Earlier this month, Josh Fraser, the founder of the Ethereum-based platform Origin, was poking around Discord, the chat app for gamers that’s become the go-to platform for crypto projects all over the world. What he found startled him.
Fraser wanted to see if he could set up an automatic script that would alert him every time users posted certain keywords in his server. He saw several private channels that he couldn’t access, but he was still able to see a lot of information about them. Despite being supposedly private channels, he was able to see their names, their description, and the channel’s full list of members.
Because Discord is used by tons of high profile (and obscure) crypto projects, this information could be used to figure out that a certain project is about to launch a new token, or is about to be listed on Coinbase (imagine a private channel called “Coinbase”), which can have significant impact on the price of a coin. The names and user lists of private channels can even expose people who are responsible for executing financial transactions through multi-signature wallets, according to Fraser.
“That could very easily dox someone who didn’t intend to be doxed,” Fraser told Motherboard in a call.
“Those [Discord] bots are a huge liability when it comes to security.”
Fraser’s research exposes a broader truth about cryptocurrency and the new Wild West of finance. While traditional financial communications take place over protocols like the highly secure (and expensive) Bloomberg Terminal or SWIFT, which catapulted into the public consciousness when Russia was banned from it, the most important messaging service in the world of crypto is Discord, which is a powerful chat app but was not designed from the ground up with security in mind.
Discord chats are not encrypted, public chat histories can be available to anyone who joins a channel, impersonation scams are common, and the security issue Fraser found remains a problem. Attempts by Discord to design specific features for crypto projects have been met with wide backlash from its main user base of gamers, many of whom find crypto reprehensible.
In the financial world, several firms use Instant Bloomberg, an application built to work with the Bloomberg terminal that runs on Bloomberg infrastructure and whose members’ identities are verified by the company. The terminal also requires a user’s fingerprint for login. But the app is costly (reportedly around $24,000 a year for a single terminal subscription), and it’s really designed for people in finance, who have different needs and constraints compared to DeFi and crypto. In practice that means the app is fully surveilled so that it’s compliant with financial regulations.
There’s also Symphony, an Instant Bloomberg competitor. But it’s also specifically built for financial firms, especially with compliance with existing regulations in mind, which don’t apply to crypto.
A screenshot of the Symphony messenger. (Image: Symphony)
After discovering that private channels leaked potentially sensitive information, Fraser alerted Discord, but the company told him this is a known issue that cannot be fixed for now. So he wrote a thread on Twitter explaining what he had discovered in an attempt to warn the community. His thread quickly went viral, suggesting many people in crypto had no idea private channels leaked such sensitive information.
Discord was launched in 2015 and was created by Jason Citron (CEO) and Stanislav Vishnevskiy (CTO), two developers who had launched social apps for gaming before trying their hand at game development under the banner of Hammer & Chisel Inc. That resulted in a free-to-play game for tablets called Fates Forever that failed to become commercially successful and shut down shortly after. From there, Hammer & Chisel pivoted to developing Discord as a hub for gamers to talk and coordinate in-game tactics with a focus on user-friendliness, eventually becoming Discord Inc.
Eventually, the app—perhaps because of its UI and community features, ease of creating pseudonymous identities, and some cross-pollination between online communities—cemented itself as a hub for most crypto projects. Most NFT collections including Bored Ape Yacht Club call it their home and have thousands or tens of thousands of members in their servers, and DAOs (Decentralized Autonomous Organizations) have also proliferated.
It’s also become a hotbed for scammers targeting an industry that the app was never designed to support.
Crypto hacks can be executed devastatingly quickly (one wrong link is all it takes to irreversibly swipe someone’s holdings), and so hijacking a Discord server is an efficient way to target a large number of people at once. In the last few months alone, hackers have taken control of the official Discord servers of the uber-popular NFT collection Bored Ape Yacht Club, the NFT trading platform OpenSea, and several others.
In these cases, once the hackers had control over a server, they took control of the admins’ bots, which are trusted by the community. They then began posting fake announcements from these bots, tricking victims into giving up their cryptocurrency or NFTs.
“If that bot ever got compromised, the back end that controls the bot ever got compromised, that’d be fucking nasty,” the co-founder of blockchain security firm Zelli