Phishing frenzy: School kids are stealing millions of dollars of NFTs — to buy Roblox skins

Sometimes it’s good to be suspicious of journalists.

Take the case of Orbiter Finance. Last month, a supposed journalist claiming to be from a crypto news site contacted one of its Discord moderators and asked them to fill in a form. The moderator didn’t realize this simple act would hand over control of their Discord server.

Once inside, the perpetrator froze other admins’ control over the server and restricted the ability for community members to send messages. They posted an announcement for a fake airdrop, sending everyone to a phishing website designed to steal their NFTs. It worked. In total, they stole a million dollars’ worth of NFTs and tokens in a flash, while the team could only watch.

“We were so concerned,” said Gwen, a business development manager at Orbiter Finance, who recounted what had happened in an interview. “If we cause any damage to [our community members], we will just lose the trust from them.”

The Orbiter attack is just one recent example in a long string of exploits involving NFT drainers and compromised Discord servers or Twitter accounts. Data collected by NFT analyst and security expert known as OKHotshot shows that at least 900 Discord servers have been compromised since December 2021 for carrying out phishing attacks — with a notable uptrend in the last three months.

Such attacks have impacted at least 32,000 victim wallets over the last nine months, according to data gathered by PeckShield and multiple dashboards on Dune Analytics by Scam Sniffer and others. In total, attackers have stolen NFTs and tokens worth a combined $73 million. 

The faces behind the attacks

These schemes often involve wheeling and dealing in an emerging black market for drainer code. 

The orchestrators of the phishing attacks first head to Telegram and Discord, where they can find channels run by the developers of numerous different kinds of drainer. They contact the developer and purchase the drainer, which takes the form of a set of code that can be integrated into websites, while typically agreeing to give 20-30% of the proceeds to the developer. Then they will use their own methods — one being the fake news site example described above — to compromise a Discord server or Twitter account and advertise a fake website containing the NFT drainer code to steal NFTs and anything they can get their hands on. 

That is, when they’re not busy with homework.

“95% of them are kids below the age of 18 and they’re still in high school,” said a pseudonymous security researcher known as Plum, who works on the trust and safety team at NFT marketplace OpenSea, adding that this is why the number of attacks tends to increase during the Summer holidays.

“I personally have talked to quite a few of them and know they’re still in school,” said Plum. “I’ve seen pictures and videos of various of them from their schools. They talk about their teachers, how they’re failing their classes or how they need to do homework.”

These kids seem to make little effort to hide their newfound riches.

“They'll buy a laptop, some phones, shoes and spend vast amounts of money on Roblox. They all play Roblox for the most part. So they'll buy the coolest gear for their Roblox avatar, video games, skins and things like that,” said Plum.

Plum added that they often also buy gift cards with crypto on gift card marketplace Bitrefill, spend thousands of dollars on Uber Eats, buy designer clothes, pay people to do their homework for them and even buy cars that they can’t drive yet. And they also gamble. 

“They’ll bet $40,000 a pop on an online poker game and stream it to all the other hitters in a Discord call. Everyone will watch this person play this poker game,” they said.

The exploiters try to cover their tracks by paying people in lower income countries to use their personal details to register on exchanges, obfuscating the trail when they cash out, said Plum. But they said at least some of them should have been caught by now because they leave behind ample evidence of their actions — if it wasn’t for a lack of interest from law enforcement in catching them. 

As for why perpetrators think they can get away with such attacks, Plum speculated that, “they feel invincible, they have God mode — that no-one can touch them.”

While countries like North Korea are also involved in phishing attacks targeting NFTs, they typically use their own drainers and are less involved with drainers for sale, said Plum. As for those who create the NFT drainers — who in some cases carry out attacks using their own technology — they’re a little more elusive, but their pseudonymous profiles nevertheless leave a distinct trail.

