May 19, 2022
On May 18th, 2022 at approximately 01:32 AM UTC the CyberConnect Discord server was compromised, along with a number of other popular Web3 servers including Axie Infinity, Moonbirds, and RTFKT. The hack occurred as a result of the popular Discord moderation bot called MEE6 being compromised. After taking control of the CyberConnect moderation bot, bad actors posted a phishing link encouraging community members to claim an airdrop.
Community members who clicked that link, approved the contract, and attempted to claim token airdrop, unknowingly gave the hackers control of their wallets leading to, in many cases, a loss of funds and NFTs. While our team was able to take back control of the server within 14 minutes, a number of community members had already been affected.
In this post, we detail how the attack transpired, our efforts to enhance security, and how we plan to help affected community members.
While our team continues to investigate the incident in its entirety, the common denominator amongst all of the hacks was the MEE6 moderation bot.
https://twitter.com/mee6bot/status/1526901242521432065?s=20&t=l9_887wPMxyepdE5zFc8qg
It has been determined that a MEE6 employee’s account was compromised, allowing a group of bad actors to target prominent Discord servers such as CyberConnect. They were able to achieve this by manipulating the MEE6 bot to create a server admin reaction role, which would then be used to grant admin access to the hacker’s account. After this, they set up a new bot that posted the phishing link and kicked all mods from the server.
We also have reason to believe that one of our server admins had their account previously compromised. This may have been a contributing factor to what happened in the CyberConnect server.
In this particular case, one of our server admins was approached by a bad actor disguised as a community member with a partnership offer and asked to join the team’s server to discuss further. Upon joining the server, the admin was presented with a fake verification bot. By interacting with the fake bot, the admin’s Discord token was stolen. This enabled the hackers to bypass the admin’s password and 2FA helping them gain control of the account. This is possible due to Discord’s unsafe practice of storing user tokens in the local storage.
Such cases of deception are growing at a rapid pace. You can read more about how social engineering is being used in a malicious manner here and how to protect yourself.
We strongly recommend you never click on any unknown links and avoid interacting with bots you can’t confirm are legitimate and working as intended.