Ozzy Osbourne, a famous musician and TV personality from the 70’s decided to launch a new NFT project called CryptoBatz. “I’ve been trying to get in on the NFT action”[2] said Ozzy, after his wife Sharon didn’t allow him to buy a Bored Ape NFT for christmas, Ozzy decided to “Make his own”[2] .
The collection consisted of 9666 NFT bats, each of which have their own unique colorway and design. Below are some examples of the NFT’s up for grabs.
Stutter Systems, the company who was helping Osbourne launch the NFT project, setup a discord server to gain leeway and popularity among the crypto community, this would also serve as a place for interaction between fans and crypto nerds alike. Everything seemed to be going well until a group of scammers noticed a crucial mistake that left a back door open.
The Crypto Batz project had, at some point, changed it’s old Discord URL for a new one. Usually this isn’t an issue, however, Stutter Systems forgot to delete several tweets that contained links to the old URL!
Before they knew it, scammers had setup a new Discord server using the old Crypto Batz URL. Victims naturally came across and clicked on the links on the official Stutter Systems Twitter account which redirected them to the bogus Discord server.
Once they had joined the server, they were prompted to link their crypto wallet address and provide their “seed phrase”, a series of words that form a password for crypto wallets. The scammers then took this information and began emptying crypto wallets of unsuspecting individuals.
Shortly after, Stutter Systems realized what had happened and they quickly got in contact with discord to take down the fake server. In the short time that the fake discord server was up, over 1330 users had joined, many of which submitted their information.
It’s estimated that over $150,000 US dollars worth of Ethereum was stolen within the short time frame that the server was up. Since then, Stutter Systems has been attempting to reach out to users effected by the scam in the hopes of reimbursing what had been stolen from them.
The team behind the scam claimed that “they are not responsible for Discord’s mistakes”[2] and that not taking advantage of such a situation would be allowing poor security practice.. So who do you think is at fault? Discord for leaving a backdoor open? Stutter Systems for not deleting links to old URL’s? or the Cyber criminals for taking advantage of the situation?
Regardless of who’s to blame, pointing fingers doesn’t help the victims. And it goes to show that even a project run by “known entities can easily wander into a bad NFT situation”[1] .
Sources:
- https://threatpost.com/ozzy-osbourne-nfts-cryptocurrency/177969/
- https://www.rollingstone.co.uk/music/news/exclusive-ozzy-osbourne-announces-nfts-cryptobatz-collection-8800/
- https://blog.malwarebytes.com/crypto/2022/01/discord-scammers-go-cryptobatz-phishing/
Interesting post. I think all the parties involved here can take at least a small amount of the blame. However, this raises bigger concerns. Newly-founded markets like the NFT market is inevitably bound to hackers and scammers since it’s much easier for people to fall for new scams that have not been seen before. I think more extensive cyber security measures should be taken into account when launching new projects and markets to the public. Also, scam warnings should be issued and scam awareness should be raised especially when there are teens involved in the NFT market.
Thanks Omar,
Yes new markets like NFT’s can draw in very large crowds. Crowds that are not familiar with what the market is and what exactly they are buying, with the ever lasting presence of social media, every new opportunity to make money results in a lot of Hype but not a lot of research!
I like this post! It’s quite surprising to me that a scam of this kind was able to happen. I had no idea it was possible for the link to a discord server to be purposefully made to match an old one. Hopefully discord patches that as soon as possible so that something like this won’t happen again. It definitely seems a bit obvious now that it’s a problem, but hindsight is 20/20 of course. I don’t know of any specifics, but I’m sure this has been done with old website URLs that are still linked in old posts on twitter or similar. I suppose one of the best ways to prevent these kinds of things is just to raise awareness of it so people always know to double check that they’re truly following a link to a trusted place, since preventing old URL’s from being re-used seems a bit overkill.
This is a good example of the importance of verifying what you are entering your private information into. There are a lot of phishing scams such as these and those who are not familiar with protecting their seed phrases are at risk of losing all of their digital assets. This is the modern equivalent of not reading the terms and conditions when providing access to one’s wallet, whether by giving away seed phrases or signing away access. There are a lot of very well cloned sites that await unsuspecting users to enter their credentials and we should be wary of these.
Wow! This sounds like an extreme example of a phishing scam! I have to wonder why people would be so eager to give out their crypto wallet information on a discord server. Maybe this calls attention to a need for public education on best practices for cryptocurrency security.
Phishing scams are evolving! Email phishing attacks are usually relatively easy to identify (but not always!). Phone scams can be laughably obvious. Maybe because people don’t expect these scams on Discord, they aren’t as critical about their security.
