On Monday, CityDAO, the group that bought 40 acres of Wyoming in hopes of “building a city on the Ethereum blockchain,” announced that its Discord server had been hacked and that member funds were stolen as a result.
“EMERGENCY NOTICE. A CityDAO Discord admin account has been hacked. NO LAND DROP. DO NOT CONNECT YOUR WALLET,” the project’s Twitter account stated.
CityDAO is a “decentralized autonomous organization” that hopes to collectively govern a blockchain city, offering citizenship and governance tokens in exchange for the purchase of “NFT land” that grants ownership rights to a parcel of land. Like many other cryptocurrency, NFT, and DAO projects, the CityDAO community lives on Discord, a popular chat service designed primarily for gamers that has become an indispensable part of the crypto ecosystem. On Discord, CityDAO posts announcements and updates, answers questions, hosts its community, and issues alerts about “land drops,” opportunities to purchase NFTs representing parcels of land.
The attack worked by compromising the Discord account of a moderator, core team member, and early investor who goes by Lyons800. He detailed the attack in a Twitter thread the next day.
First, the attacker posted a doctored screenshot showing a conversation with Lyons800 on another Discord server, claiming he was scamming people there. Lyons800 offered to prove it wasn’t him and got on a voice call with the scammer, who convinced him to let them inspect his console, the Discord client’s developer tools, where the session token is exposed. From there, the scammer obtained Lyons800’s Discord auth token, which allowed them to hijack the account without ever needing his password or second factor. In a tweet, Lyons800 described this as “a ridiculous Discord security breach.”
From there, the scammer launched a webhook attack against CityDAO and BaconDAO, a group that describes itself as an “investor guild” that educates its members and of which Lyons800 is a co-founder. Webhooks are best understood as connectors between Discord servers and other websites; they are often used to post automated messages and updates into a channel under a bot-style name, and anyone holding the webhook’s URL (or a compromised account with permission to manage webhooks) can post through it.
The hacker used control of Lyons800’s Discord account to broadcast fake announcements, posted as bots into the servers’ channels, carrying malicious links for a fake CityDAO NFT “land drop” of parcels of land.
Within a day, the hacker’s wallet had received 29.67 ETH (roughly $100,000) and has continued to receive funds. Over the last three days, the hacker transferred 20 ETH to the Tornado Cash mixer to obscure where the funds ultimately went, and 11.6 ETH to another address. About 14 ETH remain in the wallet. It is not clear whether all of the funds came from CityDAO investors; the address has been flagged as a scam on the Etherscan block explorer.
This is not the first webhook attack used to steal ETH from Discord communities. In October, a 17-year-old was able to steal 88 ETH through the Discord channels of an NFT project called CreatureToadz, but returned it to avoid being publicly exposed.
The ease with which funds were stolen and the community duped (most of the ETH transfers occurred within the space of an hour) suggests that building a city on the blockchain might not be the smartest endeavor if you are also using a game chat app to do everything. As Lyons points out, Discord seems to be the weakest link here: a stolen auth token is a valid session, so presenting it bypasses both the account password and two-factor authentication. And yet DAO and NFT projects of all kinds rely on Discord as a trusted way to connect community members, announce updates, organize marketing campaigns, and vote on proposals for their projects.
“And finally, be careful on @discord with your token and users using non-ASCII characters to spoof usernames,” Lyons warns at the end of his explanatory thread. “It is incredibly insecure and there have been multiple exploits like this on different servers. Don’t put yourself at risk!”
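The two detection checks a server admin could script against the techniques described above (a rogue webhook posting into a channel, and a display name that spoofs a staff member with look-alike non-ASCII characters), as an added example that is not code from the article, CityDAO, or Discord. It assumes webhook records shaped like Discord’s guild webhook listing (`id`, `name`, `channel_id`); the member names, webhook records, and the small homoglyph table are constructed for illustration and are not exhaustive.

```python
import unicodedata

# Illustrative map of common Cyrillic/Greek look-alikes to Latin letters (constructed, not exhaustive).
HOMOGLYPHS = {
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0445": "x",  # Cyrillic ha
    "\u0443": "y",  # Cyrillic u
    "\u0456": "i",  # Cyrillic byelorussian-ukrainian i
    "\u0458": "j",  # Cyrillic je
    "\u0455": "s",  # Cyrillic dze
    "\u03bf": "o",  # Greek omicron
    "\u03b1": "a",  # Greek alpha
}


def skeleton(name: str) -> str:
    """Reduce a display name to a comparison key.

    NFKD normalisation, then drop combining marks (accents) and format characters
    (zero-width joiners/spaces), fold known homoglyphs to Latin, and casefold.
    Two names with the same skeleton look the same to a human reader.
    """
    out = []
    for ch in unicodedata.normalize("NFKD", name):
        if unicodedata.combining(ch):
            continue
        if unicodedata.category(ch) == "Cf":  # zero-width and other invisible format chars
            continue
        out.append(HOMOGLYPHS.get(ch, ch))
    return "".join(out).casefold()


def find_impersonators(members, staff):
    """Return (member_name, staff_name) pairs where a member's name renders like a staff name but is not it."""
    staff_by_key = {skeleton(s): s for s in staff}
    hits = []
    for m in members:
        target = staff_by_key.get(skeleton(m))
        if target is not None and m != target:
            hits.append((m, target))
    return hits


def audit_webhooks(webhooks, allowlist):
    """Flag webhooks whose id is not on the admin-maintained allowlist.

    `webhooks` is a list of dicts with at least id/name/channel_id, the shape of
    Discord's guild webhook listing. A webhook created by a hijacked admin account
    will not be on the allowlist, even if its name mimics a legitimate bot.
    """
    return [
        (w["id"], w["name"], w["channel_id"])
        for w in webhooks
        if w["id"] not in allowlist
    ]


# Constructed sample data for a stand-alone run.
STAFF = ["Lyons800"]
MEMBERS = [
    "Lyons800",              # the real account
    "Ly\u043ens800",         # Cyrillic o in place of Latin o
    "Lyons\u200b800",        # zero-width space inserted
    "Lyons8OO",              # letters O, visibly different: not flagged
    "someone_else",
]
WEBHOOKS = [
    {"id": "1", "name": "CityDAO Announcements", "channel_id": "100"},
    {"id": "2", "name": "CityDAO Announcements", "channel_id": "100"},  # same name, unknown id
]
ALLOWLIST = {"1"}

if __name__ == "__main__":
    print("impersonators:", find_impersonators(MEMBERS, STAFF))
    print("unexpected webhooks:", audit_webhooks(WEBHOOKS, ALLOWLIST))
```

The webhook check keys on the webhook id rather than its name because Discord lets the poster choose the displayed name per message, so a name match proves nothing; the username check deliberately folds accents, invisible characters, and look-alike letters before comparing, which is exactly the class of spoofing the thread warns about.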
“Discord takes the security of all users and communities very seriously, including social engineering attacks like this one. While clear controls are in place, we are always working to make it harder for these attacks to happen and continue to invest in education and tools to help protect our users,” Discord said in a statement to Motherboard. “Our Terms of Service prohibit conduct that is fraudulent, illegal, or harmful to Discord or any other user, and our Trust & Safety team takes action when we become aware of this type of behavior, including banning users and shutting down servers.”
CityDAO did not respond to Motherboard’s request for comment.
This article has been updated with a statement from Discord.