A Wolf in Ape’s Clothing: How Billions of Dollars Were Stolen from Web3 Communities
And what we're doing to fix it
March 16, 2023
August 16, 2022
Discord hacks are on the rise. In 2022, billions of dollars’ worth of NFTs and cryptocurrency have been stolen across dozens of communities.
Over a 30-day period in June, Bored Ape Yacht Club, OtherSide, Known Origin and more than 103 NFT Discord communities were compromised. According to TRM Labs, more than $22 million USD were hijacked. Discord hacks have resulted in financial loss to the victims and growing distrust within our communities.
This affects us all.
Discord hacks inhibit the growth of Web3. To date, less than 4% of the world’s population owns a crypto wallet. In comparison to the original World Wide Web, 4% of adoption means today is the 1999 of Web1. Web3 is still a baby.
If we are to grow the Web3 movement — to realize our mission to upgrade the Internet, improve coordination, and make real world change — we need to build our communities on an open, secure platform.
At Console, we’re building a Web3 alternative to Discord. Imagine a chat platform: decentralized and open-source, with myriad design and security upgrades. Security is our top priority for Console. To this end, we partnered with IOmergent, a cybersecurity firm out of Washington, D.C., to study the past year of Discord hacks.
In this post, I break down the four most common Discord hacks, and what we’ve learned so we can improve Console. By the end of this article, you’ll understand what you can do to improve your community’s security.
Identity Compromise is at the Root of Nearly All Discord Hacks
Phishing attacks are the leading hack on Discord. But before a phishing hack can take place, the hacker needs to complete another hack: identity compromise.
Discord breaches share a common taxonomy:
- Identity compromise — Hacker gains control of a privileged account via mechanisms such as phishing, password brute force, malware, etc.
- Fake announcement — Hacker emulates the original account’s style, urgently encouraging the audience to click on a malicious URL.
- Funds stolen — Victims, conditioned to move quickly and/or having FOMO, click the link, connecting their crypto wallets to the hacker with permission to take all actions on the wallet. The hacker leverages permissions granted by users to steal the assets.
In March 2022, a hacker used the credential compromise hack to steal funds from the Mutant Ape Kennel Club Discord. Once identity is hacked, it’s easy to drop a link and phish members. From the user’s perspective it appears that they are interacting with the group’s admin — undoubtedly a wolf in ape’s clothing.
Discord relies on bots for Web3 identity verification, and those bots are a weak point in securing identity on Discord. Hackers have shown that if they can compromise the bot’s credentials, they can override identity in the Discord server.
One big reason bots are hacked is that they enlarge the attack surface through which hackers can compromise a community. With bot verification, hackers have two additional points of failure to attack, so Web3 communities have additional security weaknesses to defend.
Four Most Common Web3 Discord Hacks
1. Permissions are Overly Broad
Bots and webhooks add surface area for attack. In the case of Grape Protocol, admin credentials were compromised and used to install a malicious webhook called Spidey Bot. The Grape hack involved an administrator from a third party, who had nothing to do with the project itself other than managing the bot installation.
Takeaway: Discord bots and webhooks may provide value to the community, but it's their overly broad permissions that make them dangerous. The least privilege principle should be applied: only the minimum permissions required for an action should be allowed.
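Added example, not Console’s or Discord’s code: a least-privilege audit of the permissions integer in a bot invite URL, using Discord’s documented permission bit positions. The support-bot “needed” list, the invite URLs and the client_id are constructed placeholders.

```javascript
// Discord permission flags as bit positions (from Discord's API documentation).
const FLAGS = {
  CREATE_INSTANT_INVITE: 0n, KICK_MEMBERS: 1n, BAN_MEMBERS: 2n, ADMINISTRATOR: 3n,
  MANAGE_CHANNELS: 4n, MANAGE_GUILD: 5n, VIEW_CHANNEL: 10n, SEND_MESSAGES: 11n,
  MANAGE_MESSAGES: 13n, EMBED_LINKS: 14n, ATTACH_FILES: 15n, READ_MESSAGE_HISTORY: 16n,
  MENTION_EVERYONE: 17n, MANAGE_ROLES: 28n, MANAGE_WEBHOOKS: 29n,
};
// Permissions a hijacked bot can abuse to take over a server or mass-announce a
// phishing link; a constructed policy list for this example.
const HIGH_RISK = new Set(["ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES",
  "MANAGE_WEBHOOKS", "MANAGE_CHANNELS", "MENTION_EVERYONE", "BAN_MEMBERS"]);

// Read the `permissions=` query parameter of an OAuth2 bot invite as a BigInt.
function permissionsFromInvite(inviteUrl) {
  const raw = new URL(inviteUrl).searchParams.get("permissions");
  return raw === null ? 0n : BigInt(raw);
}

// Turn a permissions bitfield into the names of the set flags; any bits this
// table does not know are reported separately rather than silently ignored.
function decode(bits) {
  const names = Object.entries(FLAGS).filter(([, pos]) => (bits >> pos) & 1n).map(([n]) => n);
  let unknownBits = bits;
  for (const pos of Object.values(FLAGS)) unknownBits &= ~(1n << pos);
  return { names, unknownBits };
}

// Build the minimal permissions integer for a list of flag names.
function encode(names) { return names.reduce((acc, n) => acc | (1n << FLAGS[n]), 0n); }

// Compare what an invite asks for with what the bot actually needs.
function auditInvite(inviteUrl, needed) {
  const granted = decode(permissionsFromInvite(inviteUrl));
  return {
    granted: granted.names,
    excess: granted.names.filter(n => !needed.includes(n)),       // beyond least privilege
    highRisk: granted.names.filter(n => HIGH_RISK.has(n)),        // needs justification
    unknownBits: granted.unknownBits,
    adminBypass: granted.names.includes("ADMINISTRATOR"),         // ADMINISTRATOR implies all
    minimalPermissions: encode(needed).toString(),                // value to put in the invite
  };
}

// Constructed: what a ticket/support bot plausibly needs, and a typical lazy invite.
const SUPPORT_BOT_NEEDS = ["VIEW_CHANNEL", "SEND_MESSAGES", "EMBED_LINKS",
  "MANAGE_CHANNELS", "READ_MESSAGE_HISTORY"];
const LAZY_INVITE = "https://discord.com/oauth2/authorize?client_id=000000000000000000&scope=bot&permissions=8";
```

Flags that are both needed and high-risk (MANAGE_CHANNELS here) are the ones to scope to a single channel category rather than the whole server.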
2. A Bot’s Code is Compromised
The Ticket Tool bot is installed on over 1.7 million Discord servers, reaching 310 million users. Ticket Tool is used by Discord servers to augment channels into a Zendesk-like chat support system. In April 2022, the Ticket Tool bot was exploited due to a flawed update in the bot’s codebase.
Takeaway: When a bot’s code is compromised, Discord communities are at risk.
3. An Employee’s Password is Compromised
MEE6 is Discord’s most popular bot, reaching over 18 million Discord servers and hundreds of millions of users. MEE6 provides additional features to Discord like roles and improved moderation. In May 2022, a hacker stole credentials at MEE6.
Takeaway: If an employee's password is compromised, your Discord community is left vulnerable to a Web3 hack.
4. A Web Wallet is Compromised
You can see two websites above: one is the official site, the other is a knock-off. When I go to connect my wallet, I can see MetaMask pop up. But one of them is legit, and the other is trying to steal my password. Can you spot the differences?
Spotting a URL in your MetaMask means, “STOP! You’re about to be hacked!” The example on the right uses a JavaScript pop-up to fake a MetaMask login, and you can tell because you can see the https address crypto-chicks.app.
Admittedly, this type of hack got me in 2017. I don’t even remember it happening. Fast-forward to a year later, the next time I added fresh ETH to that account, MetaMask immediately sent it out to another wallet.
Takeaway: If you’re a Discord admin and your web wallet gets hacked, your community is also in danger.
How to protect yourself and your community from Discord hacks:
- Use fewer bots: Community admins should consider using fewer bots. With each new bot, your community opens up a larger surface area for attacks.
- Don’t click on minting links in Discord: Minting abstinence (it’s not for everyone). But if you do click, hover over the link and look in the bottom-left corner of your browser to verify that it points where it purports to go.
- Practice safe minting: Advertise the minting process to your community in advance. Provide a standard announcement process which requires a well-protected admin account to make announcements on new NFTs and minting.
- Perform link validation: Create a multi-party acceptance process for approving links. If an admin posts a mint, consider creating a culture whereby two other admins also have to type “verified” below the link (whether on Twitter or Discord) to provide an extra layer of validation.
- Enforce the least privilege principle: Organizational security is just as important as technical security. If you’re an admin, make sure every user in your community only has the minimum privileges necessary in order to fulfill their role.
- Enable two-factor authentication (2FA/MFA): Ensure phishing-resistant MFA (a FIDO hardware key) is enabled for admin accounts (email, file storage, password managers, etc.). If not possible, enable two-factor authentication (2FA/MFA) using an authenticator app (Google Authenticator or Authy) instead of SMS or push notifications.
- Don’t keep large amounts of assets in your web wallet: The less you have exposed to Discord, the less you can lose.
- Never share your seed phrase: Don’t keep your seed phrase on your desktop. Don’t keep it in Evernote. Don’t ever “copy/paste” your seed phrase, as it’s possible for other apps to read from your clipboard. Even though the 90s are back, refrain from tattooing it on your lower back.
- Be aware of what you are signing: Read your MetaMask carefully before you execute transactions. If you’re building apps on Bitcoin with Stacks, the good news is that Hiro Wallet provides native alerts signaling “this transaction is not secure.”
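Added example, not part of the original post: a pre-posting check for the “hover and verify where the link points” and “link validation” items above, run over an announcement before admins approve it. It assumes links are written as markdown-style [text](url) pairs (as in bot embeds) and that the community keeps an allowlist of its official hosts; the hosts used here are constructed.

```javascript
// Constructed allowlist of the community's official hosts.
const OFFICIAL_HOSTS = new Set(["example-mint.app"]);

// Character swaps commonly seen in look-alike domains (a small illustrative table).
const CONFUSABLES = { "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w" };

// Fold look-alike characters so "examp1e-mint.app" compares equal to "example-mint.app".
function normalizeHost(host) {
  let h = host.toLowerCase();
  for (const [fake, real] of Object.entries(CONFUSABLES)) h = h.split(fake).join(real);
  return h;
}

// Hostname of a URL or bare domain, without a leading "www."; null if unparseable.
function hostOf(text) {
  try {
    return new URL(text.includes("://") ? text : "https://" + text)
      .hostname.toLowerCase().replace(/^www\./, "");
  } catch { return null; }
}

// Does the visible link text itself look like a URL or domain the reader would trust?
function looksLikeUrl(text) {
  return /^(https?:\/\/)?[\w.-]+\.[a-z]{2,}(\/\S*)?$/i.test(text.trim());
}

// Findings for one link: where it really goes versus what it shows the reader.
function auditLink(text, href) {
  const findings = [];
  const target = hostOf(href);
  if (!target) return ["unparseable href: " + href];
  // Node's URL parser converts internationalized hostnames to punycode ("xn--").
  if (/(^|\.)xn--/.test(target)) findings.push("punycode host: " + target);
  const shown = looksLikeUrl(text) ? hostOf(text) : null;
  if (shown && shown !== target) findings.push(`text shows ${shown} but link goes to ${target}`);
  if (!OFFICIAL_HOSTS.has(target)) {
    const lookalike = [...OFFICIAL_HOSTS].find(o => normalizeHost(o) === normalizeHost(target));
    findings.push(lookalike ? `look-alike of official host ${lookalike}: ${target}`
                            : "host not on allowlist: " + target);
  }
  return findings;
}

// Extract every [text](url) pair from a message and audit each one.
function auditMessage(message) {
  const report = [];
  for (const m of message.matchAll(/\[([^\]]+)\]\(([^)\s]+)\)/g)) {
    report.push({ text: m[1], href: m[2], findings: auditLink(m[1], m[2]) });
  }
  return report;
}
```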
Phishing causes damage to Web3 communities, and Discord is a major culprit in facilitating these schemes. When designing Console, we knew that if we could protect users from the credential compromise attack, we could protect them from the #1 hack plaguing Discord.
Console’s design protects you from credential compromise hacks.
On Console, every member can sign in directly using their web wallet, and their identity will be queried on the blockchain directly from our app. There’s no need for third-party bots, which removes an entire class of bot-related vulnerabilities.
If you’d like to learn more about how Console can protect your Web3 community, follow us on Twitter @consoledao.
We hope to see you on Console soon!