Anatomy of a Theft: The Unchained NFT Heist
By Kathy Chu, TruthDAO
The hack at Unchained, a blockchain gaming project, was triggered by the crudest, and in many ways simplest, of online weapons: a phishing link.
One of the people who took the bait was Yan, who goes by "J2B" online. He clicked because the link appeared in the project's official Discord message server. Yan is known as a "whale" in the crypto world because he owns more than 200 unique digital assets, or NFTs. As a systems administrator in Montreal, he often reminds others of the importance of not clicking on unknown links.
Dozens of other people clicked the same link in late May. Collectively, the hacker drained 109 wallets of 115 Solana and 500 NFTs. Estimated value on the day of the theft: $25,000 to $30,000.
The Unchained hack, while of modest value, is part of an explosion in security breaches across the crypto universe. NFT projects have become a popular target for hackers, with nearly $63 million lost so far in 2022, on pace to match the record $125 million lost in full-year 2021, according to blockchain security firm Slowmist Zone. Bored Ape Yacht Club, a high-profile NFT project, said earlier this month that a hacker had infiltrated its Discord server and stolen $360,000 of NFTs from its community.
The world of decentralized finance is also full of hacks, with incidents occurring once every 72 hours last year, according to Elliptic, a blockchain analysis firm. And 2022, by all appearances, is shaping up to be another banner year. In the first three months alone, crypto investors lost more than $1.22 billion to hackers, security firm Immunefi estimates, an eight-fold increase from the $154 million lost in the first quarter last year.
Some heists run well into the nine figures, including Ronin gaming network's $614 million loss in March. In addition to the financial pain, hacks like this do damage to investor confidence. Hacks are “limiting the potential of DeFi and metaverse technologies to become more mainstream,” says Arda Akartuna, a crypto threat analyst at Elliptic.
Many companies don't talk about hack incidents, in part for security reasons and because they don't want to scare off investors.
“JPorta,” the co-founder of the Unchained project — his real name is only known to a few people in the crypto world — and a half dozen others knowledgeable about the Unchained project hack agreed to talk with TruthDAO. Their story provides a rare look into how a hacker compromised a Discord server and wreaked havoc on a crypto community. What’s striking about the Unchained hack is that the victims fought back — and won.
‘Swat Was Hacked’
It was May 23. Minting day for Unchained. The venture's security chief, SWATGoblin — who doesn’t disclose his real identity — thought things were going smoothly. So did JPorta.
Shortly after 1 pm, SWATGoblin sent a message to Unchained’s other moderators and founders, including JPorta. “Hey y'all, I gotta start getting ready for work. I'll monitor as much as I can. Things are looking good, we've gotten rid of a ton of bots.”
Within moments of stepping away from his computer, a hacker took over SWATGoblin’s account, locked out the other moderators, and directed Discord users to mint the NFT through a fake link rather than going through the marketplace Magic Eden.
Unchained’s founders believe the attacker was reading the group’s confidential messages the day NFT sales began. So the attacker saw the opportunity to strike when SWATGoblin stepped away. The hacker appears to have written the code to take over the Discord server months before and used it in multiple hacks, according to developers who analyzed the heist.
One tell-tale sign of the hack was the domain. The Unchained project used ".io," but the fake link sent out on the Discord ended in “.org” — an immediate red flag if one was looking closely. Unfortunately, Yan and many others didn't that day. This, despite the fact that SWATGoblin had posted a security message to Unchained’s Discord community warning everybody to be careful:
“Attention!! We are not doing a stealth mint. We will not surprise you with a link.” According to SWATGoblin, this message was posted as often as once every 15 minutes or so in the days leading up to the minting, just to make sure members were on alert.
News of the hack spread quickly.
“SWAT was hacked,” team members typed furiously to each other in Discord messages.
A flurry of urgent private messages came in from Unchained community members whose wallets had been drained. JPorta said his heart sank. Six months of planning for this launch down the drain, he thought.