The rise of NFT drainers

One of the earliest NFT drainers, Monkey, set up their Telegram channel in August. But it wasn’t until October when it started really getting active. Over the next few months, their technology was used to steal 2,200 NFTs according to PeckShield, worth $9.3 million, and an extra $7 million in tokens.

On February 28, Monkey decided to hang up their hat. In a farewell message, its developer said, “all young cyber criminals should not lose themselves in the pursuit of easy money.” They told their clientele to use a rival drainer known as Venom.

Venom was a worthy competitor. It was another of the earliest drainers, and over time it was used to steal more than 2,000 NFTs from over 15,000 victims. The drainer’s customers used 530 phishing sites to carry out attacks targeting crypto projects like Arbitrum, Circle and Blur — reaping a total of $29 million across NFTs, ether and various tokens.

While Venom was one of the first NFT drainers to go multichain, they didn’t pull it off very well, security experts noted. But theirs was the first drainer to be used to steal NFTs on NFT marketplace Blur.

Other competitors included Inferno, which was used to steal $9.5 million from 11,000 victims and Pussy, which was used to steal $14 million from 3,000 victims. Customers of Angel, which originated from a Russian hacking forum, used it to steal $1 million from over 500 victims in the form of NFTs and various tokens — most recently compromising crypto wallet Zerion's Twitter account.

And then came Pink.

The curious case of Pink

On October 25, Fantasy, a security expert and co-founder of crypto security firm BlockMage, was digging in the Discord Server for Wallet Guard, a crypto product designed to protect against phishing attacks. It was here that they came across another account called BlockDev, who claimed to be a security researcher and ran a Twitter account called Chainthreats where they would post security information about exploits.

While Fantasy and BlockDev had some disagreements when they first met, over time, they started speaking on a regular basis. Then BlockDev came up with an idea: to exploit the crypto hot wallet owned by the developer of the Venom drainer — using its own API against it. BlockDev explained how they were planning to do it and then carried out the attack, stealing $14,000 of cryptocurrency from Venom’s developer. Fantasy watched the whole thing happen and noted down the wallet that BlockDev used to carry out the attack.

At the start of the year, a new NFT drainer broke onto the scene called Pink. This one seemed more advanced than its predecessors. It quickly became popular and was used to steal NFTs in a flurry of attacks. Only when Fantasy looked into it, they traced the source of the funds used to set up the drainer back to BlockDev’s wallet — suggesting they were the same person.

“I looked back at the original funding source as well as the general activity between the two wallets — they share similar activity. I confronted him and he wasn’t too happy about it,” said Fantasy. “He was disappointed in me as a person. He thought he could trust me, which I thought was very amusing.”

At this point the supposed researcher, now known as Pink, deleted their Discord and Twitter accounts and cut ties with security researchers like Fantasy and Plum.

Pink drainer went on to be used for larger exploits throughout May and June, including on the Discords of Orbiter Finance, LiFi, Flare and Evmos, as well as Steve Aoki’s Twitter account and others.

The attackers again employed the tactic of posing as journalists reaching out to conduct interviews and often told Discord moderators, or whoever their target was, to bookmark a certain webpage. According to Scam Sniffer, this key step is how they end up infiltrating servers. 

Plum and Fantasy noted that the Pink drainer manages to evade protections, such as wallet extensions that are designed to prevent such thefts. They said Pink has been finding success in bypassing wallet extensions Pocket Universe and Wallet Guard. They also implemented a way to steal tokens and NFTs at the same time on Blur, which they described as a significant development.

As for what can be done to protect against such attacks, Plum said that security-focused wallet extensions are still good for protecting wallets in general. They noted that it’s good practice to use multiple wallets and to store large amounts of funds in cold wallets, and added that it’s also good to revoke approvals — when a wallet gives the blockchain permission to interact with a certain token — if the token in question isn’t being actively used.

“Don't set yourself up so that one mistake — if you're distracted by your kids screaming — it causes you to lose everything you have,” Plum said.