On Monday, CityDAO, the group that bought 40 acres of Wyoming in hopes of “building a city on the Ethereum blockchain,” announced that its Discord server had been hacked and that members’ funds were successfully stolen as a result.
“EMERGENCY NOTICE. A CityDAO Discord admin account has been hacked. THERE IS NO LAND DROP. DO NOT CONNECT YOUR WALLET,” the project’s Twitter account declared.
CityDAO is a “decentralized autonomous organization” that hopes to collectively govern a blockchain city, offering citizenship and governance tokens in exchange for the purchase of a “land NFT” conferring ownership rights to a plot of land. Like many other cryptocurrency, NFT, and DAO projects, CityDAO’s community lives on Discord, a popular service originally designed for gamers that has become an indispensable part of the crypto ecosystem. On Discord, CityDAO issues announcements and updates, answers questions, hosts a community, and issues alerts for “land drops,” or opportunities to buy NFTs that represent parcels of land.
The attack worked by compromising the Discord account of a moderator, a core-team member and early investor who goes by Lyons800. They detailed the angle of attack in a Twitter thread the following day.
First, the attacker posted a doctored screenshot showing a conversation with Lyons800 in another Discord server, claiming that he was scamming people there. Lyons800 offered to prove it wasn’t him and got on a voice call with the scammer, who convinced the moderator to let them inspect their console. From there, the scammer obtained Lyons800’s Discord authentication token, which let them hijack the account. Because that token represents an already-authenticated session, whoever holds it is logged in as the user without ever being asked for the password or a second factor. In a tweet, Lyons800 described this as “a ridiculous security breach from Discord.”
From here, the scammer launched a webhook attack to exploit CityDAO and BaconDAO, a group that describes itself as an “investors guild” that educates its members, where Lyons800 is a co-founder. Webhooks are best thought of as tools that connect Discord servers to other websites, and are often used to send automated messages and updates.
The hacker used their control of Lyons800’s account and Discord to issue fake announcements across channels with bots that carried malicious links for a fake “land drop” of CityDAO NFTs representing parcels of land.
Within the space of a day, the hacker’s wallet received 29.67 ETH (just shy of $100,000), and has continued receiving funds. In the last 3 days, the hacker has transferred 20 ETH to the Tornado.Cash tumbler to hide where the funds ultimately landed, and 11.6 ETH to another address. 14 ETH remain in the wallet. It is unclear if all of the funds are from CityDAO investors, and the address has been marked as a scam in the Etherscan explorer.
This isn’t the first webhook attack used to steal ETH from Discord communities. In October, a 17-year-old was able to steal 88 ETH from the Discord channels of an NFT project named CreatureToadz, but returned it to avoid being publicly doxxed.
The ease with which funds were stolen and a community duped (most of the ETH transfers occurred in the space of one hour) suggests that building a city on the blockchain might not be the wisest endeavor when you’re also using a gaming chat application to do everything. As Lyons points out, Discord appears to be the weakest link here, since the breach used a ridiculous exploit that bypassed two-factor authentication and his password. And yet, DAOs and NFT projects of all sorts rely on Discord as a way to reliably connect community members, announce updates, organize marketing campaigns, and vote on new proposals for their projects.
“And finally, be careful on @discord with your token and with users using non-ASCII chars to fake usernames,” Lyons warns at the end of his explanatory thread. “It’s extremely insecure and a lot of exploits like this have happened across different servers. Don’t put yourself at risk!”
CityDAO and Discord did not immediately respond to Motherboard’s request for comment.
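The look-alike-username problem Lyons raises is something a server's moderators can check for mechanically. The script below is an added example written for this article (it is not CityDAO's, Discord's or Lyons800's code) and works offline on a constructed list of display names: it reduces each name to a "skeleton" by applying Unicode NFKC normalization (which folds fullwidth and mathematical-alphabet letters back to ASCII), dropping zero-width and combining characters, case-folding, and mapping a hand-picked subset of Unicode confusables to their ASCII look-alikes, then flags any account whose skeleton collides with a trusted moderator's name. The trusted-name list, the sample names and the confusables subset are all assumptions chosen for illustration; a production check would load the full Unicode confusables table.

```python
"""Flag Discord display names that impersonate a trusted moderator using
non-ASCII look-alike characters. Example code written for this article; it is
not CityDAO's, Discord's or Lyons800's code. All sample data is constructed."""
import unicodedata

# Hand-picked subset of look-alike code points (constructed from the Unicode
# confusables data); maps each to the ASCII character it resembles. Extend
# with the full TR39 table for real use. Keys are lowercase because the
# skeleton is case-folded before this map is applied.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03bd": "v",  # GREEK SMALL LETTER NU
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "0": "o",       # ASCII digit/letter look-alikes
    "1": "l",
    "|": "l",
}


def skeleton(name: str) -> str:
    """Reduce a display name to a comparable ASCII-ish skeleton."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    out = []
    for ch in folded:
        # Drop combining marks (Mn) and format characters (Cf), which covers
        # zero-width spaces/joiners and similar invisible padding.
        if unicodedata.category(ch) in ("Mn", "Cf"):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def non_ascii_report(name: str):
    """List the non-ASCII code points in a name, for the moderator's eyes."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
            for ch in name if ord(ch) > 127]


def find_impersonators(names, trusted):
    """Return (name, trusted_name_it_collides_with, reasons) for every name
    that is not itself a trusted account but skeletonizes to one."""
    trusted_by_skeleton = {skeleton(t): t for t in trusted}
    hits = []
    for name in names:
        if name in trusted:
            continue  # the genuine account
        match = trusted_by_skeleton.get(skeleton(name))
        if match is None:
            continue
        reasons = non_ascii_report(name) or ["case or spacing difference only"]
        hits.append((name, match, reasons))
    return hits


# Constructed sample data: one trusted moderator list and a channel's members.
TRUSTED = ["Lyons800", "CityDAO Mod"]
SAMPLE_NAMES = [
    "Lyons800",                     # the real account: skipped
    "Ly\u043ens800",                # Cyrillic small o in place of Latin o
    "\uff2c\uff59\uff4f\uff4e\uff53\uff18\uff10\uff10",  # fullwidth letters
    "\U0001d40b\U0001d432\U0001d428\U0001d427\U0001d42c"
    "\U0001d7d6\U0001d7ce\U0001d7ce",  # mathematical bold letters and digits
    "Lyons8\u200b00",               # zero-width space inserted
    "Lyons801",                     # different name, no collision
    "cityDAO mod",                  # case-only impersonation of the second mod
]

if __name__ == "__main__":
    for name, victim, reasons in find_impersonators(SAMPLE_NAMES, TRUSTED):
        print(f"{name!r} collides with trusted {victim!r}: {reasons}")
```

Running the block prints the five colliding names with the exact code points that make them look like `Lyons800` or `CityDAO Mod`; `Lyons801` is not reported because its skeleton differs. The same skeleton can be stored alongside a server's moderator list so that a newly joined member whose name collides with it is flagged before they can post.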