Discord offers “a persistent, highly available, global distribution network” for malware created or used by cybercriminals. “It also provides an ever-growing, target-rich environment for scammers and malware operators to spread malicious code to steal personal information and credentials through social engineering.”
“Discord is not the only service being abused by malware distributors and scammers by any means, and the company is responsive to take-down requests. But Discord users should remain vigilant to the threat of malicious content on the service, and defenders should never consider any traffic from a cloud service as inherently ‘safe’ based on the legitimacy of the service itself,” the report read.