Yesterday saw yet another example of a crypto-centric Discord being hacked and users losing NFTs and cryptocurrencies. Is Discord one of the biggest vulnerabilities in crypto currently?
I want to caveat this by saying I am a huge fan of Discord and an early adopter of the platform. Furthermore, Token Gamer uses our Discord server as a hub for our community and I wouldn’t want to change that.
Nevertheless, we have seen a trend in the last year that cannot be ignored: Discord servers being the vehicle for hacks. That is, organizations losing control of their own servers or admins losing access to their accounts. This week, we saw yet another high-profile example.
Yuga Labs Has Discord Hacked: An Estimated 200 ETH Stolen
Our Discord servers were briefly exploited today. The team caught and addressed it quickly. About 200 ETH worth of NFTs appear to have been impacted. We are still investigating, but if you were impacted, email us at firstname.lastname@example.org.
— Bored Ape Yacht Club (@BoredApeYC) June 4, 2022
The story is a familiar one: the admin of a major crypto Discord lost control of their account, however briefly, and scammers used the admin’s role to post a phishing link. Yuga Labs, of Bored Ape Yacht Club fame, is the server in question. Community manager Boris Vagner’s account was compromised, and the result was heavy losses.
The pattern is consistent: scammers target admin accounts on popular blockchain games and NFT projects, take them over, and post phishing links to fake airdrops, giveaways, and whitelists. The admin role acts as social proof that whatever is being shared is trustworthy, and too few people take the time to read what the transaction they are signing actually lets the contract do. In this instance, an estimated 200 ETH worth of NFTs was taken from users who clicked the link.
This is the third time in three months that BAYC has been targeted and its Discord servers exploited, and it is far from alone. Blockchain games suffer similar fates on nearly a weekly basis, regardless of their size or fame; if BAYC’s Discord can be a repeat victim, no one is immune.
Last year there were several major scams and myriad smaller examples, but few came near Phantom Galaxies’ hack. After an admin lost control of their account, a scammer posted a link to a fake minting event for the highly anticipated game. Every “mint” cost 0.1 ETH, which went to the scammer’s wallet; 265 ETH was sent in total, roughly $1.1m at the time. The studio behind Phantom Galaxies is a subsidiary of the omnipresent blockchain gaming organization Animoca Brands, which covered the losses for the game’s community members.
Who Is at Fault in These Hacks?
The fault, of course, lies at the feet of the scammers. But, we can’t stop the unscrupulous from being unethical, greedy, heartless pond scum, and so we have to work out how to combat them.
The kneejerk reaction of many appears to be that Discord is not equipped for web3 and we need something better; I disagree. The links sent in these phishing expeditions could be sent anywhere — one of the BAYC hacks was conducted partially via Instagram, for instance. The issue on the Discord end is admins losing control of their accounts. Although no one can be sure, I would bet that 2FA isn’t enabled on the accounts that become compromised. Discord’s server settings also include an option to require 2FA for members with moderation permissions, so a project can enforce this for every admin rather than trust each of them to switch it on.
This isn’t to say Discord is perfect: there has been a lot of discussion in the Token Gamer community about being able to authorize third-party applications against an already-signed-in account without having to enter credentials again, though this is far from exclusive to Discord.
The primary issue is how quickly and carelessly people sign transactions in a FOMO-infused desperation to claim something. Yes, we need to normalize every user taking their time to read what they are signing and being more careful, but it is also the responsibility of everyone involved in web3 to protect the most vulnerable.
I’m neither a security expert nor a developer so my suggestions are worth naught, but even from a layman’s perspective there are obvious paths to improving the situation. Wallets could show a pop-up, for instance, that summarizes in plain English the permissions a transaction grants before the user signs it.
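A pop-up of that kind has to work out what a transaction actually authorises before it can describe it. The following is an added example, not code from this post or from any wallet: it decodes the calldata of the standard ERC-20/ERC-721 calls a drainer link typically asks a victim to sign (`setApprovalForAll`, `approve`, `transferFrom`/`safeTransferFrom`) and renders each as one sentence with a risk level, treating anything it does not recognise as a warning in itself. The four function selectors are the standard ABI ones; the collection and drainer addresses, the ETH values and the `encode_call` helper are constructed for the demo and are not real contracts.

```python
"""Plain-English summary of what signing a transaction would let a contract do.

Added example, not code from the Token Gamer post or from any wallet. The
selectors are the standard ERC-20/ERC-721 ones; every address, value and
piece of calldata below is constructed for the demo.
"""
from dataclasses import dataclass

# Function selector (first 4 bytes of keccak256 of the signature) -> signature.
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
}
UINT256_MAX = 2**256 - 1


@dataclass
class Summary:
    risk: str   # "high", "medium", "low" or "unknown"
    text: str   # the sentence the pop-up would show


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    chunk = data[4 + 32 * i: 36 + 32 * i]
    if len(chunk) != 32:
        raise ValueError("calldata is shorter than the ABI requires")
    return chunk


def _addr(word: bytes) -> str:
    if any(word[:12]):
        raise ValueError("address word has non-zero padding")
    return "0x" + word[12:].hex()


def _uint(word: bytes) -> int:
    return int.from_bytes(word, "big")


def summarize(to: str, value_wei: int, calldata_hex: str) -> Summary:
    """Explain a transaction to contract `to` carrying `value_wei` and `calldata_hex`."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    eth = f" and sends {value_wei / 1e18:g} ETH" if value_wei else ""
    if not data:   # plain value transfer, no contract call
        return Summary("low", f"Sends {value_wei / 1e18:g} ETH to {to}; grants no permissions.")
    sel = data[:4].hex()
    try:
        if sel == "a22cb465":
            operator, approved = _addr(_word(data, 0)), bool(_uint(_word(data, 1)))
            if approved:
                return Summary("high", f"Lets {operator} move EVERY token you own in collection "
                                       f"{to}, now and in the future, without asking again{eth}.")
            return Summary("low", f"Revokes {operator}'s permission over collection {to}{eth}.")
        if sel == "095ea7b3":
            spender, amount = _addr(_word(data, 0)), _uint(_word(data, 1))
            if amount == UINT256_MAX:
                return Summary("high", f"Lets {spender} take an UNLIMITED amount of {to} tokens{eth}.")
            if amount:
                # Same selector for ERC-20 (amount) and ERC-721 (token id), so say both.
                return Summary("medium", f"Lets {spender} take token #{amount} (or up to {amount} units) of {to}{eth}.")
            return Summary("low", f"Revokes {spender}'s allowance on {to}{eth}.")
        if sel in ("23b872dd", "42842e0e"):
            src, dst, token = _addr(_word(data, 0)), _addr(_word(data, 1)), _uint(_word(data, 2))
            return Summary("high", f"Immediately moves token #{token} of {to} from {src} to {dst}{eth}.")
    except ValueError as e:
        return Summary("unknown", f"Malformed call to {to} ({e}); do not sign.")
    return Summary("unknown", f"Calls unrecognised function 0x{sel} on {to}{eth}; this tool cannot explain it.")


def encode_call(selector_hex: str, *args) -> str:
    """Build demo calldata: selector + 32-byte words (bool/int -> uint256, str -> address)."""
    out = bytes.fromhex(selector_hex)
    for a in args:
        if isinstance(a, (bool, int)):
            out += int(a).to_bytes(32, "big")
        else:
            out += bytes.fromhex(a.removeprefix("0x")).rjust(32, b"\0")
    return "0x" + out.hex()


# Constructed placeholders: an NFT collection and the scammer's drainer address.
COLLECTION = "0x" + "11" * 20
DRAINER = "0x" + "bb" * 20

if __name__ == "__main__":
    demo = [
        (COLLECTION, 0, encode_call("a22cb465", DRAINER, True)),       # the classic NFT drainer approval
        (COLLECTION, 0, encode_call("095ea7b3", DRAINER, UINT256_MAX)),  # unlimited token allowance
        (DRAINER, 10**17, "0x"),                                        # a plain 0.1 ETH "mint fee"
        (DRAINER, 10**17, encode_call("deadbeef", 1)),                  # constructed unknown call + fee
    ]
    for to, value, data in demo:
        s = summarize(to, value, data)
        print(f"[{s.risk.upper():7}] {s.text}")
```

The useful property for a user is that the wallet says "EVERY token you own" or "UNLIMITED" rather than showing a hex blob, and that an unrecognised call is reported as such instead of silently passed through. A production version would still need to fetch the collection's name on-chain and would have to cover off-chain signature requests (marketplace listings), which drainers also use and which this example does not decode.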
Who do you think is most at fault, aside from the vile creatures behind the scams? What would you propose as a solution? Let us know your thoughts.