Unwinding a fakemint attack against the Tableland community.
Anatomy of a Fakemint
Unwinding a fakemint attack against the Tableland community.
In the early hours of July 21, 2022, the Tableland Discord server was compromised by malicious actors, successfully impersonating moderators on the channel and leading community members to a fake Tableland domain that funneled targeted assets from member ETH wallets.
The perpetrators utilized a fakemint scheme, which lured community members using a pretense of an exclusive, limited mint. Instead, target victims were taken to a malicious website that tricked some of them into granting specific wallet permissions. Once granted, the perpetrators were able to siphon away Tableland Rigs and other NFTs, including Otherside Otherdeeds, Doodles Genesis Boxes, and more. These phishing and fake mint schemes have been on the rise in recent months taking advantage of numerous NFT / web3 projects including: Yuga Labs, Lacoste NFT, OpenSea, Axie Infinity, and others.
These schemes rely on vulnerabilities within communication and social media platforms such as Twitter, Discord, or Telegram, and utilize methods of social engineering (impersonation of project managers / admins) or malicious software downloads to funnel victims into the wallet draining software. Figure 1 gives an overview of these steps below:
Phishing attacks like the one that targeted the Tableland community can be broken down into three phases, which we’ve labeled as:
- Penetration - Compromising the target social channel though a phishing message or malicious bot / download
- Funneling - Advertising to the compromised social channels and its community members
- Execution - Subverting control over phished community member wallets and looting the assets within
The following is a summary of the fakemint hack as it relates to affected Tableland assets. We’ll begin at the execution phase of the fakemint and follow the assets as they traverse the ETH blockchain. In a follow up analysis, we’ll expand the perpetrators’ footprint and provide a broader view of their impact across various NFT communities.
The Tableland Fakemint - Part One
The Execution Phase
After the penetration of Tableland social channels, the perpetrators sent a link to phishing domain called “claim.tableand.xyz” (note the missing second “L” in tableland) and hacked community wallets after luring them with an exclusive mint.
This particular domain was purchased with added privacy to hide their real identity. A review of the DNS records shows this subdomain A record pointing to 220.127.116.11.
During the early phases of the attack, the domain was reported as a phishing site to the registrar for takedown. However, the site remained active for at least several more hours.
Once the lured community members arrived at the domain, they clicked the mint button on the homepage which initiated a wallet draining script tagged to their browser based wallet software. Stolen assets were sent to two ETH wallets:
FakeMint 1: 0x288040312d39ce8fea20d85eb2d50cf31563b716
FakeMint 2: 0xb3b79426b163a53ea0f07ec28f72b77b3d30e8e9
The primary wallet used in collecting stolen assets, FakeMint 1, was initiated by deposit on July 17th, 2022. Three deposits were received, several hours apart from the same address, 0x71d…f8E2. Figure 2 above shows these deposits and their amounts.
This funding address has unique relationships in its chain and related transactions outside this Tableland incident. More information to be shared in a follow up analysis on 0x71d…f8e2 and its larger footprint.
FakeMint 1 began receiving stolen assets via the phishing domain shortly before 3AM EST. Eleven Tableland Rigs were sent to this address, as well as NFTs from other projects. The tokens were of indiscriminate value and held for a short period of time within FakeMint 1 before they were traded on an open marketplace or transferred to the second perpetrator address.
Initiation of Second Address, FakeMint 2
Shortly after FakeMint 1 received its eleventh Tableland RIG, #207, FakeMint 1 transferred ETH to the second perpetrator address, FakeMint 2. This transaction can be seen below in Figure 4.
Within minutes after funding the second address, FakeMint 1 began to transfer non-Tableland assets to FakeMint 2.
Five additional Tableland rigs were sent to FakeMint 2, as well as additional, non-Tableland NFTs from popular web3 organizations. Within twelve hours, FakeMint 2 received 29 total assets via the Tableland fakemint scheme, direct transfers from FakeMint 1, or other direct transfers from various addresses. We are looking deeper into these other address transfers in our analysis of the broader footprint of the perpetrators.