This is a very interesting post. Scammers will continue to evolve as new systems and technology become available, so I am prompted to believe that the source of the problem is due to both Discord and Stutter Systems. There should have been an automatic de-activation system when a new link/server is up. Nevertheless, these kinds of schemes will always find loopholes and cracks to do exploit vulnerable individuals. I am in agreement with Kathryn Strayer since the best course of action is to remain up-to-date and educated on maintaining your own information to be secure and private.
Very interesting article.
Personally I place blame on the team Ozzy hired to handle this NFT venture. While creating a new discord may make sense, they should have guaranteed that the previous discord links were removed from ALL public postings that the company had made. They also could have created a simple bot to edit postings previously made which contained the aforementioned original discord link. They should absolutely check all of their content related to this from previous postings. I personally wouldn’t trust investing in Ozzy Batz as the security team seems juvenile and lacking of real-world application; in their eyes this was a way to get rich quick with little effort.
I think everyone’s at fault here at least a bit. Stutter Systems should have gotten rid of the old tweets and made it abundantly clear about the new URL if they did not already. I think discord does need some method where the old links no longer activate when a new server is made for it or the old one is gone. Those that got scammed also should have done more research and not be so willing to give out their crypto information easily. Finally I think the cyber criminals can’t really claim some good faith effort here to reveal a security flaw unless they also at least returned all the money so they are also at fault for exploiting the problem.
This was a very interesting post! I think it’s a great example of how a seemingly innocent mistake can have such damaging consequences. I definitely agree with many of the previous commentators on this post that the team involved should have guaranteed that the previous discord links were removed from all public postings. Especially with such a well-known public figure, and such a large campaign, this step absolutely should not have been overlooked. I believe this is another important example as to why people should be more careful about the personal information they share online.
That was a good read!
I think this is a great example demonstrating why cyber security risks should be taken into account when designing business operations and processes, especially for newly established markets like NFT. In this case, the risk of using discord within the transaction process should have been properly considered and mitigated by Stutter Systems. Additionally, having more security protection for the transaction process could have helped prevent issues like this.
Nice write-up, and interesting topic. I didn’t know you could tamper with a discord link to make it specific, but once you’ve done that, an expired link posted anywhere can easily become a link for your server. Usually, this is a more benign thing more along the lines of free advertising, if you accidentally join a discord server, you can just leave it, but in this case, the server was set up to spoof another server, so users wouldn’t know to leave, and would have a false sense of trust in the server. This made it a lot easier to dupe them into giving them info.
Some of the blame has to go to users. Giving someone all the details required to access your crypto wallet should immediately set off some red flags. I would mostly attribute this blame to discord. Discord links are usually set to expire after a certain time frame. Even for non-security reasons, Discord should have considered making it so expired links can’t be reused, both to avoid scams like this and to ensure people clicking expired links wouldn’t be taken to completely unrelated servers, which is both confusing and annoying. I can’t really blame Stutter Systems, almost everyone who uses discord is under the impression that when your discord link expires, it might as well be a dead link.
Astonishing topic, I personally like cyber security because it protects alot of information around us. They should have observed better ways before getting into contact with discord, either ways , everything has a risk.
Personally, Stutter Systems must be the first one to be blamed on this situation. Also, we, users should be more conscious about scams on social media. I didn’t consider Discord as social media before as I mainly use it for group-studying only. However, your post makes me realize that I need to be more cautious when using Discord.
Interesting topic
A similar thing happened with another NFT project called bored Ape, usually, People sell their NFT Projects OpenSea which is an online marketplace for non-fungible tokens. So each NFT project is verified by OpenSea. Seeing this as an opportunity one hacker created a fake Bored Ape project, took a screenshot from the originally verified one, and used it as a profile picture . The fake project was taken down within hours after getting reported but a guy did end up losing $2000 worth of eth.
This is a very interesting post, a good example on how you should be always aware of what you do online, especially when it involves critical information like passwords for online banking, crypto wallets etc. You should never enter these information without thorough investigation and proper thought to whether it might be a scam.
As to who is at fault, I think both Discord and Stutter Systems should have done a much better job. This was a very easily exploitable attack that does not even need any deep understanding of computer hacking, it is mostly based on social engineering. Still, I do not think that anyone should exploit the trust of people to build wealth. It is deeply immoral to scam people out of their money. So even though everyone involved (also the people submitting their personal information) have done some big mistakes, in my opinion this still never justifies stealing.
This is an excellent example of the significance of double-checking what you’re entering your personal data into. Phishing scams like this abound, and people who aren’t familiar with safeguarding their seed phrases risk losing all of their digital possessions. This is the modern equivalent of failing to read the terms and conditions when giving away seed phrases or signing away access to one’s wallet. There are a number of well-cloned sites out there waiting for naïve people to submit their credentials, and we should be cautious.