On Monday, CityDAO—the group that bought 40 acres of Wyoming in hopes of "building a city on the Ethereum blockchain”—announced that its Discord server was hacked and members' funds were successfully stolen as a result.
"EMERGENCY NOTICE. A CityDAO Discord admin account has been hacked. THERE IS NO LAND DROP. DO NOT CONNECT YOUR WALLET," the project's Twitter account declared.
CityDAO is a "decentralized autonomous organization" that hopes to collectively govern a blockchain city, offering citizenship and governance tokens in exchange for the purchase of a “land NFT” bestowing ownership rights to a plot of land. Like many other cryptocurrency, NFT, and DAO projects, CityDAO’s community lives on Discord, a popular service chiefly designed for gamers but which has become an indispensable part of the crypto ecosystem. On Discord, CityDAO issues announcements, updates, answers questions, hosts a community, and issues alerts for “land drops,” or opportunities to buy NFTs that represent parcels of land.
The attack worked by compromising the Discord account of a moderator, a core-team member and early investor who goes by Lyons800. They detailed the angle of attack in a Twitter thread the following day.
First, the attacker posted a doctored screenshot showing a conversation with Lyons800 in another Discord server, claiming that he was scamming people there. Lyons800 offered to prove it wasn't him and got on a voice call with the scammer, who convinced the moderator to let them inspect their console. From there, the scammer obtained Lyons800's Discord authentication token that let them hijack the account. In a tweet, Lyons800 described this as "a ridiculous security breach from Discord."
From here, the scammer launched a webhook attack to exploit CityDAO and BaconDAO—a group that describes itself as an “investors guild” that educates its members—where Lyons800 is a co-founder. Webhooks are best thought of as tools that connect Discord servers to other websites, and are often used to send automated messages and updates.
The hacker used their control of Lyons800's account and Discord to issue fake announcements across channels with bots that carried malicious links for a fake "land drop" of CityDAO NFTs representing parcels of land.
Within the space of a day, the hacker's wallet received 29.67 ETH (just shy of $100,000), and has continued receiving funds. In the last 3 days, the hacker has transferred 20 ETH to the Tornado.Cash tumbler to hide where the funds eventually landed, and 11.6 ETH to another address. 14 ETH remain in the wallet. It's unclear if all of the funds are from CityDAO investors, and the address has been marked as a scam in the Etherscan explorer.
This isn’t the first webhook attack used to steal ETH from Discord communities. In October, a 17 year old was able to steal 88 ETH from the Discord channels of an NFT project named CreatureToadz, but returned it to avoid being publicly doxxed.
The ease with which funds were stolen and a community duped—most of the ETH transfers happened in the space of one hour—suggests that building a city on the blockchain might not be the wisest endeavor if you’re also using a gaming chat application to do everything. As Lyons points out, Discord seems to be the weakest link here as the breach used a ridiculous exploit that bypassed two factor authentication and his password. And yet, DAOs and NFT projects of all sorts rely on Discord as a way to reliably connect community members, announce updates, organize marketing campaigns, and vote on new proposals for their projects.
“And finally, be careful on @discord with your token and with users using non-ascii chars to fake usernames,” lyons warns at the end of his explanatory thread. “It is incredibly insecure and multiple exploits like this have happened across different servers. Dont put yourself at risk !”
“Discord takes the safety of all users and communities very seriously, including social engineering attacks like this one. While there are clear controls in place, we are always working to make it harder for these attacks to happen and continue to invest in education and tools to help protect our users,” Discord said in a statement to Motherboard. “Our Terms of Service prohibit conduct that is fraudulent or illegal or otherwise harmful to Discord or any other user, and our Trust & Safety team takes action when we become aware of this kind of behavior, including banning users and shutting down servers.”
CityDao did not respond to Motherboard’s request for comment.
This article has been updated with a statement from Discord.