When a pop culture icon like Ozzy Osbourne announces an NFT collection, you can count on the project receiving publicity. The launch of the “CryptoBatz” collection, a series of 9,666 digital bats, received coverage from Billboard, Rolling Stone, NME, Hypebeast, and Business Insider, among others.
But just two days after the tokens were minted, supporters are being targeted by a phishing scam that drains cryptocurrency from their wallets, taking advantage of an incorrect link shared by the project’s official Twitter account.
Like most NFT projects, CryptoBatz uses Discord as a place to organize its community. But previously, the project used a slightly different URL for its Discord server.
When the project switched to the new URL, the scammers set up a fake Discord server at the old one. But neither CryptoBatz nor Ozzy Osbourne took the precaution of removing tweets that referenced the old URL, meaning Osbourne’s own old tweets were left directing followers to a server now controlled by scammers.
A CryptoBatz tweet, posted on December 31, 2021, received over 4,000 retweets and hundreds of replies. The tweet was only deleted on January 21 after The Verge contacted CryptoBatz.
Upon clicking the scam link, the invite panel for the fake Discord displayed the total number of members as 1330, an indication of the number of people who might have been fooled by the scam.
Inside the server, a bot spoofing the community management service Collab Land asked users to verify their crypto assets in order to participate in the server, but directed them to a phishing site where they were asked to connect their cryptocurrency wallets.
A representative for Collab Land declined to comment.
Tim Silman, a non-profit employee, is one person who lost money through the scam. Silman estimates that around $300-400 worth of ETH was drained from his wallet after he visited the fake Discord server via a link posted on the CryptoBatz website.
“I’ve seen at least a dozen people on Twitter expressing this very issue,” Silman told The Verge. “If you look at the trades on Etherscan, others lost a lot more than I did.”
An Ethereum wallet address that Silman indicated was linked to the scammers received a series of incoming transactions totaling 14.6 ETH ($40,895) on January 20 and sent them on to a wallet containing more than $150,000.
The project had been slow to remove bad links, even when reported, Silman said.
“I tagged them several times in various tweets, just like other people, but got no response,” he said. “This is an expensive lesson, I suppose.”
Despite the fact that the fake link remained present in a prominent tweet, the CryptoBatz project continued to advertise the public minting of tokens. As of January 21, CryptoBatz NFTs were resold on OpenSea for around 1.8 ETH ($5,046).
When asked if the project should accept responsibility for leaving the above link online, Sutter Systems, developers of the CryptoBatz NFT, directly blamed Discord for the scam. In an emailed statement to The Verge, Sutter Systems co-founder “Jepeggi” stressed that the compromise was only possible because of how easily the scam Discord server could be set up and maintained.
“While we feel very sorry for the people who have fallen victim to these scams, we cannot take responsibility for the actions of scammers who exploit Discord, a platform over which we have absolutely no control,” Jepeggi said. “In our opinion, this situation and hundreds of others that have taken place on other projects in the NFT space could have been easily avoided if Discord had a better response/support/fraud team to help large projects like ours.”
Discord said it was aware of the incident and in contact with the affected team.
“Our Trust and Safety team is in contact with the server owners and is investigating the incident,” said Peter Day, Discord’s senior manager of corporate communications. “Our team takes action when we become aware of attacks like this, including banning users and shutting down servers.”