Axie Infinity targeted in another hack, this time via Discord bot
Axie Infinity announced that hackers compromised the MEE6 Bot to add permissions for a fake Jiho account.
Axie Infinity has announced on its Twitter page that there was a compromise of the MEE6 bot on its Discord server. The MEE6 team has denied that there was an attack on its bot.
The MEE6 bot is quite popular on Discord, with many servers using it for automating messages and other functions.
Axie Infinity said on May 18 that the attackers compromised the bot and used it to add permissions for a fake Jiho account which they subsequently used to post a phony mint announcement.
1/ There was a compromise of the Mee6 bot which was installed on the main Axie server. The attackers used that bot to add permissions to a fake Jiho account, which then posted a fake announcement about a mint.
— Axie Infinity (@AxieInfinity) May 18, 2022
Fortunately, the developers discovered it quickly. They removed the compromised bot and deleted the messages. According to the gaming platform, it'll never do a surprise mint and usually announces all such events on Twitter, Facebook, Discord, and Substack.
However, it also said that some users might still be able to see the deleted messages until they restart their Discord. At least one user claims to have lost an NFT and Domain due to the hack.
Axie says others suffered same exploit
Axie Infinity stated that the compromise isn't particular to its server and that many servers with MEE6 Bot have faced similar issues before. Cool Cats, RTFKT, PXN, PROOF/Moonbirds, and Memeland have all reported a compromise of their admin accounts due to the bot.
4/ This was not unique to Axie and happened to many servers with the Mee6 bot installed.
— Axie Infinity (@AxieInfinity) May 18, 2022
According to those familiar with Discord security, the hackers likely attacked admin accounts first. Then they created a reaction role using the MEE6 bot, which granted the admin role to another account.
By doing this, they could send webhook messages without revealing the compromised administrator account.
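A defensive check for the pattern described above, as an added example that is not from the article, Axie Infinity or MEE6: it scans an exported Discord audit log for privileged roles granted by a bot and for webhooks then created by the newly elevated member. The roles, ids and log entries are constructed sample data; field names follow Discord's audit log entry and role objects.

```python
# Added example: constructed data; field names follow Discord's audit log and role objects.
ADMINISTRATOR = 1 << 3        # Discord permission bits
MANAGE_ROLES = 1 << 28
MANAGE_WEBHOOKS = 1 << 29
PRIVILEGED = ADMINISTRATOR | MANAGE_ROLES | MANAGE_WEBHOOKS

MEMBER_ROLE_UPDATE = 25       # audit log action types
WEBHOOK_CREATE = 50


def find_suspicious(entries, roles, bot_ids):
    """Return findings for bot-applied privileged role grants and follow-on webhooks."""
    privileged = {r["id"] for r in roles if int(r["permissions"]) & PRIVILEGED}
    elevated, findings = set(), []
    # Snowflake ids increase with time, so sorting by id gives chronological order.
    for e in sorted(entries, key=lambda e: int(e["id"])):
        if e["action_type"] == MEMBER_ROLE_UPDATE and e["user_id"] in bot_ids:
            for change in e.get("changes", []):
                if change["key"] != "$add":
                    continue
                names = [r["name"] for r in change["new_value"] if r["id"] in privileged]
                if names:
                    elevated.add(e["target_id"])
                    findings.append(("bot_granted_privileged_role", e["target_id"], names))
        elif e["action_type"] == WEBHOOK_CREATE and e["user_id"] in elevated:
            findings.append(("webhook_by_newly_elevated_member", e["user_id"], e["target_id"]))
    return findings


# Constructed sample: role list and audit log entries (all ids are made up).
ROLES = [
    {"id": "10", "name": "Admin", "permissions": str(ADMINISTRATOR)},
    {"id": "11", "name": "Holder", "permissions": "1024"},  # VIEW_CHANNEL only
]
BOT_IDS = {"500"}  # user id of the automation bot (assumed known to the server owner)
AUDIT_LOG = [
    {"id": "9001", "action_type": 25, "user_id": "500", "target_id": "700",
     "changes": [{"key": "$add", "new_value": [{"id": "11", "name": "Holder"}]}]},
    {"id": "9002", "action_type": 25, "user_id": "500", "target_id": "701",
     "changes": [{"key": "$add", "new_value": [{"id": "10", "name": "Admin"}]}]},
    {"id": "9003", "action_type": 50, "user_id": "701", "target_id": "800",
     "changes": [{"key": "name", "new_value": "Announcements"}]},
    {"id": "9004", "action_type": 25, "user_id": "600", "target_id": "702",
     "changes": [{"key": "$add", "new_value": [{"id": "10", "name": "Admin"}]}]},
]

if __name__ == "__main__":
    for finding in find_suspicious(AUDIT_LOG, ROLES, BOT_IDS):
        print(finding)
```

The rule is deliberately narrow: the last sample entry, a privileged grant made by a human account, is not flagged and would need separate review.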
MEE6 denies any hack
MEE6 has denied the claim of a compromise on its Discord server. It said there was no compromise of any NFT community due to its bot.
"We have not been contacted by any real community owners at the time of this message, nor via Discord or any other Support Communication Channels. We have checked the situations with our engineers, and no data of unusual activities have been spotted," the statement reads.
Axie Infinity recently suffered an exploit where hackers stole more than $600 million in its native token AXS. The token has struggled since the exploit, even after the company raised new funds to refund the users.
Users' confidence has dropped and continues to go down due to delays and increasing security concerns. AXS is currently trading at $21.6 from an ATH of $164.9 in November 2021.