Ironically, and rather sinisterly, April Fools' Day 2022 has (already) seen nine NFT collections have their Discord servers hacked. The list of victims includes BAYC, Doodles, Dreadfulz, Zooverse, Nyoki, Freaky Labs, Kaiju Kingz, Voyager: Unknown, and Shamanzs NFT.

Such security compromises stand out not only because of their sheer number (typically 2-3 Discord server scandals are reported every day), but also because of the way in which they occurred. The majority of the other 140 recorded Discord security compromises this year occurred through wrongdoers gaining admin access through ‘legitimate’ means (such as social engineering and moderator DMs), making them 'scams' rather than 'hacks'.

Today is different, as the collections listed above have been breached through a verified Discord bot named ‘Ticket Tool’ which, ironically, is primarily used to stop the type of ‘DM scams’ described above. The ‘hacks’ occurred because Ticket Tool’s latest version contained a bug which allowed the $add and $remove commands to bypass permissions and grant normal users the ability to assign webhooks to other users.

As you’d expect from scam artists, these webhooks were then leveraged to make scam announcements in chats, leading community collectors to unknowingly visit fake minting sites, which is where the thefts of crypto wallets then took place.

In reaction to this, Ticket Tool has stated that it is reverting to its previous, uncompromised version, while also regenerating its Discord token for good measure.

With NFT Discord hacks seemingly becoming more and more prevalent (which may be a function of the rapid growth of, and interest in, NFTs), the mass hack of April Fools' Day 2022 should act as a glaring reminder to ensure correct permissions are always set within your Discord servers.
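
One way to check those permissions is to audit who can actually manage webhooks in each channel. The sketch below is an added example, not code from Ticket Tool or from this article. It applies Discord's documented permission-overwrite order to a constructed, simplified guild snapshot; the snapshot layout, IDs and function names are assumptions.

```python
# Added example: list members who can manage webhooks in each channel.
# Bit values and overwrite order follow Discord's documented permission model.
ADMINISTRATOR = 1 << 3
MANAGE_WEBHOOKS = 1 << 29

def effective_permissions(guild, member, channel):
    roles = guild["roles"]
    perms = roles[guild["id"]]                  # the @everyone role id equals the guild id
    for rid in member["roles"]:
        perms |= roles[rid]
    if perms & ADMINISTRATOR:
        return ~0                               # administrators bypass channel overwrites
    ow = {o["id"]: o for o in channel["overwrites"]}
    if guild["id"] in ow:                       # 1. @everyone overwrite
        o = ow[guild["id"]]
        perms = (perms & ~int(o["deny"])) | int(o["allow"])
    allow = deny = 0                            # 2. role overwrites, combined
    for rid in member["roles"]:
        if rid in ow:
            allow |= int(ow[rid]["allow"])
            deny |= int(ow[rid]["deny"])
    perms = (perms & ~deny) | allow
    if member["id"] in ow:                      # 3. member-specific overwrite wins last
        o = ow[member["id"]]
        perms = (perms & ~int(o["deny"])) | int(o["allow"])
    return perms

def audit_webhook_access(guild, approved_ids):
    """Return (channel, member_id) pairs with webhook rights outside the approved set."""
    findings = []
    for ch in guild["channels"]:
        for m in guild["members"]:
            if m["id"] in approved_ids:
                continue
            if effective_permissions(guild, m, ch) & MANAGE_WEBHOOKS:
                findings.append((ch["name"], m["id"]))
    return findings

# Constructed sample data: member "200" has no roles, but a member-level
# overwrite on one channel grants MANAGE_WEBHOOKS there.
SAMPLE_GUILD = {
    "id": "1",
    "roles": {"1": 0, "10": ADMINISTRATOR},
    "members": [{"id": "100", "roles": ["10"]}, {"id": "200", "roles": []},
                {"id": "300", "roles": []}],
    "channels": [
        {"name": "announcements", "overwrites": [
            {"id": "200", "type": 1, "allow": str(MANAGE_WEBHOOKS), "deny": "0"}]},
        {"name": "general", "overwrites": []},
    ],
}

if __name__ == "__main__":
    print(audit_webhook_access(SAMPLE_GUILD, approved_ids={"100"}))
```

Run against a real export, any finding outside the approved set is a member-level or role-level grant worth reviewing, alongside the list of webhooks that already exist in that channel.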