It almost seems like every week there is a new NFT project falling prey to cyber criminals and NFT "grifters". So-called blue chip projects like the legendary Bored Ape Yacht Club have found themselves victims of multiple Million (capital M) dollar thefts that all stem from one primary attack vector: DISCORD.
Discord, the collaboration platform that has been the mainstay attraction for just about every NFT project in existence, has found itself in the crosshairs of every cyber criminal seeking to make a financial come-up. It should be mentioned that the purses being snagged in the NFT/Web3 space are much larger than the hacks of yesteryear. Multi-million dollar cash grabs are happening almost weekly in a market full of $$$$ but completely dry of any real information security hygiene and leadership.
Various media outlets like Vice News and The Verge have taken stabs at articulating their understanding of the core problem behind these attacks, but they are missing the mark on delivering something their readers can digest, something that encourages a paradigm shift in the reader's understanding of the real problem.
This is no slap at any of the very talented reporters doing the best work they can interviewing various "experts" about the crisis at hand, but when it comes to cyber exploitation there is always a facet of the exploit that goes untouched: the Root Cause Analysis. The reason for this omission is the lack of interest most readers have in dissecting the core of these problems; remember, the story is in the pain, not the pain relief.
That isn't to say there aren't some new-age web3 sleuths out there fighting the good fight, investigating the exploitation path and tracing the stolen money and NFTs to the best of their abilities. I must say there are 3 Twitter accounts that deserve a fedora hat tip for the astounding work they put into keeping the community (NFT Twitter) informed through the follow-the-money blockchain forensics they do daily.
Accounts like OkHotShot, Zachxbt, and CIA-Officer (no affiliation) are the Web3 scam investigators we favor and follow, doing the best work in blockchain intelligence and scam triage. Without the people behind these accounts, we can definitively say there would be MANY more victims of the NFT/Discord breaches taking place.
But even with these rockstars there is a problem that needs addressing: root-cause analysis. The 5 Ws (Who, What, When, Why, Where) are always valuable intelligence, but when it comes to the seemingly coordinated exploitation of Discord servers that results in multi-million dollar losses (both material loss and brand value depreciation), there is room for more focus on what is actually going on.
Most of us here at Black Alchemy Solutions Group come from 20-year careers with US intelligence agencies tracking, hunting or protecting the US from cyber terrorists. We also have an equal amount of experience managing large-scale information security programs in both public and private sector settings. The culmination of these experiences helps us understand the importance of identifying the "What is Wrong" in the most direct way possible.
In this case, with Discord & NFTs, we are now looking at a Red Ocean: a situation whereby the criminal equivalent of the bat signal has been turned on and is beaconing to everyone capable of exacting their cyber exploitation skills on the unsuspecting and under-prepared (from a digital security and infosec hygiene perspective) NFT project members, collectors and admirers.
While we can discuss the many reasons why Discord should NOT be used by any project without a proper Acceptable Use policy and strict, to the draconian extent, security controls like:
🎯 Ensuring the Discord environment for each project has a security baseline and a technical implementation standard
🎯 Ensuring each member with elevated privileges within the Discord environment has proper information security training and practices strict information security discipline (MFA)
🎯 Establishing a 3rd Party Code Approved Product List, which ensures that all 3rd party add-ons (like the infamous Ticket Tool, for which little to no code validation information is available) are approved ("whitelisted") before implementation
The real issue resides in the lack of information security leadership, awareness and acumen within the projects needed to steer them away from the open sea of risks at play.
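As an added illustration of the three controls above (example code written for this page, not the post's own or Discord's), a small Python baseline audit over a snapshot of a server: it flags a server that does not require 2FA for moderation actions, privileged members without MFA, and installed bots that are missing from the approved product list or hold Administrator. Field names loosely follow Discord's API; the snapshot, the per-member MFA flags and the app names are constructed.

```python
# Permission bits from Discord's permissions bitfield (real values).
ADMINISTRATOR = 1 << 3
MANAGE_GUILD = 1 << 5
MANAGE_ROLES = 1 << 28
MANAGE_WEBHOOKS = 1 << 29
PRIVILEGED = ADMINISTRATOR | MANAGE_GUILD | MANAGE_ROLES | MANAGE_WEBHOOKS
MFA_REQUIRED = 1  # Discord guild mfa_level 1: 2FA required for moderation actions

# Constructed sample server. Per-member "mfa_enabled" is an assumption (e.g. a
# self-attested roster kept by the project); Discord does not expose it for others.
SNAPSHOT = {
    "name": "Example NFT Project",
    "mfa_level": 0,
    "roles": {"Admin": ADMINISTRATOR, "Mod": MANAGE_ROLES | MANAGE_WEBHOOKS, "Holder": 0},
    "members": [
        {"name": "alice", "roles": ["Admin"], "mfa_enabled": True},
        {"name": "bob", "roles": ["Mod"], "mfa_enabled": False},
        {"name": "carol", "roles": ["Holder"], "mfa_enabled": False},
    ],
    # Installed third-party apps (bots) and the permissions they were granted.
    "integrations": [
        {"name": "Ticket Tool", "permissions": ADMINISTRATOR},
        {"name": "Verify Bot", "permissions": MANAGE_ROLES},
    ],
}
APPROVED_APPS = {"Verify Bot"}  # the project's approved product list (constructed)


def effective_permissions(guild, member):
    """OR together the permission bits of every role the member holds."""
    perms = 0
    for role in member["roles"]:
        perms |= guild["roles"].get(role, 0)
    return perms


def audit(guild, approved_apps):
    """Return (finding, subject) pairs; an empty list means the baseline is met."""
    findings = []
    if guild.get("mfa_level", 0) < MFA_REQUIRED:
        findings.append(("GUILD_MFA_NOT_REQUIRED", guild["name"]))
    for member in guild["members"]:
        if effective_permissions(guild, member) & PRIVILEGED and not member["mfa_enabled"]:
            findings.append(("PRIVILEGED_USER_WITHOUT_MFA", member["name"]))
    for app in guild["integrations"]:
        if app["name"] not in approved_apps:
            findings.append(("UNAPPROVED_APP", app["name"]))
        if app["permissions"] & ADMINISTRATOR:
            findings.append(("APP_HAS_ADMINISTRATOR", app["name"]))
    return findings
```

Running `audit(SNAPSHOT, APPROVED_APPS)` on the sample yields four findings; fixing the server's 2FA requirement, the moderator's MFA and the bot install brings it to an empty list.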
Here is a video our CEO made on his impression of the situation.
Well, that is all for tonight. Rest peacefully and stay centered. At the end of the day you are more important than the reality taking place around you.
Jasun Tate Namaste!
Remember, your peace, abundance and success are all only thoughts away. Keep your mind infused with the delights of life and your focus on being the best version of yourself possible. Everything else will fall in line when you do.