Rock and roll icon Ozzy Osbourne recently announced the release of CryptoBatz, an NFT collection of digital bats for collectors to purchase. However, someone from Osbourne’s team accidentally shared a link to a phishing scam on the NFT’s official Twitter page. The improper link sent dozens of supporters to scam sites created to drain cryptocurrency from unsuspecting wallets.
CryptoBatz is a limited series of 9,666 digital bats. They represent the singer’s macabre music and infamous style. Upon their release, CryptoBatz received lots of legitimate press from sites like Billboard, Rolling Stone, and Business Insider. Who knows what sort of value the bats may have fetched under typical circumstances, but the effort certainly didn’t suffer from lack of press, which makes the resulting PR disaster all the more unfortunate.
How the scam worked
The scam was simple. When CryptoBatz tweaked their Discord (an app for digital communities, similar to a chat room) handle to be easier to read, scammers swooped in and turned the original server link into a phishing site. At that point, two URLs existed: a new, legitimate home for the NFT community, and a fake phishing site under the original name. As long as customers used the new link, everything would have been fine.
There was one big problem, though: neither CryptoBatz nor Osbourne himself deleted their old tweets referencing the original URL. In effect, Osbourne was unknowingly directing followers to the bad site, which was controlled by scammers.
One of the CryptoBatz tweets from December received over four thousand retweets and hundreds of replies. So the incorrect site got lots of traction on Twitter. A tech journalism site called The Verge finally alerted the NFT company to their error, prompting a massive apology campaign. But a lot of damage had already been done.
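The stale-link problem described above can be caught with a routine audit of a project's own post history after any invite change. The following is an added example, not code from CryptoBatz or The Verge; the invite codes, post records and field names are constructed placeholders.

```python
import re

# Assumption: the project's current invite code (placeholder, not from the article).
CURRENT_INVITE = "example-new"

# Matches Discord invite links with or without a scheme and captures the invite code.
# The lookbehind stops "fakediscord.gg/..." from being read as a Discord link.
INVITE_RE = re.compile(
    r"(?<![\w.-])(?:https?://)?(?:www\.)?"
    r"(?:discord\.gg/|discord(?:app)?\.com/invite/)([A-Za-z0-9-]+)",
    re.IGNORECASE,
)

def stale_invite_posts(posts, current_code):
    """Return posts that link to any invite code other than current_code,
    ordered by reach so the most-amplified posts are cleaned up first."""
    findings = []
    for post in posts:
        codes = {m.group(1) for m in INVITE_RE.finditer(post["text"])}
        # Deliberately strict: anything not byte-identical to the current code is flagged.
        stale = sorted(codes - {current_code})
        if stale:
            findings.append(
                {"id": post["id"], "retweets": post["retweets"], "stale_codes": stale}
            )
    return sorted(findings, key=lambda f: f["retweets"], reverse=True)

# Constructed sample of an account's exported post history.
POSTS = [
    {"id": 1, "retweets": 4100, "text": "Join the community: https://discord.gg/example-old"},
    {"id": 2, "retweets": 12, "text": "New server link https://discord.gg/example-new"},
    {"id": 3, "retweets": 250,
     "text": "Mint soon! discord.com/invite/example-old and discord.gg/example-new."},
    {"id": 4, "retweets": 3, "text": "No links here"},
]

if __name__ == "__main__":
    for finding in stale_invite_posts(POSTS, CURRENT_INVITE):
        print(f"delete or correct post {finding['id']} "
              f"({finding['retweets']} retweets): {finding['stale_codes']}")
```

Every flagged post should be deleted or corrected before the old invite name is released, since the old name can be claimed by someone else once it is free.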
Victims of the scam were invited to link their cryptocurrency wallets by a phishing bot within Discord. The bot told users that they could not participate in the Discord conversation without linking the wallet, which would never happen at a legitimate site.
Osbourne accidentally promoted the scam, but scams are nothing new
Phishing scams have been around since the beginning of the internet. They are illegal and unsavory, yes, but they also require users to take some sort of atypical action in order to exploit them. In other words, a phishing site can’t hurt you unless you voluntarily give it information. Do lots of due diligence and research before entering personal information into any website, ever, regardless of reason.
“I’ve seen at least a dozen people on Twitter voicing this same issue,” one scam victim told The Verge. “If you look at the transactions on Etherscan, others lost a lot more than me.”
Because cryptocurrency exists on the blockchain, all transactions are visible to the public, no matter the legality of the transaction. The Ethereum ledger shows that the phishing site received around $41,000 in crypto during the scam. The funds were then directed to a wallet with around $150,000 worth of crypto in assets.
Sutter Systems, developing partner of CryptoBatz with Osbourne, refused any blame for the incident, instead directing blame to Discord.
“Although we feel very sorry for the people that have fallen prey to these scams, we cannot take responsibility for the actions of scammers exploiting Discord — a platform that we have absolutely no control over,” a Sutter employee said. “In our opinion this situation and hundreds of others that have taken place across other projects in the NFT space could have easily been prevented if Discord just had a better response/support/fraud team in place to help big projects like ours.”