Dynamo Coin Discord Security Incident

Background

On Saturday June 11, 2022, Discord credentials for the owner of the Dynamo Discord server were compromised which resulted in the Dynamo Coin Foundation’s loss of control of the server. Community members quickly worked together throughout the day to restore the community in a new Discord server. As of the writing of this article there were no known direct financial losses associated with the security event.

Timeline

At approximately 3:30pm eastern on Friday June 10, 2022 a social engineering attack was initiated against the owner of the Discord server. The attack originated from a trusted individual whose account had been compromised. Using that individual’s DMs the attacker was able to create a detailed narrative including using a shared Google Drive link which was password protected that the target had used with the individual previously.

At approximately 4:30pm eastern the malware payload was transmitted to the target however it was not immediately executed.

At approximately 3:30am eastern on June 11, 2022 the malware was executed on the target machine and the target’s Discord credentials were compromised, however it was not readily apparent. Although the target’s Discord had 2FA enabled this was circumvented by the malware which is a known exploit on the Discord client. The target’s machine was powered down shortly after. No credentials related to Dynamo Coin were entered into the computer at any time after the compromise.

At approximately 9:15am eastern the target was contacted by several individuals indicating that they had been targets of hacking from the target’s Discord account.

Actions we took

As soon as the compromise was discovered the Dynamo Foundation team began coordinating with the community to mitigate damage to the project.

Although the Discord credentials that were compromised were not shared with other accounts, the Dynamo Coin Foundation took several precautionary steps:

> All AWS console passwords were changed. 2FA has always been enabled.

> All AWS Windows instances administrative passwords were changed.

> All Ubuntu port 22 access was revoked if open

> All Metamask/BSC wallet keys were rotated

> A review of all relevant DMs with the target’s account was performed and messages were deleted

> The NFT and Discord wallet bot servers were shut down

> Security breach reports were filed with Discord and associated bot developers

> All references to the old discord links were changed on all socials

> Social announcements were promptly posted informing the community of the hack and directing people to the new Discord community

> The owning account of the new Discord server is a “break glass” account which will not be used for any purpose and all communication with that account will be ignored

>The target’s infected computer was destroyed including motherboard, all GPUs, m.2, keyboard and mouse.

What we will do going forward

Lack of support from Discord is a significant security issue. The inability to get real time support for a security breach is an unacceptable risk. Accordingly we will cease any reliance on Discord for any internal technical communications, especially DMs. The use of a break glass account as the server owner should mitigate the risk of losing control of the server again, however that is no guarantee.

We will institute a policy that no executable can be installed from any location other than the public Dynamo github repo.

Dynamo coin technology assets will be airgapped from personal computers for Dynamo developers.

Dynamo coin will investigate and implement a chain based chat mechanism which will use private key encryption and full nodes as relays in order to eliminate reliance on Discord, particularly for important community messages.

Conclusion

The Dynamo Coin Foundation takes full responsibility for this security breach and will reimburse any entity which suffers financial loss as a result of it. Security incidents are a fact of life, however it is important to learn and evolve when they do happen. In May 2022 there were 70 reported Discord server takeovers of NFT projects alone, including notable companies like OpenSea and Bored Ape where users experienced significant financial losses. Discord is clearly a large and vulnerable attack surface.

Discord is a prerequisite for any modern crypto project. Community members expect that projects will have either a Discord or Telegram group where they can get updates and contribute to the conversation. In this context, it is a necessary evil with significant security risks that need to be actively mitigated. The Dynamo Coin Foundation will continue to support a Discord group, however we will reduce our reliance on it by creating alternate, parallel technologies that enhance the security of the community and remain true to the decentralized nature of the project.

Dynamo Coin is backed by a group of technology professionals who are committed to the continued success of the project. The robust community includes many vested entities who are here for the long term. Although this incident was disruptive, the blockchain technology remains entirely decentralized and was not impacted in any way which is one of the core promises that Dynamo, and blockchain generally, strives to deliver on.