GameFi project Axie Infinity fell prey to a Discord phishing scam on Wednesday, with scammers posting fake announcements about a surprise mint. It’s the second major security crisis the play-to-earn game has faced this year, following the March governance attack that drained 173,600 ETH and 25.5 million USDC from the Ronin bridge.
Axie Infinity was not the only crypto project affected, developers said. The hack allowed scammers to gain access to the channels of RTFKT, Cool Cats, Moonbirds, and Magic Eden, among others. According to Discord security specialist Jacob H, the attackers may have reached over 2.7 million users.
The attack started with a breach of the MEE6 bot, which allows Discord users to create commands that automatically grant and revoke roles, send messages, and post social media alerts. After gaining access to the channels, the hackers initiated phishing attacks. Earlier this month, the Discord channel of the largest NFT marketplace in the world, OpenSea, was also compromised, but it's unclear if that attack was orchestrated by the same parties.
Pseudonymous NFT collector and security specialist Skits shared the method hackers could be using, which involved a sophisticated mix of social engineering and concealment of the compromised admin account. The attack is ongoing, various Discord security experts confirmed Wednesday morning.
It appears that MEE6’s verified Twitter account has also been hacked as it posted nothing but a bleak announcement that no hack has occurred.