CityDAO — the group that bought 40 acres of Wyoming in hopes of “building a city on the Ethereum blockchain” — announced this week that its Discord server was hacked and members’ funds were successfully stolen as a result. From a report: “EMERGENCY NOTICE. A CityDAO Discord admin account has been hacked. THERE IS NO LAND DROP. DO NOT CONNECT YOUR WALLET,” the project’s Twitter account declared. CityDAO is a “decentralized autonomous organization” that hopes to collectively govern a blockchain city, offering citizenship and governance tokens in exchange for the purchase of a “land NFT” bestowing ownership rights to a plot of land. Like many other cryptocurrency, NFT, and DAO projects, CityDAO’s community lives on Discord, a popular service chiefly designed for gamers but which has become an indispensable part of the crypto ecosystem. On Discord, CityDAO issues announcements and updates, answers questions, hosts a community, and issues alerts for “land drops,” or opportunities to buy NFTs that represent parcels of land.
The attack worked by compromising the Discord account of a moderator, a core-team member and early investor who goes by Lyons800. They detailed the angle of attack in a Twitter thread the following day. First, the attacker posted a doctored screenshot showing a conversation with Lyons800 in another Discord server, claiming that he was scamming people there. Lyons800 offered to prove it wasn’t him and got on a voice call with the scammer, who convinced the moderator to let them inspect the moderator’s console. From there, the scammer obtained Lyons800’s Discord authentication token, which let them hijack the account. In a tweet, Lyons800 described this as “a ridiculous security breach from Discord.” From here, the scammer launched a webhook attack to exploit CityDAO and BaconDAO — a group that describes itself as an “investors guild” that educates its members — where Lyons800 is a co-founder. Webhooks are best thought of as tools that connect Discord servers to other websites, and are often used to send automated messages and updates.