The attack is the latest on Discord and a growing concern for the many DAO and NFT communities that live there.
On Monday, CityDAO, the group that bought 40 acres of Wyoming in hopes of “building a city on the Ethereum blockchain,” announced that its Discord server had been hacked and that members’ funds were stolen as a result.
“EMERGENCY NOTICE. A CityDAO Discord admin account has been hacked. NO LAND DROP. DO NOT CONNECT YOUR WALLET,” the project’s Twitter account stated.
CityDAO is a “decentralized autonomous organization” that hopes to collectively govern a blockchain city, offering citizenship and governance tokens in exchange for the purchase of a “land NFT” that grants ownership rights to a parcel of land. Like many other cryptocurrency, NFT, and DAO projects, the CityDAO community lives on Discord, a popular chat service designed primarily for gamers that has become an indispensable part of the crypto ecosystem. On Discord, CityDAO issues announcements and updates, answers questions, hosts its community, and posts alerts about “land drops,” opportunities to purchase NFTs that represent parcels of land.
The attack worked by compromising the Discord account of Lyons800, a moderator, core team member, and early investor, who detailed the attack in a Twitter thread the following day.
First, the attacker posted a doctored screenshot showing a conversation with Lyons800 on another Discord server, claiming that he was scamming people there. Lyons800 offered to prove it wasn’t him and got on a voice call with the scammer, who convinced the moderator to let them inspect his client’s developer console. From there, the scammer read out Lyons800’s Discord authentication token, which was enough to hijack the account outright. In a tweet, Lyons800 described this as “a ridiculous Discord security breach.”
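Why a lifted token is worth more to an attacker than a password is easy to see in code. The following is an added illustration, not Discord’s implementation and not anything from Lyons800’s thread: a toy authentication server in which password and 2FA are checked once at login, and every later request is trusted on the strength of the session token alone. The server key, account name, and credentials are constructed for the example.

```python
import base64
import hashlib
import hmac


class AuthServer:
    """Toy model of a chat service's session handling (constructed for illustration).

    A login requires password + 2FA once; afterwards every request is accepted on
    the strength of the session token alone. That is why a token copied out of the
    victim's client gives an attacker the account without ever touching the
    password or the second factor.
    """

    SIG_LEN = hashlib.sha256().digest_size

    def __init__(self, server_key: bytes, users: dict):
        self.key = server_key
        self.users = users  # user -> {"password", "totp", "session_version"}

    def _mint(self, user: str, version: int) -> str:
        payload = f"{user}:{version}".encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + sig).decode()

    def login(self, user: str, password: str, totp: str):
        """Password and 2FA are checked here, and only here."""
        rec = self.users.get(user)
        if rec is None or rec["password"] != password or rec["totp"] != totp:
            return None
        return self._mint(user, rec["session_version"])

    def authenticate(self, token):
        """Return the user a token belongs to, or None. No password, no 2FA."""
        try:
            raw = base64.urlsafe_b64decode(token)
        except Exception:
            return None
        if len(raw) <= self.SIG_LEN:
            return None
        payload, sig = raw[:-self.SIG_LEN], raw[-self.SIG_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None
        user, _, version = payload.decode().partition(":")
        rec = self.users.get(user)
        if rec is None or not version.isdigit() or int(version) != rec["session_version"]:
            return None
        return user

    def change_password(self, user: str, new_password: str) -> None:
        """Rotating the password bumps the session version, which invalidates
        every outstanding token, the stolen one included."""
        rec = self.users[user]
        rec["password"] = new_password
        rec["session_version"] += 1


def make_server() -> AuthServer:
    # Constructed demo key and account; nothing here is a real credential.
    return AuthServer(
        server_key=b"demo-server-key-not-a-real-secret",
        users={"lyons800": {"password": "correct horse", "totp": "123456",
                            "session_version": 1}},
    )


def token_theft_scenario() -> tuple:
    srv = make_server()
    token = srv.login("lyons800", "correct horse", "123456")  # victim logs in normally
    # Attacker copies the token out of the victim's client and replays it:
    attacker_gets_in = srv.authenticate(token) == "lyons800"
    # A token with a made-up signature fails the HMAC check:
    forged = base64.urlsafe_b64encode(b"lyons800:1" + b"\x00" * AuthServer.SIG_LEN).decode()
    forgery_rejected = srv.authenticate(forged) is None
    # Victim rotates credentials; the stolen token is now dead:
    srv.change_password("lyons800", "a new passphrase")
    stolen_after_rotation = srv.authenticate(token)
    return attacker_gets_in, forgery_rejected, stolen_after_rotation


if __name__ == "__main__":
    print(token_theft_scenario())
```

The practical lesson is the last step: once a token has been shown to anyone, the only remedy is to rotate it (on Discord, changing the password issues a new token), and enabling 2FA afterwards does nothing for the session that is already stolen.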
From there, the scammer launched a webhook attack against CityDAO and against BaconDAO, a group that describes itself as an “investor guild” that educates its members and was co-founded by Lyons800. Webhooks are URLs that let outside services post messages into a Discord channel, and are commonly used for automated announcements and updates.
With control of Lyons800’s account, the attacker used the servers’ webhooks to broadcast fake announcements, posted by the servers’ own bots, carrying malicious links for a bogus CityDAO “land drop” of parcel NFTs.
In the space of a day, the attacker’s wallet received 29.67 ETH (roughly $100,000), and it has continued to receive funds. In the last three days the attacker moved 20 ETH through the Tornado.Cash mixer to hide where the funds ultimately landed, and 11.6 ETH to another address, leaving 14 ETH in the wallet. It is not clear whether all of the funds came from CityDAO investors; the address has been flagged as a scam on the Etherscan explorer.
This is not the first webhook attack used to steal ETH from Discord communities. In October, a 17-year-old stole 88 ETH from the Discord channels of an NFT project called CreatureToadz, but returned it after being publicly exposed.
The ease with which funds were stolen and the community fooled (most of the ETH transfers occurred within the space of an hour) suggests that building a city on the blockchain might not be the smartest endeavor if you are also running everything through a gaming chat app. As Lyons points out, Discord appears to be the weakest link here, since the breach used a trick that bypassed both two-factor authentication and the account password. And yet DAO and NFT projects of all kinds rely on Discord as a trusted way to connect community members, announce updates, organize marketing campaigns, and vote on new proposals for their projects.
“And finally, be careful on @discord with your token and users using non-ASCII characters to spoof usernames,” Lyons warns at the end of his explainer thread. “It is incredibly insecure and there have been multiple exploits like this on different servers. Don’t put yourself at risk!”
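The username spoofing Lyons warns about is something a moderator can check for mechanically. The following is an added example, not code from the article or from CityDAO: it reduces each member name to a “skeleton” (NFKD normalization, accents dropped, case folded, a hand-picked subset of look-alike characters mapped to their Latin counterparts) and flags any name whose skeleton collides with a protected staff handle. The staff list, the confusables table, and the member list are constructed for the example; the full confusables data lives in Unicode TR39, not here.

```python
import unicodedata

# Constructed list of staff handles to protect (assumption; not CityDAO's real roster).
TRUSTED_HANDLES = {"Lyons800", "CityDAO", "BaconDAO"}

# Hand-written subset of look-alike mappings (assumption; Unicode TR39 publishes
# the full confusables table). Keys are lowercase because case folding runs first.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",   # Cyrillic с у х і
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v", "\u03b9": "i",   # Greek ο α ν ι
    "\u0131": "i",                                                # dotless i
    "0": "o", "1": "l", "|": "l",                                  # plain ASCII tricks
}


def skeleton(handle: str) -> str:
    """Reduce a display name to roughly what a human reader perceives."""
    decomposed = unicodedata.normalize("NFKD", handle)   # fullwidth, ligatures -> base chars
    no_marks = "".join(c for c in decomposed if unicodedata.category(c) != "Mn")  # drop accents
    folded = no_marks.casefold()
    return "".join(CONFUSABLES.get(c, c) for c in folded)


def check_handle(handle: str) -> dict:
    sk = skeleton(handle)
    return {
        "handle": handle,
        "skeleton": sk,
        "non_ascii": [c for c in handle if ord(c) > 0x7F],
        "impersonates": sorted(t for t in TRUSTED_HANDLES if t != handle and skeleton(t) == sk),
    }


def flag_spoofs(handles):
    """Return only the members whose name collides with a trusted handle."""
    return [r for r in (check_handle(h) for h in handles) if r["impersonates"]]


SAMPLE_MEMBERS = [            # constructed member list
    "Lyons800",               # the real account
    "Ly\u043ens800",          # Cyrillic о in place of Latin o
    "\uff2cyons800",          # fullwidth L
    "Lyons8OO",               # capital O for zero
    "Lyons800\u0301",         # trailing combining accent
    "alice_dev",              # unrelated, should pass
]

if __name__ == "__main__":
    for r in flag_spoofs(SAMPLE_MEMBERS):
        print(r["handle"], "->", r["impersonates"], "non-ASCII:", r["non_ascii"])
```

Note that the last two sample names contain no non-ASCII characters at all, which is why the check compares skeletons rather than simply rejecting non-ASCII names: a zero-for-O swap fools a reader just as well as a Cyrillic letter does.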
“Discord takes the safety of all users and communities very seriously, including social engineering attacks like this one. While clear controls are in place, we’re always working to make it harder for these attacks to happen and continue to invest in education and tools to help protect our users,” Discord said in a statement to Motherboard. “Our Terms of Service prohibit conduct that is fraudulent, illegal, or harmful to Discord or any other user, and our Trust & Safety team takes action when we become aware of this type of behavior, including banning users and shutting down servers.”
CityDAO did not respond to Motherboard’s request for comment.