A phishing attack during an NFT drop overnight has netted the hacker millions of dollars in crypto and NFTs that were illicitly transferred from their victims’ wallets.

The attack occurred during the Aurorian gaming drop on the Solana blockchain. The scammer apparently cloned the Aurory Project website at app.aurory.io and reposted it at aurory.app (which is now inactive).

They then promoted the bogus link at the time of the 1am AEST drop in the Aurory Project’s Discord chat server.

When users clicked the link and gave the fake site permission to their Solana wallet, a malicious contract drained everything.

‘The funds were transferred to the Solana wallet address AUrox7sHx1L8mxEPrNqkVjHa16CXQ73UbgZtZTNPNLjx, which at one point last night contained over 10,600 SOL tokens worth a total of over US$1.1 million.

The wallet was set up a day ago, and while most of the Solana tokens had been moved elsewhere by this morning, the wallet still contained 295 NFTs, including Bold Badgers, Degenerate Apes, real Aurorians and SolBears. Some had been sold on NFT marketplace Solanart earlier this morning.

“Really really sad,” wrote one user, who lost a SolRock. “I feel so stupid… was blinded by the excitement to mind… and i didn’t check the link properly. please learn from my mistake – i hope this never happens to anyone here.”

Another victim lost 1,000 SOL – about US$107,000 worth. “I’m completely wrecked,” they wrote in a message to Paxos vice president Mike Dudas, who shared it on Twitter. “I don’t know what I’m going to do, I’m broken.”

Even crypto professionals were fooled. Two analysts with respected crypto-research firm Messari, Chase Devens and someone who tweets under the name “King Maven,” were among the victims.

Devens wrote that he had felt on top of the world after flipping a Degen Ape for a 70 SOL profit (roughly US$7,500). But hours later he lost it in the scam. “I’m a SOL bull but now have nothing to show for it… At the end of the day the responsibility falls on me,” he tweeted.


500x profit for some flippers

Incredibly, the scam wasn’t the only problem with the launch. A bug in the contract meant that users on the correct website got a deep discount on their  Aurorians, minting them for just 1 SOL (US$107), rather than the 5 SOL (US$535) that the team intended.

The 10,000 NFTs sold out in “under three seconds,” the Aurory Project tweeted.

Those who were able to get one were able to make out like bandits. Aurorians were selling this morning for a minimum of 62 SOL (US$6,634) on Solanart, with numerous sales for over 100 SOL.

Aurorian #2717 had changed hands for 500 SOL (US$53,500) and Aurorian #7692 had traded for 850 SOL ($90,950). This one with a crown was on sale for 10,000 SOL (US$1 million).

The NFTs will be used in a yet to be released game.