Fractal, a marketplace for game NFTs, was hit by a scam on Tuesday morning. Buyers hoping to get a limited-edition NFT from Fractal were given an unpleasant and costly surprise that morning when it was revealed that a link sent through the project’s official Discord channel was a scam set up to steal crypto.

Users who used the link and connected their crypto wallets to receive an NFT, instead found that their holdings of Solana (SOL) crypto were emptied and transferred to the scammer’s account. An analysis performed by Tim Cotten and posted on Medium, estimated the value of SOL stolen to be around $150K.

Fractal is a startup project from Twitch co-founder Justin Kan. It is specialized in buying and selling NFTs that represent the in-game assets. It was declared at the beginning of this month and quickly amassed more than 100K users through Discord. This made it a target for scammers that have plagued NFT projects since the beginning.

News got to Twitter when a tweet from Kan informed followers that the announcements bot on Fractal’s Discord server had been hacked. Another tweet from Fractal’s Twitter account confirmed that a fraudulent link had been posted through the channel.

The attack took advantage of users hoping to mint NFTs, the term given to buying tokens at the moment when they are first created by a given project, rather than buying them on the secondary market at a later date.

Though the post from the Discord bot was fake, Fractal’s Twitter account had posted a tweet just hours earlier hinting at an upcoming airdrop: a process where a crypto project distributes several tokens, usually to users who are early adopters. Since demand for token mints and airdrops is often very high, the pressure for users to move fast when snap announcements are made creates an attack vector that scammers are all too happy to exploit.

While the cryptography behind cryptocurrencies and NFTs is highly secure, the vast network of websites and applications that comprise the broader crypto ecosystem contains many possible vectors for attack.

A tweet from Fractal’s account suggested that the fraudulent message had been posted to Discord via a Webhook. Webhooks are a feature of web application design that lets an application listen for a message sent to a particular URL and trigger an event in response — for example, posting to a certain Discord channel.

If a Webhook is not secured with additional authentication measures, effectively anyone with the URL can post to the channel. It is not clear what, if any, precautions were taken by the team behind Fractal to prevent this from happening.

In the wake of the hack, a blog post from Fractal announced that victims who had lost money would be fully compensated. While apologizing briefly, the blog post also appeared to put some of the onus for security onto followers of the project, saying:

“If something doesn’t feel right in crypto, please don’t proceed, even if at first it looks legitimate. We must use our best judgment as there’s no ‘undo button’ in crypto.”

Fractal had not responded to a request for comment sent through the company’s official contact form at the time of press.


If you stay vigilant and aware of what scams are, and how to recognize them, you’ll surely keep yourself safe when investing in NFTs.

If you are interested in learning more about NFT License Agreements or require legal assistance in connection with preparing your customized NFT license agreement, feel free to reach out to us and our expert attorneys will contact you in no time!

Note that the information mentioned in this article is not a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice and the knowledge of an experienced attorney.

Legally Yours,