After receiving stolen Tableland assets, FakeMint 1 and FakeMint 2 operators moved quickly to liquidate many of the tokens via direct sales on NFT marketplaces such as LooksRare or through the marketplace aggregator, GemSwap.
- Approximately 1.59 ETH was sent to FakeMint 1 from address 0x71d…f8E2 beginning July 17th, 2022. This was the initial funding of the primary perpetrator address
- The Tableand.xyz domain was created and registered on July 20th, 2022 and a wallet drain script was attached to a subdomain, claim.tableand.xyz shortly after
- July 21st, 2022, the Tableland discord was compromised and victims were directed to the claim.tableand.xyz domain
- Victims clicked on a malicious “Mint” button on the domain, linking their assets to the wallet drain script
- The wallet drain script funneled stolen Tableland NFTs and other assets to FakeMint 1
- FakeMint 2 is funded by FakeMint 1 with 0.20 ETH at 3:00AM EST July 21, 2022
- FakeMint 1 transfers a proportion of stolen NFTs from various projects to FakeMint 2
- FakeMint 2 is the new primary wallet linked to claim.tableand.xyz and begins receiving stolen assets from the draining script
- FakeMint 1 begins liquidating stolen assets across various marketplaces
- FakeMint 2 begins liquidating stolen assets across various marketplaces
These fakemint and phishing schemes have been performed across a variety of NFT projects over the last several months. They target lively and optimistic communities while seizing on this optimism to take advantage of NFT holders. ColleyIntelligence and Loggerhead Group will continue to support the Tableland team and provide assistance where needed.
These attacks are becoming dangerously easy to perform. In the past six months, we have seen them successfully target the most renowned projects and countless smaller projects in the space. Unfortunately, there is very little sign that they are slowing down. If we genuinely believe that web3 holds the potential to transform the Internet and society, we must address this problem head-on.
The individual technologies exploited or taken advantage of in these attacks are relatively few. Take the attack outlined above, where Discord, a fraudulent website, user wallets, and the blockchain were each manipulated to pull of the exploit. We should swiftly address the security weaknesses in each layer of the attack.
In the case of the Discord attacks, it's wildly apparent that this security gap allowing attackers to take over an admin session should not exist. As long as it does, it's evident that Discord isn't serving the web3 community's needs. To configure a new Discord server from scratch to be secure enough for a web3 project is tricky. It requires careful setup and configuration of multiple 3rd party bots to fill the holes exploited by bad actors. Without a secure community tool, we create a dangerous situation for new projects and the people that join their communities.
Similarly, it is disheartening to know that fakemint attacks and attacks like it can easily exploit today's most popular wallets. Almost every web3 onboarding guide you see today leads users to the same setup. It's a fragile setup that may lose those users their digital art, currencies, and potentially a lot more with a single hasty click. While these attacks continue to hit the community, we must band behind better onboarding instructions and ultimately fund and simplify better technologies.
At the smart contract level, standards-compliant NFTs are required to implement the
setApprovalForAll method. Fakemint hacks exploit this method to siphon off an owner's NFTs. Yet today's marketplaces can't work without this function. We should look at more rigorous on-contract approval steps to better protect owners while still allowing them to sell their assets. It's easy to imagine automatic time delays, marketplace allow listing, and other functions added to our standards. We don't know the complete answer to this dilemma yet, but certainly, there is a better way forward.
The total illegal activity on our blockchains is a micro-fraction of everything happening on the blockchain. However, those transactions have an outsized impact on those affected, get significant attention from the press, and are disproportionately swaying the opinion of people outside our community. Together, we can win this. We will improve security across web3 and make this a safe home for all the beautiful things we aim to build.
Alex Robnett of Loggerhead Group, LLC and Colley Intelligence collaborated on this assessment and analysis. Loggerhead Group, LLC is boutique crypto, business and financial risk consultancy. Colley Intelligence is an international corporate investigations and intelligence firm specializing in matters that are complex, sensitive, and high-profile.