August 31, 2021
Part 1 of a Mini Security Series with TRM
The Aurory Project held its first NFT mint today with over 55,000 customers waiting in line. According to the Aurory team, all 10,000 NFTs were minted in less than 3 seconds. What we learned today in real time is that the FOMO around NFT mints is real: buyers sometimes choose between minimal security practices and a locked-down wallet that might cost them the chance to purchase an NFT. Today we saw first hand the many victims who came forward on social media after their SOL was swept from their wallets. TRM is actively tracing the attackers' flows on Solana and Ethereum and will provide leads to law enforcement and industry partners as they become available.
So what happened?
A Twitter user and developer working on a Solana project, @hoaktrades, posted a long thread almost immediately after the Aurory NFT mint was complete. Hoaktrades identified a phishing website that went live right before the true NFT mint. TRM captured a screenshot of the phishing website before it was taken down. To the naked eye, the phishing website looks almost identical to the true Aurory NFT Summer Sales site. Only when the appearance is analyzed after the fact is it clear that the font and layout differ from the original Aurory Summer Sales site.
The details of a phishing site are very easy to overlook during the hype of an NFT launch, and this attacker was also very clever. The project name was spelled exactly as on the legitimate site; only the domain differed (aurory.app versus the genuine app.aurory.io). This was not a case of a misspelled domain: the attacker registered the brand name under a different top-level domain, so a visitor scanning for a typo would find none. The site also served a valid TLS certificate, which may have added to the appearance of legitimacy. A certificate only proves that whoever operates the site controls that domain name; anyone can obtain one for a domain they register, so the padlock says nothing about whether the domain belongs to the project.
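The lesson of aurory.app versus app.aurory.io is that a link has to be checked against the registrable domain the project actually owns, not against how the name looks. The following is an added example written for this post (it is not TRM's or Aurory's code); the allowlist, the `.example` hosts and the sample links are constructed for illustration, and the only real-world fact they encode is the pair of domains described above. Besides the different-TLD case it also covers the official name used as a subdomain of an attacker domain, the official name placed in the URL's userinfo, a plain-http downgrade, and a Cyrillic homoglyph.

```python
"""Decide whether a shared mint link really points at the project's domain.

Added example, not code from the original post. OFFICIAL_DOMAINS and the
sample links below are constructed for illustration.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domain(s) the project controls.
# app.aurory.io is a subdomain of aurory.io; aurory.app is a different domain.
OFFICIAL_DOMAINS = {"aurory.io"}


def normalize_host(url: str) -> Optional[str]:
    """Return the lowercase, IDNA-encoded host of `url`, or None if unusable.

    urlsplit().hostname already strips userinfo ("user@") and the port, so a
    link such as https://app.aurory.io@evil.example/ yields "evil.example".
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".")
    try:
        # Non-ASCII labels (homoglyphs such as Cyrillic 'а') become xn--
        # punycode here and therefore never equal the ASCII official domain.
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None


def is_official(url: str, official=OFFICIAL_DOMAINS) -> bool:
    """True only if the host is an allowlisted domain or a subdomain of one."""
    host = normalize_host(url)
    if host is None:
        return False
    # endswith("." + d) accepts app.aurory.io but rejects evilaurory.io and
    # app.aurory.io.evil.example, whose registrable domain is evil.example.
    return any(host == d or host.endswith("." + d) for d in official)


# Constructed sample links of the kind that circulate during a mint.
SAMPLE_LINKS = [
    "https://app.aurory.io/",               # the real site
    "https://aurory.app/",                  # the lookalike from the post
    "https://app.aurory.io.evil.example/",  # official name as a subdomain
    "https://app.aurory.io@evil.example/",  # official name in the userinfo
    "http://app.aurory.io/",                # downgraded scheme
    "https://app.\u0430urory.io/",          # Cyrillic 'а' homoglyph
]


def audit(links):
    """Map each link to the verdict of is_official()."""
    return {link: is_official(link) for link in links}


if __name__ == "__main__":
    for link, ok in audit(SAMPLE_LINKS).items():
        print("OFFICIAL  " if ok else "SUSPICIOUS", link)
```

Running the block flags every sample except the genuine app.aurory.io link. The check is deliberately an allowlist: a link is trusted only if it resolves to a domain the project published through its own verified channels, which is the same rule the list below asks readers to apply by hand.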
What can you do to protect your NFT investment?
- Create a new burner wallet holding only the estimated amount required for the NFT purchase plus fees.
- Refrain from keeping your investment portfolio in the same wallet you plan to purchase an NFT from.
- Turn off auto-approve in your wallet and consider enabling the auto-lock timer.
- After the NFT purchase, revoke access for all trusted apps.
- Consider using a hardware wallet for enhanced security.
- Do not search Google or other websites for the NFT drop link.
- Only use verified accounts or domains provided directly by the NFT project.
- Do not click any links in Discord chats or download any files that claim affiliation with the NFT drop team.
- Never move to a side channel (a separate Discord server or encrypted chat app) at the request of someone claiming to be customer support or responding to social media threads.
- Never show your secret recovery phrase to anyone offering to provide assistance.
This is the first edition of a two-part Mini Security Series from TRM on best practices to secure your crypto. The next edition will include best practices from TRM's Blockchain Intelligence Team, whose members previously worked at leading cryptocurrency exchanges and in federal and international law enforcement.
With TRM's multi-asset coverage across Solana and Ethereum, our clients can trace the flow of attacker funds in one central location as swaps are executed. TRM has notified our clients of the attack and how it may impact their networks. For further information on how these updates may affect your platform as a TRM partner, or for more information about TRM, please contact us directly at firstname.lastname@example.org.