Pillheads // Recovery

Almost every day in the web3 space, we hear about folks being rugged, scammed, phished, hacked, and more. Even though some of us have been here for a while now, we are still surprised when things go pear-shaped for certain projects and/or individuals in the space. It’s the wild west out here on trustless networks, and we are still on web2 technology that is incredibly exploitable.

On a day when Zeneca_33 had their Twitter account phished, and multiple projects lost control of their Discord servers, we were all thinking about this tweet from the day prior from Yuga Labs:

And so this bullshit finally happened to us. And I’m going to tell you the story of how it happened, and what our takeaways are from the situation, now that we’ve dealt with it firsthand. I’ll start from the beginning.

Around 3-4 months ago, we reconfigured a ton of things on the Discord server, in anticipation of the coming Pillheads Generative mint. About a month after that, we revisited the setup, and beefed up some security measures, as we noticed a sudden spike in Discords being compromised, as well as more rugged NFT projects coming out, where their dogsh*t looking minters would drain wallets after signed interactions.

The fake minter looked about as bad as this. Would you mint from a site like this?

Part of our security measures was to reduce permissions for some roles, to keep encouraging everybody on the team to change passwords, and to introduce some new preventative measures in the form of bots. We were aware that the vast majority of compromised servers were the result of mods and/or other lead roles in projects having their personal accounts phished or otherwise compromised.

I’ve always been nervous about security on the web - ever since the early 90s. Not much has changed between then and now; the vast majority of attacks where somebody loses control of their accounts are a result of social engineering. I consistently yell “PEBKAC,” about anything that goes wrong on the web.

How did events play out?

So, when my phone started blowing up at roughly 6PM ET on Tuesday, July 19th, and I saw messages rolling in from close friends in the space saying “DISCORD HACKED,” “DISCORD UNDER ATTACK,” and “PH DISCORD GETTIN REKT,” my reaction was initially somewhere between pure panic and really hard facepalming. The realization that this bullshit had happened to us hit me hard.

I had to be sure: was it my Discord setup that was compromised? Did I give a bad player in the space the wrong permissions recently? Did I get phished? Could it be I got SIMjacked? I went through dozens of scenarios in my head before doing anything. The message notifications on my phone started getting a little crazy.

So I took a deep breath and opened up Discord on my laptop. I immediately went to the Ph Discord, and noticed a ton of scammy links in announcements, a bunch of people calling errant behavior out, and a bunch of mismatched roles in the right sidebar for users. I checked wickbot to see why it wasn’t doing its job; after all it exists for this purpose. It should be catching mass role changes, repetitive messages and link sharing, and a slew of other things.

Wickbot was gone, I was locked out of web frontends for all of the bots, and there were some very not-CFW-like comments and announcements from CFW himself.

“We’re minting”

“We closed channels to avoid FUD”

“Click this link…”

It hit me immediately that CFW’s account had been hijacked. Before I could do anything else, I got the boot, along with the rest of our dev team, and some of our core team members. UnkFunk immediately started blowing up Potadough and CFW’s DMs across multiple platforms, trying to contact them, while I began assessing the situation. We immediately began changing passwords and emails associated with our web facing accounts, including our hosting, team google account, and socials. Whitelights and 0xDaemon went to town on looking into the contracts and minter the scammers dropped. Our family at Sideways DAO began alerting everybody in our circles about CFW’s account being compromised, and the PH server being unsafe. We told everybody we were hacked, and that they should not trust any links from us.

Welp, there go the devs @#$!

Within 2.5 hours CFW had regained control of his account, we had verified each other's identities (VC is great, and so is sharing IRL experiences at NFT NYC to call on to prove identities), and we had managed to boot the malicious actors out of the server and reset his password from a secure device with a fresh Discord install. The damage was done though. Some folks had interacted with the contract, and our server was wrecked. We were now into mitigation, assessment, and full-on discovery mode.

For the record, I am blown away by our team’s (core & mods) response time, how calm everybody was, and how well we handled it with our close community of friends and family in the space. I can’t shout out all of you outside the team individually, but you know who you are, and we are ever thankful for you moving rapidly and gracefully to warn other projects about what happened. Extra special thanks to Flashfox for moving very rapidly to keep other NFT projects informed of the situation.

Most importantly, a huge and massive shoutout to CFW for immediately addressing the problem, and getting ahead of things safely and smartly. It is clear as daylight to me that he has assembled the right team for this project, especially after this debacle.

A whois query on the URL the scammers had their fake minter on

So, you may ask, what the fuck actually happened to CFW’s account?

Problem Exists Between Keyboard and Chair

For 2 months now some ding dong we thought was approaching us in good faith has been asking about a collab/partnership. They posed as being part of a project called PhasesNFT. They presented in a very legitimate manner. CFW has been so busy, he hasn’t had the time to follow up on their discord invite, or other serious interactions with them. Finally, a day before his account got hijacked, they reached back out again.

He found their Discord invite was broken. He brought it up and they sent a link to connect him to it through his browser. A seemingly harmless Discord invite, to resolve “a common issue they had been experiencing with Discord invites recently.” Some of the questions they asked collected info about when he is available. They figured out when he would be online, and when he would be deep asleep.

Upon clicking the link, they grabbed his Discord token. What follows is a breakdown of how that works, and how they used it to hijack his account, bypassing 2FA and any other login requirements his account has. We are sad to hear this very same thing happened to the folks at Metamint. We are thankful for them sharing this tweet:

I urge you all to pay deep attention to these videos, as they break it down incredibly well, and display how token grabbing works. It’s an old, rudimentary phishing technique, applied in this instance to Discord’s session token: the token is a bearer credential, so whoever holds it is logged in as you, with 2FA and every other login check already satisfied. Insanely simple.
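To make the mechanism concrete, here is an added example (my own illustration, not code from this post, from the videos, or from Discord): a parser for the two non-secret segments of a user token, and a scanner that finds token-shaped strings in text such as a downloaded script or a grabber’s exfil payload. The token layout it assumes (base64 user ID, base64 creation time relative to Discord’s 2011 epoch, then a server-side HMAC) is the commonly documented one and is an assumption of the example, not something the post states. The token and the exfil payload in the block are constructed and belong to nobody.

```python
# Added example: structure of a Discord user token and a scanner for
# token-shaped strings. Not from the original post; the layout described
# below is the commonly documented one and is an assumption of this example.
import base64
import re
from datetime import datetime, timezone

DISCORD_EPOCH = 1_293_840_000  # 2011-01-01T00:00:00Z, Discord's epoch in seconds

# Three dot-separated, URL-safe base64 segments (padding stripped):
#   1. the user's snowflake ID, as a decimal string, base64-encoded
#   2. creation time: big-endian seconds since DISCORD_EPOCH, base64-encoded
#   3. an HMAC only Discord's backend can verify (the actual secret)
# The backend validates segment 3 and checks that the token was not
# invalidated (a password change does that). 2FA was checked when the token
# was issued and is never re-checked, so whoever holds the token is logged in.
TOKEN_RE = re.compile(
    r"[A-Za-z0-9_-]{23,28}\.[A-Za-z0-9_-]{6,7}\.[A-Za-z0-9_-]{25,40}"
)

# Constructed sample: user ID 123456789012345678, created 2022-07-18T00:00:00Z,
# third segment is filler. This is not a real token.
SAMPLE_TOKEN = "MTIzNDU2Nzg5MDEyMzQ1Njc4.FbY0AA.ConstructedFakeHmac_NotReal"

# Constructed sample of what a grabber posts to its exfil webhook.
SAMPLE_EXFIL = '{"content": "new victim: token=' + SAMPLE_TOKEN + ' platform=win"}'


def _b64decode(segment: str) -> bytes:
    """URL-safe base64 decode; Discord strips the '=' padding, so restore it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_token(token: str) -> dict:
    """Decode the two non-secret segments. The HMAC segment is deliberately unused."""
    user_b64, ts_b64, _hmac = token.split(".")
    user_id = int(_b64decode(user_b64).decode("ascii"))
    created = DISCORD_EPOCH + int.from_bytes(_b64decode(ts_b64), "big")
    return {
        "user_id": user_id,
        "created_at": datetime.fromtimestamp(created, tz=timezone.utc).isoformat(),
    }


def find_tokens(blob: str) -> list[str]:
    """Find token-shaped strings in text: a downloaded script, an extension's
    source, a proxy log, or an exfil payload like SAMPLE_EXFIL."""
    return TOKEN_RE.findall(blob)


def redact(blob: str) -> str:
    """Replace every token with its decoded user ID, so an incident log can
    say whose token leaked without storing the credential itself."""
    return TOKEN_RE.sub(
        lambda m: f"<token user_id={parse_token(m.group(0))['user_id']}>", blob
    )


if __name__ == "__main__":
    for tok in find_tokens(SAMPLE_EXFIL):
        print(parse_token(tok))
    print(redact(SAMPLE_EXFIL))
```

The creation timestamp is the useful forensic detail: a token whose creation time predates the last password change is already dead, and one created minutes after someone clicked a "fixed invite" link tells you exactly when the grab happened.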

I would like to note that once the “hackers” went to work, they also placed a seemingly harmless webhook integration in the server. It’s a good reminder to everybody to check what integrations they have enabled, at any given time. I will be sharing a much more technical breakdown of what our audit revealed at a later time.
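The “check your integrations” advice as an added, runnable illustration (mine, not code from this post or from Discord): list a server’s webhooks with the Discord API’s GET /guilds/{guild.id}/webhooks endpoint, compare them against an inventory you keep outside Discord, and flag anything unexpected. The sample response and the IDs in it are constructed; the field names match the real webhook object. Note the second sample webhook: it was created by a team account, so a creator check alone passes it, and only the inventory catches it. That is exactly the situation after an account takeover.

```python
# Added example, not from the original post: audit a server's webhooks.
# Uses GET /guilds/{guild.id}/webhooks and DELETE /webhooks/{webhook.id}
# from the Discord API (MANAGE_WEBHOOKS required). The sample response
# below is constructed; field names match the real webhook object.
import json
import urllib.request

API = "https://discord.com/api/v10"
INCOMING = 1  # webhook type 1: anyone who has its URL can post through it


def fetch_guild_webhooks(guild_id: str, bot_token: str) -> list:
    """Live call, not exercised offline: list every webhook in the server."""
    req = urllib.request.Request(
        f"{API}/guilds/{guild_id}/webhooks",
        headers={"Authorization": f"Bot {bot_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def delete_webhook(webhook_id: str, bot_token: str) -> None:
    """Live call, not exercised offline: remove a webhook you did not create."""
    req = urllib.request.Request(
        f"{API}/webhooks/{webhook_id}",
        method="DELETE",
        headers={"Authorization": f"Bot {bot_token}"},
    )
    urllib.request.urlopen(req, timeout=10).close()


def audit_webhooks(webhooks, inventory, trusted_creators, sensitive_channels):
    """Return one finding per webhook that fails any check.

    inventory: webhook IDs you created on purpose (keep this list outside Discord).
    trusted_creators: user IDs of the team.
    sensitive_channels: channels where a rogue webhook does real damage
    (announcements, mint info).
    """
    findings = []
    for wh in webhooks:
        creator = (wh.get("user") or {}).get("id")
        reasons = []
        if wh["id"] not in inventory:
            reasons.append("not in inventory")
        if creator not in trusted_creators:
            reasons.append(f"created by untrusted account {creator}")
        if wh["channel_id"] in sensitive_channels:
            reasons.append("posts into a sensitive channel")
        if wh.get("type") == INCOMING and reasons:
            reasons.append("incoming: anyone holding its URL can post as the server")
        if reasons:
            findings.append({"id": wh["id"], "name": wh.get("name"), "reasons": reasons})
    return findings


# Constructed sample. "Captain Hook" is the default name Discord gives a new
# webhook; the second entry was created by a team account (the hijacked one)
# and points at the announcements channel.
SAMPLE_WEBHOOKS = [
    {"id": "1001", "type": 1, "name": "GitHub", "channel_id": "2001",
     "user": {"id": "3001", "username": "orb"}},
    {"id": "1002", "type": 1, "name": "Captain Hook", "channel_id": "2002",
     "user": {"id": "3002", "username": "cfw"}},
]
SAMPLE_INVENTORY = {"1001"}
SAMPLE_TRUSTED = {"3001", "3002"}
SAMPLE_SENSITIVE = {"2002"}  # the announcements channel

if __name__ == "__main__":
    for f in audit_webhooks(SAMPLE_WEBHOOKS, SAMPLE_INVENTORY, SAMPLE_TRUSTED, SAMPLE_SENSITIVE):
        print(f)
```

Run it from a bot account that is not owned by any individual team member, so the audit itself survives a personal-account compromise, and re-run it after every incident and every new integration.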

Standard practice, standard fuckery. Screenshot from July 19th.

We’re only human, right?

We are. And this means this could happen again. It’s been happening since Nigerian prince scams showed up in our emails 2 decades ago, and it’s continuing to happen in one form or another to people who are not new to this space.

In this case, I was depending on Wickbot to shut this kind of problem down, but since CFW’s account was the top-level owner of the bot, the hijacked account could simply remove it, and that protection was negated entirely. This time around, we have placed a dedicated account as server owner, which only a limited number of us have access to. This account will only ever be open in an incognito window to perform administrative tasks, or to make adjustments to Wick’s settings. During those sessions, no other websites will be visited, and no other links will be clicked.

Additionally, we are getting even stricter about accounts that join the server but do not stay active, or do not verify within a set period of time.

As we find better solutions over time, we will adopt. We have already changed some settings on our server until further notice, and are taking some steps to get our project’s interests back on track. We think you should know about them as well.

  1. Our Discord server is closed to the public at the time of this article’s writing. Only team members and mods can invite new folks. If you want to get back in after you left, or as a new holder that is seeking to stay informed, please connect with our main Twitter account, @Pillheads_NFT.
  2. We are limiting access for many things to our NFT holders only. Your support has been phenomenal during this time, in addition to the past months that brought us here! Access to any collabs, giveaways, and other “alpha” on our server will be restricted to Stacy brand holders at this time.
  3. While we will continue to expand our community, and seek new Pillheads to grow our family with, we will be narrowing our focus to our existing community, so that we can get to the next phases of our projects with less distractions. Stay tuned for our scheduled events, including our current Sweepathon!

Best Practices

You’ve seen it mentioned a thousand times by now, and now you’re going to see it again: How can we keep ourselves safe from this bullshit?

This list is not limited to practices that avoid the token-grabbing attack explained above; it covers safe practices in general, web3 included.

  • Turn on 2FA on Discord for your personal account(s) (and everywhere else tbh)
  • Change your passwords often - in the case of Discord, it will reset your user token every time
  • Do not click links that don’t look right (pillh34d5.fu is clearly not us FFS!)
  • Do not interact with minters/contracts that you are uncertain of
  • Disallow/turn off DMs from server members
  • Turn off DMs in general to achieve great zen
  • Check your Discord Server’s Integrations - especially webhooks
  • Double check your Twitter settings for connected apps; disconnect them if you don’t use them (why are you still connected to dingus-verse from a year ago?)
  • Use revoke.cash or etherscan’s token approval checker, to review and revoke allowances with contracts you’re unsure about. If you have free minted a moriegoblincatdwarf.wtf lately, maybe revoke that likely-rug’s rights to your wallet, and in case you got there with a shady link in the first place, maybe reset your passwords.
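What revoke.cash and Etherscan’s approval checker actually do for you is two ERC-20 calls, which this added example (mine, not code from the post or from either tool) builds by hand: read allowance(owner, spender) with eth_call, and, for any non-zero allowance to a spender you do not trust, prepare the approve(spender, 0) transaction your wallet then signs. The function selectors are the standard ones; they are hard-coded because Python’s standard library has no keccak256. Every address and allowance value below is a constructed placeholder.

```python
# Added example, not from the original post: the two ERC-20 calls behind
# "check and revoke allowances". Selectors are the first 4 bytes of
# keccak256 of the signature, hard-coded because the stdlib has no keccak.
# Token, owner and spender addresses below are constructed placeholders.
SEL_ALLOWANCE = "dd62ed3e"  # allowance(address owner, address spender) -> uint256
SEL_APPROVE = "095ea7b3"    # approve(address spender, uint256 amount) -> bool
UNLIMITED = 2**256 - 1      # the "infinite approval" many minters ask for


def _addr(addr: str) -> str:
    """Validate a 20-byte hex address and ABI-encode it (left-padded to 32 bytes)."""
    h = addr.lower().removeprefix("0x")
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a 20-byte hex address: {addr}")
    return h.rjust(64, "0")


def _uint256(n: int) -> str:
    if not 0 <= n <= UNLIMITED:
        raise ValueError("out of uint256 range")
    return f"{n:064x}"


def allowance_calldata(owner: str, spender: str) -> str:
    """Calldata for the read-only allowance check."""
    return "0x" + SEL_ALLOWANCE + _addr(owner) + _addr(spender)


def revoke_calldata(spender: str) -> str:
    """approve(spender, 0): the transaction revoke.cash asks your wallet to sign."""
    return "0x" + SEL_APPROVE + _addr(spender) + _uint256(0)


def eth_call(token: str, calldata: str, request_id: int = 1) -> dict:
    """JSON-RPC body for a read-only call; POST it to any Ethereum node."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "eth_call",
            "params": [{"to": token, "data": calldata}, "latest"]}


def decode_allowance(result_hex: str, decimals: int = 18) -> dict:
    """Turn the 32-byte eth_call result into something a human can act on."""
    raw = int(result_hex, 16)
    return {"raw": raw, "unlimited": raw == UNLIMITED,
            "human": "unlimited" if raw == UNLIMITED else f"{raw / 10**decimals:g}"}


def plan_revocations(observed, trusted_spenders):
    """observed: [(token, spender, eth_call result hex)] as returned by a node.
    Returns the approve(spender, 0) transactions worth sending; the wallet
    (not this script) signs them."""
    plan = []
    for token, spender, result_hex in observed:
        if decode_allowance(result_hex)["raw"] == 0 or spender.lower() in trusted_spenders:
            continue
        plan.append({"to": token, "data": revoke_calldata(spender)})
    return plan


# Constructed placeholders: a token, your wallet, a known DEX router you keep,
# and the "free mint" contract from a shady link that got unlimited approval.
TOKEN = "0x" + "aa" * 20
OWNER = "0x" + "11" * 20
DEX_ROUTER = "0x" + "22" * 20
SHADY_MINTER = "0x" + "33" * 20
SAMPLE_OBSERVED = [
    (TOKEN, DEX_ROUTER, "0x" + _uint256(5 * 10**18)),   # 5 tokens, trusted spender
    (TOKEN, SHADY_MINTER, "0x" + "f" * 64),             # unlimited, untrusted
    (TOKEN, "0x" + "44" * 20, "0x" + "0" * 64),         # already zero
]

if __name__ == "__main__":
    print(eth_call(TOKEN, allowance_calldata(OWNER, SHADY_MINTER)))
    for tx in plan_revocations(SAMPLE_OBSERVED, {DEX_ROUTER}):
        print(tx)
```

Revoking only removes the spender’s right to move tokens from now on; anything already transferred under the old allowance is gone, which is why the list above says to revoke immediately rather than after the next rug announcement.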

I am confident things will get safer over time, and we will all get smarter, with experience. But in the meantime, we have to stay diligent when it comes to security online, and work together as a community to fight back against these malicious assholes who continue to take advantage of unsuspecting folks on the daily.

#takethepill

Thank you to our amazing community for checking in with us, and being supportive through this madness. At this time, I trust CFW more than anybody else, because he is fresh out of the nightmare of waking up to all of this. You know he will be the most diligent of us all moving forward. If we lived in the same region, we would all be giving him a massive hug for what he went through, and I urge you all to send him virtual hugs when you can as well.

We will be having further mitigation, and resolution discussions as we move forward, and look forward to continuing to connect with you all, as we move towards the next stages of this project. Please do not hesitate to ping me on Discord for technical breakdowns.

#IPWT

-Orb

Verification
This entry has been permanently stored onchain and signed by its creator.