Discord Recovered

THORWallet
3 min readAug 30, 2023

--

Dear Community,

I think by now you are aware that our discord server got compromised. This was a discord issue only and had no connection to the mobile wallet or webapp. I will shed some light on what happened:

Wednesday, I was asked to join a Discord server to discuss a news piece on streaming swaps. As I actually have a legitimate interview coming up, this was nothing out of the ordinary. I was asked to verify that I’m a human and not a bot on a third-party website. I proceeded but felt that this was odd. I went to my Discord account settings and, yes, I saw a new connection that should not be there. Discord has a disconnect & revoke function, I proceeded to do both. I never joined that Discord and blocked that individual.

Friday 2:59 am, I was called out of sleep by some contacts who have my phone number that suspicious behavior is going on in Discord. After a first overview, I realized I was locked out of my Discord account, although I have 2FA in place. I informed the community at 3:07am via Twitter and Telegram. The message was broadcasted by various friendly players. After further investigation I discovered that the removal & revoke function of Discord did not remove or revoke the authentication token. The “login token” was still active and an impersonator was able to post a malicious link to an impersonator website. The impersonator was able to remove all real admins and make himself an admin.

Since many immediately recognized that I was compromised, they reported my account, hence I was locked out (thank you). The procedure to restore was as followed:

1. Reset the password (via “forgot your password”) to revoke the login token

2. Kick out the impersonator admin with the Discord owner role

3. Establish normal operation

Unfortunately, for a reason unknown so far, Discord time banned me from resetting my password, making an immediate recovery impossible. Also the timeban did not disclose the timezone used.

Teams of friendly projects that had working hours supported me as they were not yet kicked out by the scammer. I opened three tickets via the Discord support website to unban the reset password function.

According to their Twitter and Facebook accounts, there is no other way than to wait for the ticket team to respond. Also, there is no paid express support function. By now, a further team member with access to the Thorwallet notification system woke up and sent an additional push notification through the wallet. A function we implemented roughly 2 weeks ago and unfortunately is not yet widely spread, as not all have updated their app.

After the timeban to reset the password has expired (approx 24h) the login status changed from banned to disabled. A disabled account can only be enabled again with the support team of Discord, which meant, we had to wait for a response and then continue with the procedure above. The Discord support team answered on Monday at 3:30pm.

We have taken countermeasures where possible (sleeping/cold owner), that increase the recovery speed of such an unfortunate event in the future. Also we want to highlight that this was a human interaction with discord and does not relate to the wallet or webapp.

Crypto and being non-custodial DeFi is harsh. It is about individual responsibility. How to protect?

  • Have 2FA on your accounts
  • Don’t answer any DMs ever (sometimes hard if you build a product, but easy as a user)
  • If you are a discord owner, separate owner as sleeping account (won’t prevent, but makes recovery faster)
  • Cross check the domain where you go to (is it the official domain?)
  • Check the info on multiple sources (TG, Twitter, Discord, official Website)
  • Don’t connect your account to unknown apps / understand what you sign
  • If something is to good to be true, it’s a scam
  • In case of an emergency you are on your own, response time of discord is min. 72h

I’d like to highlight that we take such events very seriously. We understand that transparency is crucial in maintaining trust. Our commitment to learning from these situations and adapting to emerging threats is unwavering.

After another long day,

Marcel

--

--

THORWallet
THORWallet

Written by THORWallet

Swap. Save. Borrow. Spend. // Non-custodial // DeFi

No responses yet