Ozzy Osbourne NFTs Used to Bite Off Chunk of Crypto Coin

A discarded Discord vanity URL for CryptoBatz was hijacked by cybercriminals to drain cryptocurrency wallets.

Ozzy Osbourne and his famously enterprising wife and manager, Sharon, decided to launch a new non-fungible token (NFT) collection called CryptoBatz — but the rollout was clouded. Scammers quickly found they could use an abandoned vanity Discord URL to drain potential buyers’ crypto wallets.

CryptoBatz launched on Jan. 19 with 9,666 blockchain bats – a nod to the iconic image of the senior Black Sabbath singer biting the head off a live bat during a performance back in the 80s.

“CryptoBatz is a chance to own a completely unique piece of collectible art created by one of the most legendary rock artists of our lifetime,” CryptoBatz crowed on its website. The “bats” can be traded or sold as collectibles, and in a twist, have the ability to take a single “bite” from a token from partner NFTs — to create unique “MutantBatz” that share characteristics of both tokens.


The idea was popular, and CryptoBatz organized a sale via a Discord channel. But a tweak to the CryptoBatz vanity URL used by the company behind the project, Sutter Systems, mistakenly left the old URL active, along with old tweets referencing the abandoned URL.

Soon, scammers had set up a dummy Discord server with the old URL that looked legitimate – and started targeting users and draining their crypto-wallets, according to Malwarebytes Labs. Other fake Discord servers followed.
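The root cause described above is a dangling reference: the project changed its vanity URL, but older public posts kept pointing at a slug the project no longer controlled, so whoever claimed that slug inherited the traffic. A defender-side control is to audit everything the project has published against the slugs it currently owns. The following script is an added example, not code from Sutter Systems, Discord or the original article; the slugs and tweets in it are constructed placeholders, and it assumes Discord vanity slugs compare case-insensitively.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Matches discord.gg/<slug> and discord.com/invite/<slug> style links.
INVITE_RE = re.compile(
    r"https?://(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9_-]+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    post_id: str
    slug: str
    dangling: bool  # True when the slug is no longer one the project controls


def extract_invite_slugs(text: str) -> list[str]:
    """Return every Discord invite/vanity slug referenced in a published text."""
    return [m.group(1) for m in INVITE_RE.finditer(text)]


def audit_posts(posts: Iterable[tuple[str, str]], owned_slugs: set[str]) -> list[Finding]:
    """Compare each slug referenced in (post_id, text) pairs with the owned set."""
    owned = {s.lower() for s in owned_slugs}  # assumption: slugs are case-insensitive
    findings: list[Finding] = []
    for post_id, text in posts:
        for slug in extract_invite_slugs(text):
            findings.append(Finding(post_id, slug, slug.lower() not in owned))
    return findings


def posts_to_retire(findings: Iterable[Finding]) -> list[str]:
    """Posts that still advertise a slug the project no longer owns; delete or edit them."""
    return sorted({f.post_id for f in findings if f.dangling})


# Constructed sample data: hypothetical slugs, not the project's real vanity URL.
OWNED_SLUGS = {"example-bats-new"}
SAMPLE_POSTS = [
    ("tweet-001", "Mint opens soon! Join us: https://discord.gg/example-bats-old"),
    ("tweet-002", "Server moved: https://discord.com/invite/Example-Bats-New"),
    ("tweet-003", "No links here, just hype."),
    ("tweet-004", "Reminder: https://discord.gg/example-bats-old and https://discord.gg/example-bats-new"),
]

if __name__ == "__main__":
    results = audit_posts(SAMPLE_POSTS, OWNED_SLUGS)
    for f in results:
        print(f"{f.post_id}: {f.slug} -> {'DANGLING' if f.dangling else 'ok'}")
    print("posts to delete or edit:", posts_to_retire(results))
```

Run this over an export of the project's tweets, website copy and pinned messages whenever a vanity URL changes; any post listed by `posts_to_retire` should be removed or edited before the old slug becomes claimable, and the old slug should be kept registered by the project where the platform allows it.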

One victim, Tim Silman, told The Verge he was conned out of $300–$400 in Ethereum, but added that others lost much more. Silman told The Verge that the wallet linked to his stolen cryptocurrency had more than $150,000 in it as of Jan. 20.

Sutter Systems, Discord Slow to Respond?

Sutter Systems said that it acted quickly to flag the issue but indicated that Discord dragged its feet in taking down the abused CryptoBatz URL.

“Within minutes of being made aware, Sutter Systems repeatedly reached out to the team at Discord to have the fake server taken down,” Sutter Systems said in a statement provided to Threatpost. “We opened multiple support tickets, elevated to every contact in our network and even put out a Tweet warning people from the official CryptoBatz account.”

But as The Verge pointed out, even after a warning tweet was sent to CryptoBatz users about the phishing scam, Sutter Systems still had the old tweet with the malicious URL posted on its Twitter feed from Dec. 31. Before it was eventually deleted, the NFT’s fake Discord server had already racked up 1,330 members.

Sutter Systems said Discord took down the NFT’s scam server last Friday. Sutter Systems also said that it will continue to work to reimburse ripped-off users: “Since then, Sutter Systems has been connecting with and reaching out to anybody that was affected by the scam and has already reimbursed the majority of people for what was stolen from them by these scammers.”

Sutter Systems added that it would like more support from Discord in handling this kind of abuse, calling similar incidents “way too common.”

Discord’s spokesperson provided a statement to Threatpost highlighting the company’s continued investment in security.

“Discord takes the safety of all users and communities very seriously, including attacks like this one,” the statement said. “While there are clear controls in place, we are always working to make it harder for these attacks to happen and continue to invest in education and tools to help protect our users. Our Terms of Service prohibit conduct that is fraudulent or illegal or otherwise harmful to Discord or any other user, and our Trust & Safety team takes action when we become aware of this kind of behavior, including banning users and shutting down servers.”

Sutter Systems said it will continue to educate users that no one should ever give out their “seed phrase” – i.e., the series of words that acts as the master password for a crypto wallet.

“We would also like to take this opportunity to make clear that Sutter Systems is solely responsible for the management of the CryptoBatz Discord; neither Ozzy or his team were or are involved in this side of CryptoBatz community management,” the statement said.
