May 3, 2023

3 Security Lessons from the Eternl Wallet Discord Hack

For any Web3 project, a lively Discord server is a vital part of building a thriving community. For scammers, those servers are the holy grail: a single target with thousands of potential victims, all hoping to get a piece of the next big thing.

Discord hacks are nothing new to the web3 community. In just one month in 2022, the NFT community reportedly lost over $22 million to these kinds of cyber attacks. Victims of these attacks include top NFT projects such as Bored Ape Yacht Club, which reported to have 200 ETH stolen from their community during a Discord hack; more than $2.8 million at the time.

Eternl Wallet Discord Hack

Recently Eternl Wallet, one of the most used Cardano light wallets, fell victim to a Discord hack. At about 14:30 UTC on April 30th, hackers gained access to a privileged Discord account, and began spamming the announcements channel with messages containing a link to a fake Ethereum token airdrop.

A scam message sent by hackers in the Eternl Wallet Discord server
A scam message sent by hackers in the Eternl Discord server

The hackers targeted a user with administrator permissions with a phishing attack, a common method used by cybercriminal to gain unauthorized access to user accounts. They coerced the victim into joining a Discord server with a malicious verification bot which steals the user’s Discord token when they attempt to verify.

The Eternl team was able to regain control of their Discord server after about 30 minutes. Fortunately, the hackers were unable to entice any victims with their fraudulent airdrop messages.

How to Prevent a Discord Hack?

1) Follow the Principle of Least Privilege

The Principle of Least Privilege (PoLP) is a cyber security principle that states a user should only have access to the necessary data, applications, and resources that are needed for their task.

Applying this principle to a Discord server, users should only have the permissions that are strictly necessary for their role. A moderator, for example, might need permission to timeout and kick other server members, but they do not need permission to manage channel settings, invite bots, or create webhooks.

2) Think Before You Click

Many scams rely on their victim panicking and not thinking, that is why scammers often put some sort of time-pressure on the victim. Taking a moment to stop and think before you take action can be the deciding factor between becoming a victim and avoiding a scam.

A major project randomly DMing you to collaborate while inviting you to the Discord may be exciting, but does it make sense? Take the time to verify the user you are talking to is real and cross check official links from a verifiable website or social media account. If the offer is genuine, they will have no issues with you taking the time to verify that you can trust them.

3) Use Scam Prevention Tools

Discord and Web3 in general can be a scary place. Fortunately, there are tools designed to prevent scams like SecurityBot that help make your community a safe place for everyone.

Even in the case of an account breach, SecurityBot has features to mitigate any impact. The Channel Lock feature provides a second layer of protection for your Discord server, requiring a password before sending messages in locked channels. The new webhook alerts feature will notify you whenever a webhook is created or updated, allowing you to easily delete them if they are suspicious.