Read on Twitter
Discord Security Tip What to do when the worst happens and your Discord server does get compromised?
This thread will cover what you should do as an admin or a server owner during all stages of a Discord compromise and fake mint/airdrop phishing scam.
Ongoing AttackFirst, take a screenshot of the fake announcement - we will need this for later. Try to delete the fake announcement, follow this up by banning the user who was posting the announcement.
Go to Server Settings->Integrations, remove all webhooks.
Send a message to all of your team members/moderators to change their password immediately. Best if sent not over Discord DM.
If you were unable to ban the user who was compromised, you need either the server owner to ban them or for the user to change their password.
If you were unable to ban the user who was compromised, you need either the server owner to ban them or for the user to change their password.
Next - review all roles, look for any roles with dangerous perms (admin/webhook/roles) toggle them off by hitting clear permissions.
The attackers will give roles to their alts, to keep the attack ongoing for as long as possible. Removing perms is fastest way to deal with that.
The attackers will give roles to their alts, to keep the attack ongoing for as long as possible. Removing perms is fastest way to deal with that.
While going through roles, remove all permissions from Bot roles as well.
This will bypass any malicious bots or changed Bot settings - we will still review changed settings but this is the fastest way to react.
Bots could be used to re-role users or potentially change perms.
This will bypass any malicious bots or changed Bot settings - we will still review changed settings but this is the fastest way to react.
Bots could be used to re-role users or potentially change perms.
Delete your announcement channel. Because of how Discord works, sometimes the scam messages will still appear for people when they first open their Discord.
Deleting the announcement channel is the only way to limit more losses.
Check webhooks one more time after doing this.
Deleting the announcement channel is the only way to limit more losses.
Check webhooks one more time after doing this.
Go back to Server Settings -> Integrations.
Review all installed Bots. Anything added within a day or two, click manage, and then remove integration.
Attackers occasionally will install their own bots on the server, we must remove these (even though they are now powerless).
Review all installed Bots. Anything added within a day or two, click manage, and then remove integration.
Attackers occasionally will install their own bots on the server, we must remove these (even though they are now powerless).
Next we need to go to Server Settings -> Audit Log
Scroll back to when the attack started, and look through what the compromised account changed, any alts that were granted roles, ban those accounts.
Make a short note of anything modified so you can check it later.
Scroll back to when the attack started, and look through what the compromised account changed, any alts that were granted roles, ban those accounts.
Make a short note of anything modified so you can check it later.
For any Bot in your server that had any elevated permissions (manage roles, admin, etc).
Visit the dashboard, check built in logs to see what settings were changed.
If the bot does not have a log, consider removing the bot or review all the settings manually.
Visit the dashboard, check built in logs to see what settings were changed.
If the bot does not have a log, consider removing the bot or review all the settings manually.
Following the audit log review:
1. Check perms on any roles changed (that you didn't already clear perms on)
2. Check perms on any channels changed - if they changed perms on all channels, drag channels to an archive category with no permissions on it and sync channels to it.
1. Check perms on any roles changed (that you didn't already clear perms on)
2. Check perms on any channels changed - if they changed perms on all channels, drag channels to an archive category with no permissions on it and sync channels to it.
Remove all Team members from their (now powerless) roles, grant their roles back later after they confirmed on a different avenue of communication that they changed their password.
After the attack...Go to Server Settings -> Custom Invite Link
Ensure your Vanity URL was not changed, if it was, update your public facing Discord invite link and message Discord's customer support.
Check all your non-vanity public invite links, make sure they're all good
Give Team/Mod roles back minimum permissions needed until full review of server is completed. Re-add team members who changed their password to their old roles.
Make a new fresh announcement channel (don't clone!) and post an announcement explaining the situation. Communicate.
Make a new fresh announcement channel (don't clone!) and post an announcement explaining the situation. Communicate.
