Axie infinity Phishing Attack

The world of blockchain-based games was rocked by a major phishing attack targeting users of Axie Infinity. The malicious actors behind the attack used fake websites and social media accounts to deceive users into entering their private keys, resulting in the theft of funds from their wallets.

Axie infinity Phishing Attack

MAY 2022

Multiple large NFT collections and crypto projects, like the play-to-earn game Axie Infinity, have experienced security breaches on their Discord servers. Attackers have exploited these breaches by sharing phishing links disguised as NFT mints.

Among the affected projects are renowned NFT collections such as Moonbirds and PROOF, as well as notable entities like virtual sneakers company RTFKT, payment network Memeland, and social graph protocol CyberConnect. PeckShield, a blockchain security firm, has provided insights into these incidents.

Axie Infinity itself has confirmed the compromise of its Discord server.

"There was a compromise of the MEE6 bot which was installed on the main Axie server," Axie Infinity said. "The attackers used that bot to add permissions to a fake Jiho [Jeff Zirlin, co-founder of Axie] account, which then posted a fake announcement about a mint."

The team noted that they have removed the fake announcements, adding that they would "never do a surprise mint."

Some other projects have also confirmed the attack, speculating that the widely-used MEE6 Discord bot might have been compromised.

"It seems that the MEE6 bot is compromised. Please do not click any links in our discord," Memeland said on Twitter.

However, the MEE6 team has seemingly denied allegations that the bot was compromised. "MEE6 was, is and never will be compromised," a team member has reportedly said on Discord.

According to its website, the MEE6 bot empowers users to effortlessly create commands for granting and revoking roles, as well as sending messages in the current channels or via direct messages.

Meanwhile, Skits, a renowned NFT educator and discord security auditor, has alleged that the attack was executed through a phishing scam. This fraudulent activity compromised admin accounts and cunningly employed certain features of MEE6 to obscure the compromised admin accounts' identities.

"First they will hack an admin account. Secondly they will create a reaction role feature from MEE6 to give an alternate account admin," Skits said. "Using this method, they will be able to send webbook messages while hiding who the compromised administrator account is."