Discord Post Mortem

We decided to conduct a post mortem on our recent Discord exploit, which has now been resolved. We extend our deepest apologies for the disturbance and inconvenience this has inflicted on our amazing community.

The incident began on Tuesday, 27 June, at 15:16 UTC and lasted approximately two hours.

Our primary objective is to provide comprehensive information on this incident to our community members and to develop a resolution plan which prioritizes those who have suffered financial losses, as well as implementing enhanced security measures for our Discord server moving forward. Additionally, we aim to educate and raise awareness on the subject.

Given the integral role that Discord plays as the hub of our community, we are deeply disheartened by these unfortunate circumstances. With the notable growth we have experienced recently, our platform has inadvertently attracted unwanted attention from malicious parties.

We recognize the importance of transparency, especially in situations such as this. Rest assured, we are committed to ensuring you are fully informed about the incident and our subsequent response actions. We believe our valued community members have the right to be informed of all details surrounding the incident and we are dedicated to maintaining this transparency throughout the resolution process.

How Did It Happen?

A team member fell victim to a malicious phishing attack, which granted unauthorized access to our server. The attacker subsequently posted nefarious links in our announcements channel, which led to some of our members' wallets being drained.

The attack was sophisticated and targeted at the team member who posts our announcements, which lent trust and credibility to the malicious link that was shared. Our roles at the time only allowed Faisal (CEO) master access over other members, and when the hack took place he was flying to a crypto conference in Hamburg, Germany, with no internet access.

Our team will be engaging with local law enforcement agencies to report this exploitation. We are currently formulating a strategic plan to compensate our community members who were adversely affected by this incident.

The attacker was able to maintain unauthorized access for an extended period, due to our CEO’s unavailability online. The total duration of this unauthorized access to our server lasted approximately two hours. While resolved reasonably quickly, we’re committed to finding a new solution which avoids these types of events altogether.

This attack was not a consequence of a basic email breach or a lack of two-factor authentication (2FA). We are committed to providing a detailed account of how the incident transpired:

1. A Discord user posing as a team member from CoinTelegraph reached out to one of our core team members, asking to write an article about Entangle.

2. An invite link to a Discord channel was shared, where the writing points for the article featuring Entangle would be discussed.

3. To "verify" before joining the Discord channel, our team member was instructed to drag and drop a link into his browser bookmarks and use it. That bookmark contained script that ran against the Discord web app (a so-called bookmarklet), which is how the attacker gained access to his Discord token.

4. A Discord token grants full access to the account it belongs to, without needing to sign in with an email and password or to pass 2FA.

5. After gaining access to the team member's account, the attacker proceeded to post malicious links in the announcements channel about claiming an airdrop.

6. The airdrop link was a phishing scam which allowed full access to users' wallets once the token transaction was approved.

Our team member executed all necessary protocols to disconnect his account from the attacker by revoking the Discord token. Under normal circumstances, such an action would have immediately resolved the situation. However, the attacker had multiple accounts within the Discord server, to which they had granted unauthorized moderator access.

As a result, they were able to maintain unauthorized access for a duration significantly longer than would typically be feasible. Our security team was tasked with individually banning dozens of new members who had joined via the malicious links. These new members were illicitly assigned high-level roles, enabling them to gain administrative privileges within the server.
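As an added example (not code from Entangle or the original post), here is the triage the paragraph above describes, in Python: given an exported member list and the server's role definitions, flag members who joined during the incident window and hold a role carrying elevated Discord permissions, so they can be reviewed and banned as a batch rather than one by one. The permission bit values are Discord's; the member and role records, and the year in the incident window, are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Discord permission bits that let a holder act on other members or the server.
ELEVATED = {
    "KICK_MEMBERS": 1 << 1, "BAN_MEMBERS": 1 << 2, "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4, "MANAGE_GUILD": 1 << 5, "MENTION_EVERYONE": 1 << 17,
    "MANAGE_ROLES": 1 << 28, "MANAGE_WEBHOOKS": 1 << 29,
}

@dataclass(frozen=True)
class Role:
    name: str
    permissions: int  # bitfield, as Discord serialises it

@dataclass(frozen=True)
class Member:
    user_id: str
    joined_at: datetime
    roles: tuple  # names of roles held

def elevated_bits(role):
    """Names of elevated permissions a role grants (ADMINISTRATOR implies all)."""
    if role.permissions & ELEVATED["ADMINISTRATOR"]:
        return ["ADMINISTRATOR"]
    return [name for name, bit in ELEVATED.items() if role.permissions & bit]

def flag_suspect_members(members, roles, window_start, window_end):
    """Map user_id -> sorted elevated permission names, for members who joined
    inside the incident window and hold at least one elevated role."""
    by_name = {r.name: r for r in roles}
    flagged = {}
    for m in members:
        if not window_start <= m.joined_at <= window_end:
            continue  # joined before or after the incident: not part of this sweep
        perms = sorted({p for r in m.roles for p in elevated_bits(by_name[r])})
        if perms:
            flagged[m.user_id] = perms
    return flagged

# Constructed sample data. The 15:16 UTC start and two-hour duration come from
# the post; the year (2023) is an assumption.
WINDOW_START = datetime(2023, 6, 27, 15, 16, tzinfo=timezone.utc)
WINDOW_END = WINDOW_START + timedelta(hours=2)
ROLES = [Role("Admin", ELEVATED["ADMINISTRATOR"]),
         Role("Moderator", ELEVATED["KICK_MEMBERS"] | ELEVATED["BAN_MEMBERS"]),
         Role("Member", 1 << 10 | 1 << 11)]  # VIEW_CHANNEL | SEND_MESSAGES
MEMBERS = [Member("100", datetime(2022, 3, 1, tzinfo=timezone.utc), ("Admin",)),
           Member("200", WINDOW_START + timedelta(minutes=20), ("Member",)),
           Member("300", WINDOW_START + timedelta(minutes=35), ("Moderator", "Member")),
           Member("400", WINDOW_START + timedelta(minutes=50), ("Admin",))]
```

Only members 300 and 400 are flagged: 100 predates the incident, and 200 joined during it but holds no elevated role.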

Our experienced security team ensured the attackers did not last long inside our server.

We’ll update the community with a resolution to members who have lost funds in the following days. We appreciate the ongoing support and patience.