Let's break down the method that has been used to compromise every NFT server recently
This is a MUST read for all projects... 🧵👇
1/? Leaving social engineering aside for right now, let's first break down the method they use to steal your credentials.
The victim is asked to bookmark something, open Discord, then open the bookmark. What is being bookmarked and run is JavaScript code (a bookmarklet), and it executes in the context of whatever page is open, which is why the victim is told to open Discord first.
2/? Let's break down the code. The code reads your Discord local storage, which contains your Discord token. The scammers grab that token and send it to themselves through a webhook (a Discord webhook posting into a private channel the scammers control, where they collect stolen credentials).
3/? What is a Discord token? Your Discord token is essentially an authorization credential. A Discord token lets someone log into the account it belongs to without needing the password and fully bypasses 2FA, because the token is presented in place of both. The only way to change (and so invalidate) your Discord token is to change your password.
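As an added example (not code from the thread or from any project it mentions), here is a small triage helper a moderator or security team can run over a bookmark URL someone was asked to save. It decodes `javascript:` bookmarklets and reports the indicators the thread describes: the bookmark executes code, it reads browser local storage, and it references an outbound request or a Discord webhook. The sample URLs, the indicator names and the webhook id are constructed for this example, and the regexes are assumptions about what such code tends to look like, not a signature of any particular campaign.

```javascript
// Added example, not the thread's code. Triage a bookmark URL someone was
// told to save: is it a bookmarklet (code that runs in the open page), and
// does its source show the storage-read + exfiltration pattern the thread
// describes? Indicator names and samples are constructed for this example.

const INDICATORS = [
  // Reads browser storage, where the thread says the Discord token lives.
  { name: "reads_local_storage", re: /\blocalStorage\b/i },
  // Any way of sending data off the page.
  { name: "network_request", re: /\b(fetch|XMLHttpRequest|sendBeacon)\b/i },
  // A Discord webhook URL as the collection channel.
  { name: "discord_webhook", re: /discord(app)?\.com\/api\/webhooks\//i },
  // Generic hint that credentials are of interest.
  { name: "token_reference", re: /\btoken\b/i },
];

function decodeBookmarklet(url) {
  // Bookmarklets are often percent-encoded; decode so the regexes see plain
  // source. Malformed escapes (e.g. a literal "%" in the code) throw, so
  // fall back to the raw text instead of failing the check.
  const body = url.slice("javascript:".length);
  try {
    return decodeURIComponent(body);
  } catch (e) {
    return body;
  }
}

function analyzeBookmark(url) {
  const trimmed = url.trim();
  const isBookmarklet = /^javascript:/i.test(trimmed);
  const result = { isBookmarklet, flags: [], verdict: "ok" };
  if (!isBookmarklet) return result; // an ordinary link; nothing executes

  const source = decodeBookmarklet(trimmed);
  for (const ind of INDICATORS) {
    if (ind.re.test(source)) result.flags.push(ind.name);
  }
  // Every bookmarklet is worth a look; storage access together with an
  // outbound channel is the credential-theft pattern the thread describes.
  const exfil =
    result.flags.includes("network_request") ||
    result.flags.includes("discord_webhook");
  result.verdict =
    result.flags.includes("reads_local_storage") && exfil
      ? "credential_theft_pattern"
      : "executes_code";
  return result;
}

// Constructed samples for this example. The "suspicious" one is inert: it
// only contains the indicator strings, with the remainder omitted.
const SAMPLES = {
  normalLink: "https://example.com/whitelist",
  benignBookmarklet: "javascript:void(document.body.style.zoom='150%')",
  suspicious:
    "javascript:(()=>{const s=localStorage;const h='https://discord.com/api/webhooks/EXAMPLE_ID';/* remainder omitted */})()",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, url] of Object.entries(SAMPLES)) {
    console.log(label, JSON.stringify(analyzeBookmark(url)));
  }
}
```

Run it with node: a normal https link reports `ok`, any bookmarklet reports at least `executes_code`, and storage access combined with an outbound channel is reported as `credential_theft_pattern`. Treat it as a first-pass check only: a bookmarklet that builds its source at runtime or hides it behind eval will not match these regexes, which is one more reason the thread's advice not to bookmark anything you are asked to is the real control.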
4/? Let's dive into the social engineering methods used by scammers 👇
1. You are approached by the scammer and offered a job. The offer does not come from the actual project; the scammer is impersonating it. As soon as you 'take the job', they offer you a whitelist spot as an incentive.
5/? The video below is an instruction video, created by the scammers, showing what to do. They send you a 'whitelist key' to enter. Once you open the bookmark, your credentials are stolen.
6/? Let's look into another social engineering method 👇
2. FUD: scammers approach you claiming that your server has been added to a scam/rug list. The 'brand' behind that list has fake, botted social media followers, members and engagement; none of the followers or members are real.
7/? After joining the server, you are asked to verify yourself to gain access to the rest of it. The verification website asks you to bookmark a button; that bookmark is what steals your data. Here is the code on the website stealing your data, including your Discord token.
8/? How do you prevent this?
Don't bookmark anything. If you did fall for this scam, reset your password to remove the scammer's access to your account, alert your team and reach out to have your server audited ASAP. We've had cases in the past where team members have felt too
9/? ashamed to admit that they were tricked into leaking their credentials. We are all humans, and these are sophisticated social engineering methods. Do not feel ashamed, otherwise your small mistake will turn into a hundred thousand dollar mistake.
10/? We will constantly be posting up-to-date information about all scams and social engineering methods on our page.