In less than 30 minutes, malicious links pretending to be a “land mint” for the popular Azuki NFT project stole more than $750,000 worth of USDC, 11 NFTs, and over 3.9 ETH. But the mint was a fake, and the link took users to a “drainer” contract that tricked them into signing a transaction that swiped assets from their wallets.
Etherscan data provided by Web3 security firm WalletGuard shows that a single user seems to have sent over $750,000 worth of stablecoin USDC to the attacker’s wallet by accident.
Many NFT traders quickly figured out that Azuki’s tweets about the fake “surprise mint” were a sign that the account had been hacked. Within an hour, the official Azuki Twitter account was no longer showing up in Twitter search results, and the malicious tweets had been taken down.
Twitter user’s reaction
Rose, who is in charge of the Azuki Community, quickly confirmed that the Azuki account had been broken into.
The Phantom wallet team has also marked the malicious domains as unsafe, which will warn Phantom wallet users who try to connect to the sites.
Azuki Head of Community and Product Manager Dem said in a Twitter Space an hour after the account was hacked that the Azuki team is in touch with Twitter and trying to get control of the account back. “We’re on top of the situation,” he said
After some time, Rose announced on Twitter that the bad links on the account had been removed; nevertheless, mobile users may still see them.
