On Saturday, October 7th at 12:39 a.m., a bad actor gained access to an active User session for Discord account $decimalist belonging to Nate Minton, a Project Manager working with Indigo Labs. Nate fell prey to a bad actor reaching out to him early last week, portraying themselves as someone Nate met recently IRL. The bad actor asked him to join a Discord server to continue talking to the “team” of that server, “The Daily Hodl”. Not noticing anything out of the ordinary, Nate joined the Discord server and through the verification steps, his account was compromised by a Discord verification bookmark exploit which allowed a bad actor to gain access to a user’s session without requiring login credentials or 2FA. Krebson Security has done a great job of breaking down in the post below exactly how this attack works and how frequently it takes place: https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
Once the Discord account was compromised, the bad actor(s) waited until 12:39 a.m. EST when Nate was unlikely to be at his PC to target the Indigo Protocol Discord. They started by granting themselves any roles they would find useful in their attack and by removing the roles of some of the Indigo Labs team. Next, they began banning some of the mods, and other members of higher-role groups like the PWG, or TWG. They then managed permissions of the announcements channel and prepared to put out a false airdrop announcement that linked to a wallet drainer for Ethereum ecosystem wallets. Finally, the bad actor(s) set up the server’s AutoMod to timeout any server member that was attempting to alert others of the fake announcement. They did this by setting new AutoMod rules to timeout anyone that used the words ‘scam’, ‘hack’, ‘fake’, etc.
By 7:32 a.m., a member of the Labs Team with access to the Indigo Protocol Server Admin “cold” account was able to block any further actions from the $decimalist account and ban it until the session was resecured. A cold account is a single account that is given full authority over the server; this was set up as a precaution many months ago and helped ensure that the effects of this attack were almost entirely erased within 24 hours.
After securing the server, the Indigo Labs team created a list of all banned and/or timed-out members and began to remove the ban, reinvite them, and remove timeouts over the rest of the morning. About 70 members of the server were removed, and most have already rejoined the server and gained back their roles. Moving forward, the Labs are limiting the permissions of banning and managing permissions to only the secured cold account; the cold account automatically logs out of a session after only 10–15 minutes and closes out the session. The removal of these 2 permissions; banning and changing permissions, from all moderators and limiting those to only the cold account will prevent a bad actor like this from being able to make any progress if a similar attack is attempted in the future.
As we reflect on this incident, we have to acknowledge the unavoidable vulnerabilities of our interconnected ecosystem’s use of Discord, and that our safeguards were key to protecting the server and making it more resilient moving forward. Having a cold account allowed the Labs team to swiftly counteract the bad actor’s moves, minimizing their impact.
While the Indigo Protocol remained untouched, the event does emphasize the importance of protective planning, consistent vigilance, education, and regular security reviews. In our journey ahead, we’re committed to refining our practices, enhancing our protective measures, and ensuring that our community always remains in safe hands.
We thank the Indigo Community and many of our friends in the ecosystem for their vigilance in not falling for the attack, and for alerting others on X as well as other Discord servers. Thank you for standing with us. Together, we continue to build a secure, resilient, and forward-thinking digital ecosystem.
Website | Protocol | Discord | Twitter | Telegram | Indigo Paper