Review your screenshot you took of the fake announcement - on a different device not connected to your Discord account, go to the fake site, initiate a transaction (don't sign it obviously) so you can figure out the attacker's wallet.
Write down the wallet somewhere.
Write down the wallet somewhere.
Post on Twitter as well that there was a compromise and that the server is back under control.
Post resources for your affected community members to understand how to revoke approvals (psst: https://twitter.com/Jon_HQ/status/1534261731152695297)
Set up a meeting with the team to talk about next steps.
Post resources for your affected community members to understand how to revoke approvals (psst: https://twitter.com/Jon_HQ/status/1534261731152695297)
Set up a meeting with the team to talk about next steps.
Restitution + Next StepsGet some sleep. This is an incredibly stressful situation and will cause anyone to start making mistakes after dealing with it.
Once you got some rest, there are a couple options about how to deal with community members who lost funds or NFTs:
1. Do nothing. Don't pay them back.
This will look incredibly poorly on your project. Even if you're pre-mint, or your company isn't doing an NFT sale, there are other options you can take to try to make it up to the community.
An NFT project is its community. Endstop.
This will look incredibly poorly on your project. Even if you're pre-mint, or your company isn't doing an NFT sale, there are other options you can take to try to make it up to the community.
An NFT project is its community. Endstop.
2. Pay back just ETH lost in the scam
This is less and less of an option as scammers switch almost exclusively to NFT drainer websites. Most of the value stolen now from scams are through stolen NFTs, not transferred ETH. But for a project with limited funds this could work.
This is less and less of an option as scammers switch almost exclusively to NFT drainer websites. Most of the value stolen now from scams are through stolen NFTs, not transferred ETH. But for a project with limited funds this could work.
3. Pay back all funds lost
This is the hardest pill to swallow. But if you go down this path, the number 1 thing I recommend is to have your restitution form be through @PREMINT_NFT - you can verify their Discord/Twitter/Address all at once.
Manually review each entry. cont...
This is the hardest pill to swallow. But if you go down this path, the number 1 thing I recommend is to have your restitution form be through @PREMINT_NFT - you can verify their Discord/Twitter/Address all at once.
Manually review each entry. cont...
Make sure each person is legit. Make sure they post on Twitter, they didn't join your Discord a day ago.
You want restitution to go back to victims, not alt accounts potentially owned by the phishers.
Past that - put a time cap on your restitution process, just to have an end.
You want restitution to go back to victims, not alt accounts potentially owned by the phishers.
Past that - put a time cap on your restitution process, just to have an end.
4. Issue an NFT or grant WL spots to victims
If you're pre-mint/don't have funds to issue full refunds, you can grant victims additional WL allocation or even give them a free mint NFT to hopefully recover some funds lost.
This obviously throws a hitch in a project's plans.
If you're pre-mint/don't have funds to issue full refunds, you can grant victims additional WL allocation or even give them a free mint NFT to hopefully recover some funds lost.
This obviously throws a hitch in a project's plans.
After you as a team have formed your restitution plan - it is incredibly important to figure out how the team member who got compromised got phished.
If it is not something apparent like a bookmarklet scam, scanned QR code, or screenshare.
Reach out to a professional to review.
If it is not something apparent like a bookmarklet scam, scanned QR code, or screenshare.
Reach out to a professional to review.
There is a small but real potential that they were hit with malware or something similar.
Until the source of the compromise is found, assume they will remain compromised until it is discovered or they do a full computer wipe.
I cannot stress this enough.
Until the source of the compromise is found, assume they will remain compromised until it is discovered or they do a full computer wipe.
I cannot stress this enough.
Lastly - after all of the above...
The other thing you should do is focus on making sure this never happens again.
Reach out to a @server_forge approved Discord auditor (like me!). And have someone review your server and set up safeguards to prevent this from happening again.
The other thing you should do is focus on making sure this never happens again.
Reach out to a @server_forge approved Discord auditor (like me!). And have someone review your server and set up safeguards to prevent this from happening again.
