Post mortem of March Discord Hack
During the tail end of March, one of our Discord community moderators was targeted in an intricate social engineering hack and lost access to her account.
The scammers took control of a large part of the RMRK Discord, deleted some channels, and posted fake announcements containing a phishing link.
The hack originated in the V1 Punks Discord, but every server where this person had mod or admin rights was affected.
Luckily, the damage on the RMRK side of the community was small (16k USD total). While everyone needs to take responsibility for links they click and transactions they sign, RMRK cares about our community and consequently we have refunded those affected either partially or in full, or through compensation, depending on their engagement in the community and damage suffered. Refunding for matters like this will not be something we do again, so please carefully read the points below.
It goes without saying that basic opsec should be observed to stay safe at all times. Follow these basic rules:
- do not use Discord's web app. Only use Discord's standalone app. That app is also just a packaged-up browser, but its context is isolated, so the 2FA session is not sitting in localStorage, up for grabs to any enthusiastic hacker.
- always double check announcements with additional official channels before aping in. We will NEVER post something so time-sensitive that you need to react immediately.
- always be extra skeptical if any announcement is published that has anything to do with Ethereum. We do not launch on Ethereum, and if we ever do, announcements far more official and permanent than Discord messages will be made well ahead of time.
- keep your high value NFTs and FTs on a separate stash wallet. Long-term holds should be far away from your hot wallet. So if you know you like to impulsively click on links and sign transactions on random websites, please do this using a wallet that contains nothing of value.
- no team member of RMRK will ever ask you for any financial aid in any way, nor will we ever ask you to "verify your W A L L E T". In fact, you can be sure that all DMs from "us" are scams.
- if an offer/announcement seems too good to be true, 99% of the time it is. You won't be winning anything by clicking on it, but some scammer will be winning your precious crypto.
This was neither the first Discord hack nor will it be the last. Until Discord and Telegram add adequate protection methods, and until basic opsec becomes second nature to most people, this sort of stuff will keep happening, and the refund we did in this case should be considered an exception, not precedent.
Remember, in web3, you are your own bank. Be careful!