Common Threats and How to Stay Safe in NFT Discord Servers
You will get attacked.
Yes, you. If you have any perms in an NFT Discord, you have a $100,000 bounty on your head, and you don’t even know it.
If you care, and want your community to be protected, read every step in this guide.
I had a different introduction for this post, but my pal @jon_hq came up with the simply amazing little blurb above and I couldn’t resist adding it. Thanks, Jon! 😁
Below, you will find some common threats that are VERY routinely found in Discord, targeting the NFT space and the degens within. They’re relentless, they’re sneaky, they’re always going to come up with new and better ways to scam you out of your money — and the minute that you become complacent and think you’re safe is when you’ll be most likely to become their next victim. There are a LOT of things in here aimed at mods, but the majority of it applies to *anyone* that uses Discord for their NFT socializing. And, while it is meant primarily for Discord, a fair number of these things could equally apply to Twitter, so bear that in mind while reading.
(As I was putting the finishing touches on this article, I watched a server hack unfold on Twitter over the space of several hours. At the time of this writing the scammers had already walked away with 63Eth (so far). If that doesn’t convince you to read this, I’m not sure what else can! Be careful folks, it’s dangerous out there.)
A. Social Engineering
Social Engineering is the term used for a wide range of malicious attacks, accomplished through human interaction. A user can be psychologically manipulated into making security mistakes or giving away sensitive information, which usually results in wallets being drained, Eth being sent or fake NFTs being minted. This is the most common type of scam that takes place within a Discord server. Hundreds of links are sent in DMs throughout the day by members shilling what they claim are new projects. These also take the form of stealth mints that happen at the drop of a hat, or simply asking others to authorize a wallet signature to gain entry to a WL raffle.
Discords are also increasingly being compromised by sophisticated Social Engineering attacks, usually when mods or admins unknowingly click links that compromise their accounts. The most recent form of this scam (also called a phishing attack) is a message to the target mod/admin offering them a job with a supposed project, together with an invitation to the Discord server they’re being asked to help with.
Also be on the lookout for fake verification bots! A legit verification bot (most common are Server Captcha Bot and Wick) will have a blue [✓BOT] icon after its name — an UNverified bot will not have the checkmark. If you click on a link from an unverified bot (Captcha, Collab, etc), BE SURE to read the link popup you’re given by Discord.
To ensure you’re talking to the real bot, i.e. the same one you see in every server, you can leave a personal note on the bot’s profile. Right click or press/hold on the bot’s name and bring up the profile card. Do this in a server you are already familiar with and know is safe! At the bottom of the profile is a ‘note’ section (this works with friends/mods too, so you’ll always know it’s the real one!). You can leave whatever message you want to; the person you’re leaving it on can never see it. If you do this on all the ‘real’ server bots, they’ll show the same message in every server, in a DM, etc. If you put a note on all the mods in a server, it will be the same in DMs too! So if you ever get a message from a mod and you know you put a note on them… and it’s not there? It’s *probably* a fake!
Commonly found Discord server-based attacks
1. Member in a community sends you a DM link to a “free mint” site. Pretty sure you can get that link from somewhere legit, if it’s even real…
2. Member in a community sends you a link to “sign up for WL” or raffle. Totally believable!
3. DM from an unknown member asking you to follow a link, claim a prize, hurry to a secret mint or server or alpha group. Just out of the goodness of their heart, right?
4. DM from an unknown member, from an unknown project — “Hey, you’re quite well known in the space, would you like a paid Mod job? Join this Discord!” This is becoming FAR more common and usually results in a Discord being compromised, often without the mod even knowing it has happened until it’s already too late. The money is definitely too good to be true! If you get a message like this, go search on Twitter for their project name — you’ll likely find a whole bunch of posts from people saying “this guy from NFTCentral/DecipherNFT/etc just tried to scam me!”
5. Within a compromised Discord, a fake announcement is posted (sometimes via a bot) to notify members that suddenly a stealth mint is live or a new collection has dropped, immediately sending hundreds of users to a scam mint site. Eth/NFTs stolen, wallets compromised, channels deleted, users kicked/banned for trying to spread the warning. BE SURE to read the previous announcements when you join, and pay attention to the ones that say “we will never post a secret mint!”. Please believe the mods when they repeat this, and if you ever DO see a ‘secret mint!!’ pop up in an announcement channel… don’t click the link. (This was the case in the hacked server at the beginning of the article, actually).
6. Were you banned from a server for something you know you didn’t do?? If you get banned and then a mod messages you shortly after (maybe immediately, maybe a couple days) and says “You were scamming people in DMs! I banned you. We’ll let you back in, but first you have to prove you didn’t do it. We need you to screenshare with us…” Do NOT fall for this. It doesn’t matter if you’re REALLY sure it’s a mod from the server you were banned from — no mod from any server you want to be in will DM you and ask you to screenshare.
Not only is this 100% a scam to try and steal your Discord login token (and thus your entire account), the vast majority of server mods have *no clue* how to use the Discord console to check your sent message logs or find anything else that could conceivably clear your name. This also goes for the web version of Discord, do NOT ‘inspect element’ on Chrome/Firefox etc at the request of some server mod who assures you they mean well. There is no reason, NONE, ZERO!!! Literally no reason that you should EVER screenshare with someone telling you to do it for something like this, no matter how bad you want to be in that server. Ask a friend for help, a mod in another server you trust, whatever — but do NOT give in to their demands.
7. NEVER TRADE NFTs in DMs!! Don’t believe someone who is bringing a “mod” to help/watch/do escrow — it isn’t worth the risk! Use nfttrader.io if you’re trading off marketplace. This site DOES NOT USE LINKS. Do NOT accept a link from someone that looks like it goes to nfttrader.io! All you do is go to the website yourself and log in, and the other party will be able to do the same and link up with you from their end. Do NOT click nfttrader links from a DM! Again — if you’re not sure, if you’re trading something expensive… get someone who knows to help you make sure it’s legit.
B. Phishing
Phishing is the biggest threat to cyber security today. No matter how careful you are, some phishing attacks are so sophisticated that they can trick even the most trained eye. Phishing usually comes in the form of an e-mail that looks like a legitimate e-mail from the company being impersonated. It presents a link to the end-user which, when opened, looks like a carbon copy of the site being cloned. The only difference is that the site you’re now on is logging your every move and can steal passwords or sensitive information, or even make you sign away all your assets without you realizing.
An example of this is the recent OpenSea phishing scam. OpenSea recently announced they were migrating their contracts to a new standard. A Phishing scam was created by an intrepid scammer about 30 days prior to the migration, and users were sent an email asking them to “Click here to migrate contracts”. Without hesitation, over 30 people followed the scam e-mail and went to the cloned version of OpenSea, signed messages to “migrate contracts” not realizing they were signing a custom-made contract which essentially gave the hacker access to their entire wallet when activated a couple of days before the actual migration. Hundreds of Eth worth of NFTs were stolen, mass chaos ensued, the entirety of Discord and crypto Twitter was sent into a blind panic.
C. Free Nitro Codes
We all love a freebie, but a malicious attacker might send you a friendly message or link offering you a free nitro-code. If someone you don’t know is offering you something for free in exchange for nothing, it’s likely a trap. Also, make sure if you get one of those links from a friend that it’s genuine, and not that they’ve had their account compromised. Does the link *really* point to Discord? Or does it point to “discrod” or “dicsord”…
Discord does sometimes offer free codes, but these will always and ONLY be through official channels. Regardless — is clicking on that link in your DM for free Nitro (which costs maybe $10?) worth everything in your wallet? Probably not.
D. Compromised Minting D-Apps
When a project mints out, its minting d-app is sometimes left online unmaintained, and over time it becomes outdated and vulnerable. That gives hackers the opportunity to inject malicious code into the site, which lets them reach the wallets of users who never disconnected after minting, because the approval granted for the mint is still open and valid. With that approval, hackers can drain those wallets of Eth. ALWAYS disconnect your wallet after minting.
Use https://etherscan.io/tokenapprovalchecker to revoke any unrequired approval tokens. Check once a week or after a mint to ensure that anything you don’t need has been revoked. Polygonscan similarly has this function. Another very useful site is revoke.cash (Eth only). Also Debank.com, while slightly more complex, is a very good site to keep bookmarked — this link explains how to use their token approvals checker: https://wiki.rugdoc.io/docs/how-to-revoke-permissions/#1-toc-title
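As an added example (not from the original post or from any of the checker sites above) of what an approval checker like the ones in this section and tip 13 actually does: replay a wallet’s ERC-721 `ApprovalForAll` event logs in chain order so that a later revoke cancels an earlier grant, list the operators that are still approved, and build the `setApprovalForAll(operator, false)` calldata that revokes one. The log records, wallet and contract addresses are constructed for the example; the event topic and function selector are the standard ERC-721 ones.

```python
"""Rebuild which operators still hold setApprovalForAll rights over a wallet
from ApprovalForAll logs (the shape eth_getLogs returns), then build revoke calldata."""

# keccak256("ApprovalForAll(address,address,bool)") - the event an approval checker scans for
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # keccak256("setApprovalForAll(address,bool)")[:4]


def _topic_to_address(topic: str) -> str:
    """Indexed address params are left-padded to 32 bytes; the address is the low 20."""
    return "0x" + topic[-40:].lower()


def active_approvals(wallet: str, logs: list[dict]) -> list[tuple[str, str]]:
    """Replay logs in chain order; the last write per (collection, operator) wins.
    Returns the (collection, operator) pairs that are still approved."""
    wallet = wallet.lower()
    state: dict[tuple[str, str], bool] = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if len(log["topics"]) != 3 or log["topics"][0].lower() != APPROVAL_FOR_ALL_TOPIC:
            continue
        if _topic_to_address(log["topics"][1]) != wallet:
            continue  # someone else's approval
        operator = _topic_to_address(log["topics"][2])
        approved = int(log["data"], 16) != 0  # the bool is ABI-encoded as one 32-byte word
        state[(log["address"].lower(), operator)] = approved
    return sorted(pair for pair, approved in state.items() if approved)


def revoke_calldata(operator: str) -> str:
    """ABI-encode setApprovalForAll(operator, false): selector + padded address + zero word."""
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + operator[2:].lower().rjust(64, "0") + "0" * 64


# Constructed sample data: one approval to a mint d-app left open, one granted then revoked.
WALLET = "0x" + "aa" * 20
MINT_DAPP = "0x" + "11" * 20
MARKET = "0x" + "22" * 20
COLLECTION_A = "0x" + "a1" * 20
COLLECTION_B = "0x" + "b2" * 20
_pad = lambda addr: "0x" + addr[2:].rjust(64, "0")  # encode an address as an indexed topic
SAMPLE_LOGS = [
    {"address": COLLECTION_A, "blockNumber": 100, "logIndex": 3,
     "topics": [APPROVAL_FOR_ALL_TOPIC, _pad(WALLET), _pad(MINT_DAPP)], "data": "0x" + "0" * 63 + "1"},
    {"address": COLLECTION_B, "blockNumber": 101, "logIndex": 0,
     "topics": [APPROVAL_FOR_ALL_TOPIC, _pad(WALLET), _pad(MARKET)], "data": "0x" + "0" * 63 + "1"},
    {"address": COLLECTION_B, "blockNumber": 107, "logIndex": 5,
     "topics": [APPROVAL_FOR_ALL_TOPIC, _pad(WALLET), _pad(MARKET)], "data": "0x" + "0" * 64},
]

if __name__ == "__main__":
    for collection, operator in active_approvals(WALLET, SAMPLE_LOGS):
        print(f"still approved: {operator} on {collection}; revoke tx data: {revoke_calldata(operator)}")
```

The same replay works for ERC-20 `Approval` events, where `data` carries the allowance amount instead of a bool; the revoke there is `approve(spender, 0)`.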
How to stay safe: A quick list of tips to remember!
1. Use STRONG passwords. Minimum 12 characters, include special characters and numbers. Change regularly. If you DO fall for one of the scams listed here — immediately change your Discord password, it’s the ONLY way to break a stolen login token!
2. Enable 2FA in Discord, e-mail accounts, anywhere you can. Get an authentication app (Google or Authy). Write down their backup phrases on PAPER and store them somewhere safe, do NOT keep screenshots on your phone/computer.
3. ALWAYS disconnect your MM (MetaMask) from a site after connecting to mint. DO NOT FORGET! Periodically check your wallet to make sure you didn’t leave any sites still connected.
4. Never click unknown links from suspicious sources. Pay attention to the URL. Make sure it’s “opensea.io” and not “opensea.com”, etc.
5. Never authorize or sign wallet messages without being 100% sure you know what you’re signing.
6. If something looks too good to be true, it’s probably a scam. If you aren’t sure — ask some other degens for help!
7. Be wary of tempting offers, even from friends — confirm it’s really them and not a hacked account.
8. Keep high-value assets in a cold wallet and keep it OFF the internet. Write down your seed phrase on paper (or etch in metal!) and store it somewhere safe and secure — DO NOT keep a screenshot on your computer or phone!
9. Change your Eth wallet often, use burners if you’re unsure of the security of a site.
10. Never join suspicious Discord servers and confirm the invite you’re clicking is legit. Look to see if they have a healthy Twitter account, if you have mutual friends in the server, and that the verification bot is one with a checkmark. [✓BOT]
11. Always validate the source of an email is legit. If you don’t know how to inspect email headers — Google it to learn how!
12. Rather than clicking links from within an e-mail, open your browser and go to the project’s official website.
13. Use token approval checkers to make sure there’s nothing weird connected to your account that you don’t remember signing.
14. This shouldn’t ever need to be said, but here we are — NEVER. EVER. ENTER. YOUR. SEED. PHRASE. INTO. MM. WHILE. BROWSING. If you are importing a wallet for the first time, SURE! But if you’re just out and about on the internet, browsing, looking at a new mint, and you get a popup from MM saying ‘oh gosh, we’ve lost your seed phrase, kindly reenter it for us!’ NOPE, GO BACK. You can *always* go to a safe site (does NOT have to be a web3 site!), even just a blank page, and check that your MM account is how it should be. If YOU are not initiating a new wallet import — don’t even THINK about putting that seed phrase in.
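As an added example (not from the original post), a small link-screening helper for the lookalike checks in section C and tip 4: it flags hosts that merely embed a known brand (opensea.com, opensea.io.evil.com), swapped-letter near-misses like discrod.com, credentials hidden before an @ so the link reads as a real site, and punycode hosts. The allowlist of hosts and the two-label registrable-domain shortcut are assumptions of this example, not anything from the post.

```python
from urllib.parse import urlsplit

# Assumption for this example: the hosts the post tells you to type in yourself.
KNOWN_HOSTS = {"discord.com", "discord.gg", "opensea.io", "nfttrader.io", "etherscan.io", "revoke.cash"}
BRANDS = {h.split(".")[0] for h in KNOWN_HOSTS}  # "discord", "opensea", ...


def _osa_distance(a: str, b: str) -> int:
    """Edit distance where swapping two adjacent letters (discrod/discord) costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def classify_link(url: str) -> str:
    """Return 'known', 'lookalike', 'suspicious: ...', 'unknown' or 'invalid'."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    if parts.username is not None:
        return "suspicious: credentials in URL"  # https://opensea.io@evil.com reads as opensea.io
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious: punycode host"  # internationalized letters that imitate ASCII ones
    if host in KNOWN_HOSTS or any(host.endswith("." + k) for k in KNOWN_HOSTS):
        return "known"  # exact host or a real subdomain of it
    if any(brand in host for brand in BRANDS):
        return "lookalike"  # brand name embedded where it does not belong (opensea.io.evil.com)
    registrable = ".".join(host.split(".")[-2:])  # crude two-label cut; no public-suffix list here
    if any(_osa_distance(registrable, k) <= 2 for k in KNOWN_HOSTS):
        return "lookalike"  # a typo or swapped letters away from a real host
    return "unknown"


if __name__ == "__main__":
    for link in ["https://discord.gg/abc", "https://discrod.com/nitro", "https://opensea.io@evil.com/"]:
        print(f"{classify_link(link):32} {link}")
```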
THE END! Hopefully.
(Note — I snatched a large part of this from an alpha Discord server and unfortunately don’t recall which one at this point. I’ve changed quite a few things and added some others, but all in all found it to be a really great guide and wanted to share it for mass consumption!)
Please feel free to get in touch with me if you see something here that doesn’t quite look right or make sense, and I’d be happy to explain it or update it! You can find me on Twitter here: @plumferno
Another really awesome person to follow for security info is @jon_hq on Twitter. He wrote the amazingly accurate doom & gloom intro to this article. Here’s one of his recent security-based Tweets: