Messaging platform Discord servers of multiple large NFT collections and crypto projects, including play-to-earn game Axie Infinity, have been compromised, with attackers publishing phishing links that appear to be NFT mints.
Some other affected projects include popular NFT collections Moonbirds and PROOF, virtual sneakers company RTFKT, payment network Memeland, and social graph protocol CyberConnect, among others, according to blockchain security firm PeckShield.
Axie Infinity confirmed that its Discord server has been compromised.
“There was a compromise of the MEE6 bot which was installed on the main Axie server,” Axie Infinity said. “The attackers used that bot to add permissions to a fake Jiho [Jeff Zirlin, co-founder of Axie] account, which then posted a fake announcement about a mint.”
The team noted that they have removed the fake announcements, adding that they would “never do a surprise mint.”
Some other projects have also confirmed the attack, speculating that the widely-used MEE6 Discord bot might have been compromised.
“It seems that the MEE6 bot is compromised. Please do not click any links in our discord,” Memeland said on Twitter.
However, the MEE6 team has seemingly denied allegations that the bot was compromised. “MEE6 was, is and never will be compromised,” a team member has reportedly said on Discord.
The MEE6 bot enables users to create commands that automatically give and remove roles and send messages in the current channels or in the user’s direct messages, according to its website.
Meanwhile, pseudonymous NFT educator and discord security auditor Skits has claimed that the attack actually involved a phishing scam that compromised admin accounts and used MEE6 features to disguise which admin accounts were compromised.
“First they will hack an admin account. Secondly they will create a reaction role feature from MEE6 to give an alternate account admin,” Skits said. “Using this method, they will be able to send webbook messages while hiding who the compromised administrator account is.”
Skits has also shared a screenshot of what appears to be a dialogue among the attackers, which seems to be “a large group,” where one scammer admits to stealing over a million.