Axie Infinity’s server bot on Discord was hacked on Monday night (1) by a scammer who, impersonating the official team of the popular play-to-earn game, reported a fake sale of NFTs to steal the cryptocurrencies of the players.

The plan seems to have worked and in the short time that the bot’s message was in the air, the attacker managed to steal 28,2848 Ethereum (ETH) from its victims, the equivalent of R$ 716,000 at the current price of the currency.

According to public data from the blockchain, the scammer’s address was created the night before and all the stolen funds have already been spread to other addresses.

On Twitter, a user who confessed to being responsible for the attack shared the balance of his wallet, thanking the Axie Infinity community for having fallen for his scam.

how the attack happened

The Axie Infinity Team confirmed the veracity of the attack and explained that it was possible because one of its administrators had the account compromised in Discord.

“The attacker tricked a member of our support team into sharing his screen and inspecting his browser (Chrome). This allowed the attacker to gain access to the employee’s Discord account despite two-factor authentication being enabled,” the official statement said.

Within the admin account, the attacker had full access to the game’s official bot settings. A bot is a kind of “robot” that Discord channels set up to publish automated messages.

Official bots have an authentication seal to assure the user that the message is in fact trustworthy and it was probably because of this trust that many ended up falling for the scam.

Message posted by the hacker on Discord from Axie Infinity. (Source: Discord/Reproduction)

With the access cleared, the attacker was able to share Axie Infinity’s fake sale of NFTs across all Discord channels programmed to share the bot’s news. Users who clicked on the message link were directed to the scam page.

In all, 155 players lost money when interacting with the smart contract created by the scammer. However, the Axie Infinity team has already committed to fully reimburse all injured players.

The game reported that it is working with Discord to resolve security holes and that it also plans to guide all team members to prevent their accounts from being compromised in the future.

Who is behind the coup?

As soon as the scam was identified by the Axie Infinity team, the fraudulent website promoting the fake sale of NFTs went down and the landing page started to display a message from the attacker.

In the screenshot shared by the Manila Bulletin, the hacker who identifies himself on Twitter as @racist wrote: “Raced by racist! Boost your security, bunch of larpers”.

Message from the hacker responsible for the attack. (Source: Manila Bulletin/Reproduction)

On Twitter, the hacker also claimed responsibility for another attack that happened the same night, this time to the project behind the NFT collection Jungle Freaks.

On the day of the attack, the community discovered that George Trosley, the artist behind the collection, had produced a series of racist drawings in the 1970s. BRL 658 thousand.