Two Web3 security firms have issued reports focused on the recent scourge of hacks targeting NFT projects, likely by a linked group of hackers using compromised Discord server administrator accounts.

According to a recent analysis by TRM Labs, cyber attacks against NFT collections have steadily risen in 2022, costing the NFT community over $22 million in May alone. NFTs are blockchain-based tokens that show ownership over digital or physical assets.

In the report, TRM Labs—which specializes in digital asset compliance and risk management—says cyberattacks linked to NFT minting scams deployed through compromised Discord accounts subsequently increased by 55% in June 2022 compared to the previous month.

"Since 2022, we've seen these compromises happening at scale, specifically on Discord," TRM Labs investigator Monika Laird told Decrypt in an interview.


TRM Labs says it has received over 100 reports of Discord channel hacks in the past two months through its Chainabuse reporting platform. Laird says that the attacks happen weekly and often target ERC-721 tokens, which is a token standard on the Ethereum blockchain for non-fungible tokens.

On the on-chain side, she said the relationship between the common consolidation points (exchanges, mixers) and wallets suggests that the same actors run the bulk of these attacks.


Yuga Labs, the company behind the NFT status symbol Bored Apes Yacht Club, said on Twitter last week: "Our security team has been tracking a persistent threat group that targets the NFT community. We believe that they may soon be launching a coordinated attack targeting multiple communities via compromised social media accounts. Please be vigilant and stay safe."

TRM Labs says on-chain data suggest many of the Discord compromises are linked to the same hacker that targeted the Bored Ape Yacht Club in June. According to the firm, other targeted projects include Bubbleworld, Parallel, Lacoste, Tasties, Anata, and more.

As Laird explained, there have been over 150 compromises since May targeting an admin role within a larger NFT project channel. Once the hackers control the admin account, they send out links to promotional giveaways and "exclusive" NFTs mints pushing people to jump into these malicious websites by creating a false sense of urgency.

"It isn't necessarily that Discord in and of itself has a weakness, but it just makes it a very target-rich environment," says Chris Janczewski, head of global investigations at TRM Labs. "If you're looking for people that own NFTs, you go to a place where they're all hanging out, and you have a point to be able to make [contact] with them."

While cyberattacks targeting Discord have been successful, Laird pointed out that hackers also compromised Twitter and Instagram accounts in recent months.

TRM Labs says that the rate at which the attacks are happening, and the fact that they occur across multiple blockchains, suggests that they could be separate attacks by rival cyber criminals running scams at the same time using tools provided as a "Scam-as-a-Service," turn-key, pay-as-you-go services to launch attacks.

In a separate report detailing broader cyberattacks previewed by Decrypt, Blockchain security firm Halborn has also seen an increase in threats targeting crypto, pointing to the North Korean Lazarus Group, which the U.S. Treasury Department claims orchestrated the $622 million hack of the Axie Infinity Ronin Network.


While TRM Labs’ report did not specify where the attacks are coming from, the separate report by Halborn sees the threat originating from within China.

“Analysis indicates that Chinese actors aiming for high-value individuals in crypto sector,” Alpcan Onaran, Halborn offensive security engineer, told Decrypt via Telegram. “We are expecting a logarithmic increase in advanced persistent attack (APT) activity and also expect to see different adversaries targeting Web 3.0  companies and individuals.”

Onaran says that in Web3, security should be considered in all aspects, both technically and non-technically, to defend against these new threats.

Onaran says that in Web3, security should be considered in all aspects, both technically and non-technically, to defend against these new threats.

"There's a saying that there's no such thing as new crimes [or] new scams; there are the old ones repackaged," Janczewski says. "So it makes perfect sense that all the kind of spear phishing, the FOMO, the getting people to do things irrationally very quickly, has pivoted into the new space, which is NFTs."

Editor's note: this article was updated to further clarify that the TPM Labs and Halborn reports are separate and distinct.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.