• Within a single day, the hacker stole 29.67 ETH from the community via webhook
• CityDAO is not the first victim of hacking: Fractal and Monkey Kingdom were also attacked within a month
• Vulnerability: According to Discord, it is working on closing the security gaps
On January 10th of this year, the crypto community CityDAO fell victim to a hacker attack. On Twitter, the “Blockchain City”, which was only founded in July 2021, warned its members against making transactions:
EMERGENCY NOTICE. A CityDAO Discord admin account has been hacked. THERE IS NO LAND DROP. DO NOT CONNECT YOUR WALLET.
– CityDAO (@CityDAO) January 10, 2022
However, it was already too late: according to the news platform VICE, the hacker stole a total of 29.67 ETH (worth $100,000 at the time of the hack) within a single day, most of it in the first hour. In the days that followed he continued to collect ETH and hide it.
The hacker’s modus operandi: a webhook attack via Discord
The hack was carried out through the Discord account of user Lyons800, who is apparently a moderator of the CityDAO Discord channel and a co-founder of “Blockchain City”. Lyons800 confirmed this on Twitter and, like the user Little Lemon Friends whose thread CityDAO linked on Twitter, explained how the attack on him, and through him on the entire CityDAO community, was carried out.
First, the attacker picked a member of the CityDAO Discord (Lyons800) and then joined a second server of which Lyons800 was also a member. By feeding that server false information, the attacker got it to ban Lyons800, after which he contacted Lyons800 under the pretext of getting the ban lifted. In a joint call, he asked his victim to share his screen and open the developer tools (“Inspect Element”) with Ctrl+Shift+I. Through what was visible there, he apparently gained access to the CityDAO founder’s entire Discord account and, in a so-called webhook attack, was able to send a fake announcement about purchase opportunities to the other members of the community.
1. A scammer first chooses one of your team members (the target).
2. Scammer goes into another discord server that the target is in.
3. Scammer tricks the other discord to ban the target by impersonating the target, pretending to scam community members for the other discord.
– Little Lemon Friends (@LittlelemonsNFT) January 3, 2022
4. After seeing the target has been banned from the other discord, scammer then impersonates a mod from that discord & reaches out to the target via dms.
– Little Lemon Friends (@LittlelemonsNFT) January 3, 2022
5. Scammer asks the target to prove innocence.
Since the target sees that he/she was indeed banned from the other discord, leads target to believe that the scammer is a real mod.
– Little Lemon Friends (@LittlelemonsNFT) January 3, 2022
6. Scammer does some social engineering such as fake photoshopped discussions with other discord’s team members about target’s ban.
– Little Lemon Friends (@LittlelemonsNFT) January 3, 2022
7. Scammer gets on a discord call with target. Eventually gets target to screen share. Tells target to open inspect element by pressing ctrl+shift+i.
Inspect element has a discord token that scammer can use to take full control of target’s disc account. ^BYPASSES 2FA + passwords
– Little Lemon Friends (@LittlelemonsNFT) January 3, 2022
CityDAO is not the first victim: Discord appears to be a weakness of the NFT communities
This is the third major hack via Discord within a month: on December 21 last year, the platforms Fractal (a loss equivalent to around 150,000 US dollars, although according to the company those affected are to be refunded) and Monkey Kingdom were attacked by hackers. According to The Verge, members of the Monkey Kingdom community had a total of around 1.3 million US dollars stolen. According to VICE, a 17-year-old hacker stole a total of 88 ETH from members of the CreatureToadz community via Discord back in October.
Peter Day, Senior Manager of Corporate Communications at Discord, was quoted by The Verge in early January as saying on the issue: “Discord takes the security of all users and communities very seriously, which includes such social engineering attacks. Although clear controls are already in place, we will continue to work to make these attacks more difficult and will continue to invest in education and tools to protect our users.”
Olga Rogler / Editor finanzen.net
Image sources: Phongphan / Shutterstock.com, wael alreweie / Shutterstock.com