Hot Hong Kong NFT project Monkey Kingdom loses $1.8 million in hack, exposing security concerns


Popular non-fungible token (NFT) project Monkey Kingdom, founded by entrepreneurs in Hong Kong and promoted by celebrities such as JJ Lin and Steve Aoki, had its group chat hacked on Tuesday (Dec 21), allowing a cyber thief to steal nearly US$1.3 million (S$1.8 million) worth of cryptocurrencies with a phishing link.

A hacker stole an administrator account of the project’s group chat on Discord, a popular online instant messaging service, and posted a phishing link in the group chat on Tuesday, just as the project kicked off a new sale in earnest. Buyers lost more than 7,000 Solana, a popular cryptocurrency, to the scam, which amounts to nearly US$1.3 million.

Phishing is a common form of online fraud often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. It is now being used to breach access to users’ cryptocurrency wallets.

This is the latest in a series of scams seen in the NFT space in recent months as the popularity of NFTs reaches fever pitch. Sales volume of NFTs surged to US$10.7 billion in the third quarter of 2021, up more than eightfold from the previous quarter, according to data from market tracker DappRadar.

Launched on Nov 27, Monkey Kingdom, which comprises 2,222 digital portraits of the mythical hero Monkey King dressed in different styles, has quickly become one of the most talked-about NFT projects in Asia, with endorsements from celebrities including Steve Aoki, JJ Lin and Ian Chan of the Hong Kong-based boy band Mirror.

In addressing the hack, the project made a post on Twitter on Tuesday, saying: “At 10:00pm HKT when our presale began, our Announcement channel on Discord was hijacked by a bot named ‘Monkey Kingdom’ while our website was experiencing traffic. A discord webhook got compromised and posted a phishing link to the Announcement channel.”


A Monkey Kingdom buyer, whose Twitter handle was “commenstar”, took to the social media platform to share his loss on Tuesday. “Guys I got drained 650 SOL,” the buyer said, “Never thought it was not a legit mint link in [the] official discord [channel].”

On Wednesday, the project announced on Twitter that it has earmarked 7,056 Solana for a “compensation fund” to help refund buyers who were scammed by the hack.

Monkey Kingdom did not immediately reply to a request for comment by the South China Morning Post on Wednesday.

Hong Kong native Andrew Man, a real estate investment professional by day and an NFT enthusiast by night, said that scams have become common occurrences in the world of NFTs as their popularity surges.

“It’s become very common. Almost every week, someone in my WeChat group would say that some NFTs have been stolen,” he said. “A friend of mine lost a plot of land in The Sandbox.” The Sandbox, an NFT-powered video game, sells plots of land in its virtual world to users as NFTs.

He said that phishing links are a common ploy by which thieves can steal from cryptocurrency holders. Some phishing links ask users to share the so-called “seed phrases” to their virtual wallets, which can compromise their wallets.

Founded by a team of eight pseudonymous crypto enthusiasts, Monkey Kingdom represents a new breed of NFT start-ups in Hong Kong.

Monkey Kingdom aims to compete with other popular NFT profile picture projects in the West, such as CryptoPunks and Bored Apes Yacht Club, with a focus on Asia. “We believe in the Monkey Kingdom mission, and will make it a point to champion the Asian voice in the Web 3.0 ecosystem — shining a light on our rich cultures, and sharing it with the world,” the project wrote in a tweet on Tuesday.

This article was first published in South China Morning Post.