Unchained’s other co-founder, AndyRew, was outside when the hack happened, his laptop open on a glass table. AndyRew, JPorta and the project’s other leaders immediately huddled on the phone to figure out what to do next.
Operation ‘Scam A Scammer’
For the next few hours, the moderators worked furiously. SWATGoblin logged into his Discord account, hoping to catch the hacker unaware. He quickly transferred control of the Unchained Discord servers to another moderator — effectively kicking the hacker out of the system — and changed his password. Then he began using a new name online: Undercover Narc.
The team planned an emergency session online that evening to share details of the hack with victims and their community.
Yan, the IT administrator from Montreal, lost the most. The hacker drained his digital wallet of 25 NFTs from the World of Solana, a collection of images of semi-realistic cartoon heroines. World of Solana was one of 30 NFT projects that had considered partnering with Unchained, allowing its NFT characters to be part of a fighting game that could be played by projects across different blockchains.
Yan messaged the World of Solana founder, Quanty, about what had happened. Quanty sprung into action, using a burner wallet — basically a temporary digital wallet — to verify the link was malicious.
Quanty then reached out to Cyber Frogs, which offers development services to the World of Solana. Quanty asked for the royalties on the stolen NFTs to be increased so the hacker would get nothing if he tried to sell them.
Royalties are basically what creators of the NFT — in this case, World of Solana — receive from the sale of the digital asset. Normally, the creator and the marketplace get a small cut of any sale. The seller of the NFT pockets the rest. By raising the royalties on the stolen NFTs to 98% from 5%, Quanty and Cyber Frogs effectively erased any profit the hacker would get from the NFTs.
The plan was far from foolproof. The hacker could decide to hold on to the stolen NFTs indefinitely. Also, if the hacker realized the royalties had been changed, he could delist any stolen items he’d put up for sale on NFT marketplaces. This would make the NFTs almost impossible to recover.
But if they could pull off the ruse, they also might swindle the thief. “Operation Scam A Scammer” was born.
Then the waiting began. World of Solana's Quanty enlisted half a dozen members from the tight-knit World of Solana community to keep an eye out for the stolen NFTs. He warned them not to buy any until all 25 NFTs were listed for sale, to minimize the chance of the hacker discovering the royalties had been changed.
‘Hackers get rekt’
That evening, more than 250 people listened as Unchained talked about the hack in a Twitter Spaces forum. The team was emotional and apologetic, their voices breaking at times. The hacker had likely gotten access to Unchained’s Discord server through a link that had been sent to the project’s security chief, SWATGoblin, the team explained.
SWATGoblin believes the scammer was a person who asked him for advice about a separate project in the days before the launch. The scammer sent SWATGoblin a Discord link to check out. Once SWATGoblin clicked on the link and verified that he was not a bot, the scammer gained access to Unchained’s server.
Unchained’s team promised to compensate each of the 109 wallets affected for at least part of their losses. They also planned to keep minting the Unchained NFT for anyone who still wanted it. “He won the battle, he didn’t win the war,” JPorta said. “We’re not done.”
For the next 24 hours, the Unchained team tracked the wallets that had been scammed so they could compensate them. They also beefed up security in the Discord group by installing a security bot that would make it harder for another hacker to strike.
Two days after the hack, they finally got some good news: The hacker had listed all 25 NFTs stolen from Yan. The World of Solana had recovered its NFTs.
The fast turnaround soon turned into an online celebration. “OPERATION SCAM A SCAMMER SUCCESSFUL,” Quanty wrote to the World of Solana community on its Discord.
“Mad respect,” one person posted to Quanty.
“OMG!!” Yan posted to the group, with a snapshot of his wallet showing his 25 World of Solana NFTs were back in their rightful place.
And the good news kept coming. On the same day the NFTs were recovered, May 25th, Unchained’s collection of 4,444 NFTs also sold out.
Unchained posted a message to its Twitter feed:
“Hackers get rekt
Our community strong as fck
Now the fun begins, lets (sic) get to work.”