Our Discord Was Hacked: Here’s How We’re Dealing With It
This post will serve as a look into what happened, how it could have been prevented, how we’re making it right today, and the preventative measures we will be taking to ensure it doesn’t happen again.
As Project Founders, This Falls On Us
As you probably heard by now, our Discord server was hacked around 3am EST on Tuesday Dec 21. Scammers entered our server by compromising one of our high-ranking mods, banned us, locked all text channels, and proceeded to scam our community out of a few dozen ETH through a fake minting link.
Admitting fault is hard, but it’s important. As the Founders of the project, 100% of this blame falls on us. Our community has trusted us to build a fun, secure business that we can all watch grow.
Make no mistake, this will be nothing more than a blip on the radar for our company. We will come back from this better and stronger. The Writer’s Room has massive plans to disrupt how content is created and distributed in the Web3 era. That being said, it’s horrible to think about how many of our community members were affected by this scam.
That’s why we will be refunding 100% of the wallets determined to be legitimate victims of this scam. More on this below.
Mistake #1: Server Ownership + Mod Permissions
Before I ever started writing my stories as the valet at the BAYC, I knew how much community mattered in the Web3 era. I aped into the Bored Ape Yacht Club and began to write simply because I wanted to contribute to that community.
When my stories started to grow, I realized that I had an opportunity to build a community of my own. The first iteration of The Writer’s Room — before the mint, before anything else — was a Discord Server.
I certainly didn’t know how to build one and neither did SAFA, so we hired someone to build the server for us. They did an awesome job, and we all gathered there for months. We were in Discord together for the mint on August 4th; for the CAA announcement; for Neil joining us; for the opening of our member-only portal; for the famous Metaheroman sweep; and everything in between. Discord has been our home through ups and downs.
We made a huge mistake when we set up the discord server though. We didn’t have the person who built the server transfer server ownership to us. We thought that we’d be safe simply by giving ourselves the highest level of permissions. Yesterday, this proved to be a crucial error.
You see, a Discord server owner can never be banned and they cannot have their permissions changed. In other words, if your server gets hacked, you really want to be the server owner so you can take control back over your server from whoever has hacked you. SAFA and I are now server owners for the Jenkins the Valet server which is a crucial (and obvious) line of defense that every community should have. We have the appropriate security measures in place. If we had been the server owners, then when we woke up we would have been able to regain control. We left that privilege with a trusted mod.
Our Mod(server owner at the time) was tricked into sharing critical information on Discord. They live in the Web3 community and spend all day in Discord. They take security seriously. It only took one mistake to become compromised.
This is how it happened:
- Our server owner received a direct message from users Dots#4460 and Tactic#0005 who said our server owner was being banned from another server for scamming
- Our server owner disagreed and suggested they had the wrong person. Our server owner suggested that maybe they had been impersonated.
- Dots#4460 and Tactic#0005 asked our server owner to share their screen to prove they did not have any messages that would constitute a scam.
- Our server owner, in a lapse of judgment, shared their screen.
- Dots#4460 and Tactic#0005 said they needed to see the “deleted messages log” and instructed our server owner to open up Chrome Developer Tools and copy some information to the HAR (HTTP Archive).
- Our server owner did it and the hackers had the information they needed to compromise his account and take control of our server.
The HAR can contain tons of sensitive information and should never be shared. Sometimes logic goes out the window when you feel like you’re being accused of something and want to prove your innocence. Sometimes you make mistakes.
Project founders should examine the permission level that all of their Mods have. If a Mod is compromised, what would be the ramifications? Who can they ban? Who can they grant Mod permissions to? Who can they create new roles for? If they can ban the Founders, and they can grant Admin permissions to their accomplices, this is a recipe for disaster. Additionally, Mods should not have Webhooks permissions. Ever.
Our mod learned the hard way yesterday that no matter the perceived consequences, you should never, ever, ever, ever share personal information, passwords, seed phrases with anyone on the internet. It’s not worth it. Even if you think you’re going to be banned from a Discord server that you love, the potential consequences are just not worth the gain. There will always be another server to join, but you can’t recover what a hacker steals from you or others.
Mistake #2: Limited Time Zone Coverage
Scammers will watch from within your server for days. They will learn when you go to sleep and when you wake up. They learn when your server is most defenseless.
They waited until the middle of the night EST to execute their operation. They’d been going for nearly 4 hours by the time we woke up to discover what had happened.
At this point, if we’d been the server owners, we could have taken steps to recover, but of course we were not. It took many more hours, negotiations, and more to regain control of our server.
To summarize, how we were hacked:
- We were not the server owners even though we should have been
- Our server owner accidentally had their account compromised
- The hackers waited until the middle of the night when we didn’t have support online
By the time we woke up, we were hours behind with no clear path to resolution.
