Earlier this month, Josh Fraser, the founder of the Ethereum-based platform Origin, was poking around Discord, the chat app for gamers that’s become the go-to platform for crypto projects all over the world. What he found startled him.
Fraser wanted to see if he could set up an automatic script that would alert him every time users posted certain keywords in his server. He saw several private channels that he couldn’t access, but he was still able to see a lot of information about them. Despite being supposedly private channels, he was able to see their names, their description, and the channel’s full list of members.
Because Discord is used by tons of high profile (and obscure) crypto projects, this information could be used to figure out that a certain project is about to launch a new token, or is about to be listed on Coinbase (imagine a private channel called “Coinbase”), which can have significant impact on the price of a coin. The names and user lists of private channels can even expose people who are responsible for executing financial transactions through multi-signature wallets, according to Fraser.
“That could very easily dox someone who didn’t intend to be doxed,” Fraser told Motherboard in a call.
Fraser’s research exposes a broader truth about cryptocurrency and the new Wild West of finance. While traditional financial communications take place over protocols like the highly secure (and expensive) Bloomberg Terminal or SWIFT, which catapulted into the public consciousness when Russia was banned from it, the most important messaging service in the world of crypto is Discord, which is a powerful chat app but was not designed from the ground up with security in mind.
Discord chats are not encrypted, public chat histories can be available to anyone who joins a channel, impersonation scams are common, and the security issue Fraser found remains a problem. Attempts by Discord to design specific features for crypto projects have been met with wide backlash from its main user base of gamers, many of whom find crypto reprehensible.
In the financial world, several firms use Instant Bloomberg, an application built to work with the Bloomberg terminal that runs on Bloomberg infrastructure and whose members’ identities are verified by the company. The terminal also requires a user’s fingerprint to log in. But the app is costly (reportedly around $24,000 a year for a single terminal subscription), and it’s really designed for people in finance, who have different needs and constraints compared to DeFi and crypto. In practice that means the app is fully surveilled so that it’s compliant with financial regulations.
There’s also Symphony, an Instant Bloomberg competitor. But it’s also specifically built for financial firms, especially with compliance with existing regulations in mind, which don’t apply to crypto.
After discovering that private channels leaked potentially sensitive information, Fraser alerted Discord, but the company told him this is a known issue that cannot be fixed for now. So he wrote a thread on Twitter explaining what he had discovered in an attempt to warn the community. His thread quickly went viral, suggesting many people in crypto had no idea private channels leaked such sensitive information.
Discord was launched in 2015 and was created by Jason Citron (CEO) and Stanislav Vishnevskiy (CTO), two developers who had launched social apps for gaming before trying their hand at game development under the banner of Hammer & Chisel Inc. That resulted in a free-to-play game for tablets called Fates Forever that failed to become commercially successful and shut down shortly after. From there, Hammer & Chisel pivoted to developing Discord as a hub for gamers to talk and coordinate in-game tactics with a focus on user-friendliness, eventually becoming Discord Inc.
Eventually, the app—perhaps because of its UI and community features, ease of creating pseudonymous identities, and some cross-pollination between online communities—cemented itself as a hub for most crypto projects. Most NFT collections including Bored Ape Yacht Club call it their home and have thousands or tens of thousands of members in their servers, and DAOs (Decentralized Autonomous Organizations) have also proliferated.
It’s also become a hotbed for scammers targeting an industry that the app was never designed to support.
Crypto hacks can be executed devastatingly quickly (one wrong link is all it takes to irreversibly swipe someone’s holdings), and so hijacking a Discord server is an efficient way to target a large number of people at once. In the last few months alone, hackers have taken control of the official Discord servers of the uber-popular NFT collection Bored Ape Yacht Club, the NFT trading platform OpenSea, and several others.
In these cases, once a hacker had control over the servers, the scammers took control of the admin’s bots, which are trusted by the community. They then began posting fake announcements from these bots, tricking victims into giving up their cryptocurrency or NFTs.
“If that bot ever got compromised, the back end that controls the bot ever got compromised, that’d be fucking nasty,” the co-founder of blockchain security firm Zellic, who pseudonymously uses the name Stephen online, told Motherboard in a call. “Those bots are a huge liability when it comes to security.”
Do you have information about hacking groups targeting Discord servers? Or do you know of other web3 and crypto hacks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email firstname.lastname@example.org
Virtually every crypto project’s Discord server is filled with fake accounts sending private messages with phishing links to everyone in the server. If you don’t set your Discord account to only accept private messages from your contacts, there is no warning that pops up to tell you the message comes from someone you don’t know and it may be dangerous, a disclaimer that would make a huge difference and would be an easy solution, according to Stephen. Motherboard has joined a handful of crypto servers over the years and is regularly subjected to dozens of private messages from sketchy servers or containing phishing links.
Discord scams typically involve social engineering in addition to exploiting the app’s features. In the case of the hack that targeted the Bored Ape Yacht Club Discord server, the scammers took over admin accounts and posted a link to a fake NFT drop from YouTube, which tricked eager investors hoping to get in early on a new collection to give up control of their wallets.
The hackers who target Discord channels and users within them are becoming very well organized, which is something Discord isn’t ready for, according to Mitchell Amador, the CEO of blockchain security firm Immunefi.
“[Discord] is not built with the idea of enshrining secure communications, it is not built with the idea of thorough privacy in mind. It is not built with the idea of very focused almost [Advanced Persistent Threat] level attackers. Some of these scam groups must have dozens or hundreds of employees in them,” Amador told Motherboard in a call. “They’re effectively corporations that are professional and dedicated to achieving these outcomes. And they are just ripping through Discord. It was never built to protect against such a dedicated attacker who is targeting such a vast swathe of accounts.”
Jessy Irwin, a cybersecurity practitioner who works for a blockchain company, recently saw a novel kind of attack. If a hacker pays for Discord Nitro, a higher tier of Discord’s service, they are able to use different nicknames for different servers. Irwin told Motherboard that abusing that feature, someone impersonated her company’s CEO, using his name and account number.
“When our security team reached out to Discord support, they asked why we hadn’t reported it—and we learned that you have to have a DM from the attacker in order to report it to their global trust and safety team,” Irwin told Motherboard in an online chat. “So for a nominal fee, anyone can pull off an impersonation attack by renaming their account in a way that is nearly indistinguishable from a legit account.”
Ultimately, the problem is that Discord wasn’t designed as a communication platform for crypto or DeFi projects, Stephen said.
“Discord is built around gamers, that’s the original target audience. And that whole community has a lot of trauma from back in the old Skype days. When everyone was using Skype, it was very easy to extract someone’s IP address from their Skype,” he said. “And because of that, Discord is very careful to make it as difficult as possible to extract someone’s IP address from just talking over Discord. […] If you’re a whale with a million dollars, you don’t want to be broadcasting to the world: ‘Hey, I’m a person with a million dollars in my crypto wallet.’ That’s kinda dangerous.”
Discord’s design for gamers, a large community of typically pseudonymous people who aren’t necessarily close friends or colleagues, makes it popular in the world of crypto and DeFi, which also value pseudonymity and trustlessness. However, those same factors make it easy for scammers to blend in.
“[Discord] was designed for gamers, so large groups of people who don’t know each other and don’t trust each other. And that’s actually a much better model for crypto communities, which are large groups of people who don’t know each other and don’t really have any good reason to trust each other,” Fraser said.
Still, there are a lot of improvements Discord could make to appease the crypto world, where much more is at risk than tactics for online gaming. “The security concerns for gamers are very different from the high stakes world of crypto. And while Discord hasn’t done anything to stop crypto communities from coming in and using their product, they haven’t exactly welcomed us and been very accommodating for crypto either,” Fraser said.
When Discord has attempted to address this large section of its user base in the past, it hasn’t gone well. In November of last year, Discord’s CEO Jason Citron teased in a tweet an upcoming feature that would let users connect their crypto wallets. The reaction from Discord users was so negative that Citron backpedaled and said there were no plans to integrate Ethereum wallets on the platform.
A Discord spokesperson said that the company “takes the safety of all users and communities very seriously, including social engineering attacks like the ones you’ve shared. While there are clear controls in place, we are always working to make it harder for attacks to happen and continue to invest in education and tools to help protect our users.”
The spokesperson pointed to the platform’s terms of service, which prohibit fraudulent, illegal, and harmful activities, and said the trust and safety team often takes action by banning spammers and removing spam messages. When that happens, users get a warning when they receive a message from the spammer.
Moreover, Discord is testing a system that monitors servers for inauthentic behavior and can put them into “safe mode,” which requires captchas to participate in the server. The company also has a system to remove malicious links and alert users if they open those kinds of links, according to the spokesperson.
The company has also published two blog posts with advice on how users and server administrators can protect themselves from scams and what kinds of scams users should be aware of.
Discord channels getting inundated with phishing links by hackers is not the only danger on the platform. According to Irwin, Discord has even become “a hotbed for malware distribution.”
Several cybersecurity companies have published reports detailing malware campaigns conducted on Discord, though they don’t always target crypto users. Irwin said that it’s difficult to really understand how big of a problem malware is on Discord because “so much of the malicious behavior doesn’t happen in the open on each server, actors can jump from server to server, it’s more difficult to get visibility into campaigns unless you’ve set up several honeypot user accounts on your server and you monitor them carefully.”
For now, there aren’t really any alternatives to Discord. Some crypto projects use Telegram, but the app doesn’t offer all the community features that Discord does. Crypto projects and companies have to make it work with Discord. And there are some crypto-focused tools that can help make servers more secure, which have popped up in the wake of the seemingly endless series of hacks.
There is a free tool called Good Knight, which promises to be “a first-of-its kind Discord security bot that uses innovative password protection technology to prevent malicious actions performed by hackers.” In practice, if Discord server admins use this bot, they can block anyone—including hackers—from posting links to the server that are not included in what effectively is an allow-list. When admins set up Good Knight, they have the option to give it more permissions than the admins, which prevents a hacked admin account from disabling the Good Knight bot. The bot also can force admins to use a password when they want to use commands for the server, according to Kyle Higdon, the developer of the tool.
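The allow-list idea behind a link-filtering bot can be shown in a few dozen lines. The following is an added example written for this article, not Good Knight’s code or anything from its developer: it extracts the links from a message, resolves each link’s host, and flags any host that is not an allowed domain or a subdomain of one. The allow-list, the sample messages and the phishing-style tricks they contain (a lookalike suffix, a `user@host` prefix that makes a trusted name appear in the URL, and a hostname with Cyrillic letters) are all constructed for the example; the function names are assumptions, not an API the bot exposes.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list for this example: hosts the server trusts.
# Any subdomain of an entry is allowed too (docs.github.com under github.com).
ALLOWED_HOSTS = {"opensea.io", "github.com", "discord.com"}

# Matches http(s) URLs and bare "www." links (treated as links here as well).
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"'`]+")


def extract_urls(text):
    """Return every URL-looking token in a message, trailing punctuation stripped."""
    urls = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:!?)]}>")
        if not url.lower().startswith(("http://", "https://")):
            url = "http://" + url  # give urlsplit a scheme for bare www. links
        urls.append(url)
    return urls


def host_of(url):
    """Hostname of a URL; urlsplit drops userinfo, so 'trusted@evil' resolves to evil."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None


def is_allowed_host(host, allowed):
    """Exact match or subdomain of an allowed host; IDN/punycode hosts are never implicit."""
    if not host:
        return False
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        return False  # lookalike hostnames must be allow-listed explicitly, never inferred
    return any(host == a or host.endswith("." + a) for a in allowed)


def find_disallowed_links(text, allowed=ALLOWED_HOSTS):
    """All links in a message whose host is not on the allow-list."""
    return [u for u in extract_urls(text) if not is_allowed_host(host_of(u), allowed)]


def should_block(text, allowed=ALLOWED_HOSTS):
    """A message is blocked when it carries at least one link off the allow-list."""
    return bool(find_disallowed_links(text, allowed))


# Constructed sample messages, in the style of a project's announcement channel.
SAMPLE_MESSAGES = [
    "Mint is live: https://opensea.io/collection/example-drop",
    "Docs moved to https://docs.github.com/en/actions",
    "FREE MINT NOW!! https://opensea.io.claim-drop.example/mint",        # lookalike suffix
    "Official link [opensea](https://opensea.io@phish.example/login)",   # userinfo trick
    "Visit www.\u043e\u0440\u0435nsea.io for the airdrop",               # Cyrillic o, r, e
    "No links here, just gm",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        bad = find_disallowed_links(msg)
        print("BLOCK" if bad else "allow", msg, bad)
```

Matching on the parsed hostname rather than on the raw text is what defeats the `opensea.io@phish.example` and `opensea.io.claim-drop.example` forms: both contain the trusted name, neither is hosted there. Rejecting non-ASCII and punycode hosts by default trades a little convenience for not having to reason about every homoglyph; a server that genuinely needs an internationalized domain can add its exact punycode form to the list.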
The developer, who goes by Captain_Plantain on Twitter, told Motherboard that he suggests admins set up a “cold” admin account and a “hot” admin account. The difference between the two is that the “cold” one is used to manage the server, such as to add or remove bots and channels, and it shouldn’t be online often, reducing the risk of compromise. The “hot” one should not have administrator permissions so that even if it gets compromised, the hacker can’t kick out the Good Knight bot.
Another tool is called Collab.land, and it allows the administrators of Discord servers to only allow users who can prove they own the crypto asset that the Discord server (or Telegram channel) is about. In practice it’s a bot that can automatically approve users if they prove they own a specific crypto asset, and boot them out once they sell it. The company calls it “a concierge,” which requires the crypto project to have a crypto wallet installed, such as Metamask.
Some crypto projects have also built bots that serve a similar purpose. If you can’t prove you own the project’s token, you can’t access its Discord server.
Discord is king for now. But that might change in the future.
Amador said that he is “very sure crypto will move on from Discord eventually.”
It wouldn’t be the first time the community has migrated to a new communications platform. At first, there was Bitcoin Talk, then Slack, then Telegram, and now Discord, Mitchell said. And despite the voice chat app Clubhouse briefly becoming a destination for crypto investors, the community has largely moved to Twitter Spaces for that purpose.
“The history of chat applications and crypto is kind of a long and winding path, deeply unpleasant,” Amador said. “Because it’s constantly about escaping scams and finding a safe place to build something together.”