Incident Summary - Discord Compromised (2023-07-17)

Incident Summary

At 0:19 AEST a moderator’s Discord account was compromised, leading to permissions being changed, users banned, and a scam announcement posted in the #protocol channel.

Detection

The incident was detected very quickly by the community, and the community manager was alerted at around 0:28 AEST.

Impact

The intruder proceeded to:

  • Lock and change permissions on channels so no messages could be sent
  • Disable Wick
  • Ban Kron
  • Ban Rocket Scientists
  • Ban other members
  • Post a scam announcement about a fake airdrop in the #protocol channel

Response / Recovery

The community manager (the first responder) and the owner of the compromised account reached out to other team members and started containing the impact. They removed the scam announcement and revoked all other logins.

With the situation seemingly stabilised but the full extent of the compromise unknown, the priority was to maintain the status quo without risking any further attacks. Reinstating some banned accounts could be done manually, but restoring the remaining server permissions and roles took several hours to complete.

Timeline

At 0:19 AEST, a moderator’s Discord account was compromised
At 0:20 AEST, permissions changed on channels, Kron and Rocket Scientists banned
At 0:26 AEST, more permissions changed on channels and channels locked
At 0:28 AEST, community alerted the first responder (community manager), who reached out to other team members and started containing the impact
At 0:29 AEST, first responder immediately removed the scam announcement and re-established some permissions over the channels
At ~0:38 AEST, community started spreading the word on Twitter
At 0:39 AEST, more community members banned by intruder
At 0:43 AEST, more community members banned by intruder
At 1:17 AEST, first responder started unbanning community members
At 5:53 AEST, other admins became available to help with the server permission fixing
At 6:16 AEST, permissions reset for various channels and remaining members unbanned

Root Cause

At this stage the exact attack vector is unknown, but a malicious or compromised public wifi network is a likely culprit. Every moderator has 2FA in place, so the likely cause is session hijacking, either through a compromised wifi network (on mobile) or, less likely, an open Discord session on a sleeping laptop.

Further investigation is being conducted to gain more knowledge of the possible attack vector and ensure it cannot be used again.

Lessons Learned / Corrective Actions

What went well?
The incident was detected very quickly and the scam announcement was removed. Containment was conducted efficiently and carefully. The community did an amazing job of spreading the word on Twitter and generally watching out for each other.

What could be improved?
From a security perspective, the following corrective actions have been identified during root cause analysis:

  • Do not use public wifi networks; use phone data instead, or ensure a mobile VPN is in use
  • Close open Discord sessions at the end of the day

Although the community alerted the community manager quickly and the incident was dealt with swiftly, our out-of-hours contact procedures could be improved.

10 Likes
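As an added illustration of the detection gap the report describes (this is not part of the original post and not the team's own tooling): a small Python script that flags an account performing several bans, channel permission changes or bot removals within a short window, run over constructed audit-log style events modelled on the timeline above. The action names, account labels and the 10-minute/3-action thresholds are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed audit-log style events modelled on the timeline in the summary
# (clock times are AEST on 2023-07-17). These are NOT real Discord export data;
# action names and account labels are assumptions for the example.
EVENTS = [
    ("00:20", "mod_account", "member_ban", "Kron"),
    ("00:20", "mod_account", "member_ban", "Rocket Scientists"),
    ("00:20", "mod_account", "channel_overwrite_update", "#protocol"),
    ("00:26", "mod_account", "channel_overwrite_update", "#general"),
    ("00:26", "mod_account", "channel_overwrite_update", "#support"),
    ("00:27", "mod_account", "bot_remove", "Wick"),
    ("00:39", "mod_account", "member_ban", "user1"),
    ("00:43", "mod_account", "member_ban", "user2"),
    ("09:15", "other_mod", "member_ban", "spammer"),  # routine single ban, no alert
]

# Actions a takeover typically chains together; a burst of these from one
# account is the signal an out-of-hours pager should fire on.
HIGH_RISK = {"member_ban", "channel_overwrite_update", "bot_remove"}

def detect_bursts(events, window_minutes=10, threshold=3):
    """Return one (actor, first_time, count) alert per actor whose high-risk
    actions reach `threshold` inside a sliding window of `window_minutes`."""
    alerts = []
    recent = {}      # actor -> deque of timestamps still inside the window
    alerted = set()  # alert once per actor so a long burst does not spam
    for ts, actor, action, _target in events:
        if action not in HIGH_RISK:
            continue
        t = datetime.strptime(ts, "%H:%M")
        q = recent.setdefault(actor, deque())
        q.append(t)
        # drop events that have aged out of the window
        while q and t - q[0] > timedelta(minutes=window_minutes):
            q.popleft()
        if len(q) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append((actor, q[0].strftime("%H:%M"), len(q)))
    return alerts

if __name__ == "__main__":
    for actor, start, n in detect_bursts(EVENTS):
        print(f"ALERT: {actor} performed {n} high-risk actions starting {start}")
```

On the constructed events the first alert fires at 00:20, the moment the third high-risk action lands, which is eight minutes before the community reached the first responder in the real timeline.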

Thanks for the Summary.
Do you have a copy of the scam announcement to share?

I find it unlikely that public wifi usage can result in session token compromise, as I believe the Discord traffic is encrypted (I hope?). Although there are many easy-to-grab tools out there for stealing the session token using malware or well-crafted links (e.g. Blank-Grabber, Creal-Stealer).

The fast response time is commendable! Thanks, as always, for providing an incident report.

@langers would you be able to tell us which users in particular were banned? Please feel free to reach out via DM if you feel that’s best.

1 Like

Seemed like it was anyone that talked recently

I don’t really want to post it here, but I know Jasper posted an image on Twitter. We did analyse the scam website and on-chain activity, and it was set up ~24 hours before the Discord activity.

Yes, malware or a link is most likely. Although the compromised user is not aware of anything - we have also thought about PDFs, which are pretty notorious.

We have taken precautions from a habits and Discord configuration perspective.

Thank you for helping and reaching out.

Kron and then the Rocket Scientists got banned first. Not sure what the pattern was after that, but as @Valdorff said, it looks like anyone talking at the time. That would make sense if you are trying to push a scam and stop the community from reacting.