How the hackers scammed our members
Once the hackers controlled our server, they created a fake “Jenkins the Valet” username in Discord and granted him an official role. They made an announcement about a stealth drop happening right away. This announcement came from an official #announcements channel, despite being from the fake Jenkins account. They launched a site that had a similar URL to our website. They hosted a Discord Stage to talk about the drop and they had their fellow hackers come on stage to talk about their (fake) success minting it to drum up support. They banned anyone who spoke up.
It was a sophisticated hack and they covered many bases. Even though the drop was off-brand for me and SAFA, it caused a lot of members to mint. We all know that FOMO is a hell of a drug, especially when you’re sleep deprived.
Luckily for us and our community, the implementation of the scam was not as sophisticated as the Discord hack. There was no malicious smart contract that our users interacted with. Instead they simply interacted with another wallet, effectively transferring ETH from their own wallets to a scammer wallet.
All told, the scam was not successful and it will be nothing but a speed bump for us and our community. We are working with the authorities to press charges, and we will not relent. We are not able to comment any further on this aspect.
Today we are grateful that it was not worse. Our members could have had their wallets cleaned out. We are all lucky that was not the case.
To figure out where we go from here, we need to remember how we got here:
- Our server owner, who was neither me nor SAFA, had their account compromised
- Hackers took over our discord in the middle of the night
- They set up a similar URL to our own and drove members to mint there
- The mint ended up simply transferring ETH to their wallets
Each of these steps could have been avoided, and we plan to address each one. Below is what we’ve done, and will continue to do on an ongoing basis.
Permissions Strip, 3rd Party Security Audit, Full Rebuild: After regaining control yesterday, we started the server from ground zero. We’d like to give a huge shoutout to GFunk and VGF from Pixel Vault who introduced us to a trusted CM on a moment’s notice to help. We immediately scoured the audit log for all of the bad actors and anyone who may have been associated with them. We ensured that all of them were banned and we stripped all permissions from every single user, except for myself and SAFA. This allowed us to rebuild with maximum security. We have the appropriate hierarchy and set of permissions in place in the event that anyone is compromised. We recommend doing frequent audits of permissions, as well as monitoring the audit log for any suspicious activity (you can filter by action).
Server ownership: We have transitioned server ownership to us, the project founders. We have also installed additional bots which act as a line of defense to keep the server safe in the event of an attack. We will be purchasing a single-use device whose only purpose is to have a Discord account that remains offline but holds server ownership. The account would never log in anywhere else and would be kept somewhere safe. While this is an extreme step to make sure the server owner cannot be compromised, we urge communities to consider this level of security. Think about what you’d want if you ever were caught off guard by malicious hackers.
24/7 Discord moderation: We are beginning a search for 24/7 Discord Moderation. There is no excuse not to have 24/7 moderation in Discord. If nothing else, we are so proud of the fact that our Writer’s Room members are distributed globally. Our members across the globe should have moderators during their peak hours, and we will all benefit from users with enhanced permissions being online when SAFA and I are asleep. We’ll also make sure these moderators have a direct line to each of us with an audible phone ring so that they can wake us in the middle of the night if something goes wrong.
Upcoming launches: We will continue to give tons of notice to our Writer’s Room members and the Web3 community at large before we bring anything new to market. If you know us, you know we are careful with our brand and how we roll out new launches. We may surprise and delight members with free-to-claim perks on short-ish notice, but we will never ask you for money in a secret, surprise drop. You will know it’s coming, and we will make sure that we reinforce that messaging.
Processing refunds for those who were scammed: We will be refunding all wallets who legitimately fell victim to the scam. This is on us for letting this happen and we are committing to making our members whole. We are devastated for our community members who fell victim to this scam. Some members were new to the Writer’s Room and we can’t believe this was one of their first experiences with us.
Please use this Google Link [REDACTED] to share the necessary information with us. We will be working with a 3rd party to audit the validity of all claims and be sure we are refunding the people who deserve to be refunded.
We Will Rise
When we reflect on what happened to get us into this situation, we are reminded of how often we see scams like this within our greater Web3 community. We were not the first community to be exploited, but we hope that the information shared here can make us the last.
If we all protect ourselves, and if we protect each other within our trusted communities, we can make Web3 a safer place. There is nothing like Web3 and the brilliant people who occupy it. We are all blessed to be at the forefront of such an exciting movement. It’s up to all of us to ensure that it is a welcoming place for newcomers so that we can achieve the level of adoption we all know is possible. Protect yourself, protect your friends, and never share personal information. If it feels fishy, it probably is.
There is nothing that will stop The Writer’s Room. We have so many exciting things ahead and an amazing community supporting us. This will not break us and this will not define us. A huge thank you to all members who Tweeted, tried to alert others, and stood by our side. Our treasury is safe, our website is safe, our smart contract is safe, and licensing is safe. Everything that makes The Writer’s Room what it is, is safe.
Now that The Writer’s Room has been through the ringer, we are better equipped to support anyone else going through this. Please reach out if you have questions about personal or project security.
Today, we rebuild. Because We Are Book People.