BearX Discord Compromised: Fake Mint Steals ~90 ETH from Unwary Investors; Our Transparent Security Policy

HungryBunz NFTs
Oct 27, 2021

First, let’s break down exactly what we know so far about this incident, so that we can discuss how to navigate the space safely without unnecessary worry, and explain what we’re doing on our end to ensure the security of our entire community.

What Happened?

A new NFT project named “BearX” (@bearx_NFT) was allegedly hijacked yesterday, October 26, 2021. The result? Those who allegedly took control amassed over 89 ETH, worth about $360k today.

According to statements from the BearX team, their Discord was compromised. The attacker then posted a fraudulent announcement to the community claiming that the mint date for the project had been moved up, and directed users to mint the NFTs earlier than expected. When users went to mint, their funds were stolen.

BearX’s Twitter account was also compromised in the attack, strongly suggesting that one or more of the server’s administrators fell victim to a phishing attack that stole the password they were using across Discord, Twitter, and other platforms. Without 2FA in place on the admin accounts, or reasonable checks and balances, the attacker was able to defraud investors into sending their ETH to a private wallet.

Here’s What We’re Doing To Stay Safe:

With this in mind, we think it is appropriate to take additional measures to protect our team’s accounts. All six public-facing members of the HungryBunz team, unlike the BearX admin, are technically savvy enough not to fall for a phishing attack of this sort, but we are going to implement more robust policies to assure our community that procedure and policy will protect against human fallibility.

Here is the complete list of security measures we will take, or are already taking, to keep our community safe:

  • Team members must enable two-factor authentication on their Discord accounts.
  • All of our official social media accounts are managed by different team members, who use unique passwords which we have not shared with one another. Should one team member’s account be compromised, the remaining majority will take swift action to alert members of the issue, and intervene to stop the spread of misinformation.
  • Team members will switch their DM settings on Discord to “Friends Only” effective immediately. We realize that this means we will not have the ability to read and respond to DMs from community members, but feel that it is in the best interests of the community.
  • We have connected with a developer who produces anti-phishing bots for Discord to see about the feasibility of implementing a bot to constantly monitor our server for fraudulent links, and immediately remove any content which seeks to mislead our user base.
  • We will continue to keep access to our Discord server limited to minimize the ability of bad actors to infiltrate our server.

Here’s What You Can Do:

  • Don’t click on links from people you don’t know.
  • Fact-check everything you see on any project’s Discord against its official website and Twitter account.
  • Whenever you mint an NFT, make sure that it says “Contract Interaction,” and not “Sending Ethereum.”
  • The NFT space is home to a ton of helpful, friendly people. Try to link up with other NFT collectors who may be able to help you investigate projects before you click that mint button.
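
The “Contract Interaction” versus “Sending Ethereum” check, combined with fact-checking against the official website, can be expressed in code. This is an added example, not code from HungryBunz or from any wallet: it assumes a contract interaction means the recipient has contract code and the request carries function call data, and `reviewMintRequest`, its parameters and every sample value are hypothetical.

```javascript
// Added example (not from the original post). Addresses, calldata and
// bytecode below are constructed sample values.
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// tx: the request a mint page hands to the wallet (to, value, data).
// officialContract: address published on the project's official site
//   (hypothetical parameter name).
// codeAtTo: result of an eth_getCode lookup for tx.to ("0x" = no contract).
function reviewMintRequest(tx, officialContract, codeAtTo) {
  if (!tx.to || !ADDRESS_RE.test(tx.to)) {
    return { kind: "invalid", warnings: ["missing or malformed recipient"] };
  }
  const data = (tx.data || "0x").toLowerCase();
  const hasCalldata = data.length >= 10; // "0x" + 4-byte function selector
  const hasCode = typeof codeAtTo === "string" && codeAtTo.length > 2;
  const warnings = [];
  if (!hasCode) warnings.push("recipient is a plain wallet, not a contract");
  if (!hasCalldata) warnings.push("no function call: this only sends ETH");
  if (tx.to.toLowerCase() !== officialContract.toLowerCase()) {
    warnings.push("recipient is not the officially published contract");
  }
  const kind = hasCode && hasCalldata ? "contract-interaction" : "plain-transfer";
  return { kind, warnings };
}

const OFFICIAL = "0x1111111111111111111111111111111111111111";
const OTHER = "0x2222222222222222222222222222222222222222";
const CALLDATA = "0xa0712d68" + "1".padStart(64, "0"); // selector + one argument
const CODE = "0x6080604052"; // truncated sample bytecode
const VALUE = "0x11c37937e08000"; // sample amount in wei

const samples = {
  // Contract call to the published address: no warnings.
  genuineMint: reviewMintRequest({ to: OFFICIAL, value: VALUE, data: CALLDATA }, OFFICIAL, CODE),
  // Plain ETH send to a private wallet, as in the fake mint: three warnings.
  fakeMint: reviewMintRequest({ to: OTHER, value: VALUE, data: "0x" }, OFFICIAL, "0x"),
  // A contract call to an unpublished address still earns a warning.
  unknownContract: reviewMintRequest({ to: OTHER, value: VALUE, data: CALLDATA }, OFFICIAL, CODE),
};
console.log(JSON.stringify(samples, null, 2));
```

The third sample shows why the wallet label should be read together with the address check: a request can be a contract interaction and still go to a contract the project never published.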

HungryBunz NFTs

HungryBunz is an upcoming series of ERC-721 tokens inspired by our desire to create innovative collectibles and tech to which people can relate.