- Discord has come under attack after two Yuga Labs servers were breached over the weekend
- 200 ETH in NFTs was stolen from users after the community manager’s account was infiltrated
- A Yuga Labs co-founder blamed Discord but others hit back and said it was a permissions error
Discord has come in for criticism after the Yuga Labs server was breached and hackers managed to phish 200 ETH worth of NFTs. Some prominent members of the crypto community criticised the security of the platform for allowing hacks to be carried out so easily while others blamed the admins, pointing to simple security measures that they can follow in order to minimise such activity.
Yuga Labs Discord Servers Breached
Yuga Labs announced on Saturday evening that Discord servers belonging to the Bored Ape Yacht Club and the Otherside metaverse were breached, with 200 ETH in NFTS stolen. Blockchain analyst OKHotshot (@NFTherder) reported that the breach occurred when community manager Boris Vagner was targeted with a phishing attack, which allowed the hackers to post a giveaway:
🚨BAYC & OtherSide discords got compromised‼️
Seems because Community Manager @BorisVagner got his account breached, which let the scammers execute their phishing attack. Over 145E in was stolen
Proper permissions could prevent this pic.twitter.com/lCl2DfZQ0W
— OKHotshot (@NFTherder) June 4, 2022
It’s clear that Vagner’s position of trust encouraged many to buy into the scam, losing their NFTs in the process, although the ‘giveaway’ offer should have raised some suspicions, given the fact that the Bored Ape Instagram account was hacked just six weeks ago, with $2.5 million worth of NFTS stolen.
This hack is the latest of a number that have used Discord as the medium of attack, with OKHotshot pointing to 70 Discord attacks that took place in May alone. This led to Yuga Labs co-founder GordonGoner.eth (@GordonGoner) laying the blame at Discord’s door:
Discord isn’t working for web3 communities. We need a better platform that puts security first.
— GordonGoner.eth (@GordonGoner) June 4, 2022
However, this assessment was quickly rebuffed by many in the community who pointed to a lack of understanding of Discord’s permissions being the reason why Discord servers are continually being hacked:
How to never get your discord hacked:
– only allow a single bot to post announcements
– post announcement on-chain
– the bot reads messages from on-chain and reposts them in discord
Please send tip if you implement this idea and save your users from getting hacked.
— cory.eth (@cory_eth) June 4, 2022
Indeed, it does seem that Discord isn’t the culprit here – if that was the case then Instagram and Twitter must be held equally liable for the hacks that take place on their platform, which clearly points to a user issue rather than a platform-based one.
At the end of the day, whatever the platform, the fundamental rules are the same – big projects like Bored Ape Yacht Club don’t announce giveaways out of the blue, so you should be instantly suspicious if you see one and investigate before you click on anything.