The following post-mortem report is intended to provide a comprehensive and transparent analysis of the security incident that impacted the ssv.network Discord server on August 31, 2023. The report is structured to offer insights into what happened, how it occurred, the timeline of the response, and the next steps being considered to enhance security measures. The aim is to maintain full disclosure so that community members can gain an understanding of the event and the actions planned to prevent future incidents.

💡 As a reminder, the ssv.network DAO has always emphasized the importance of vigilance when interacting on our Discord server. In our "Start-Here" channel, we have previously issued a warning:

"Please always double check with whom you are communicating. SSV Network will never message you about rewards, airdrops, or any transfers. Please do not share any valuable information over the channels either, such as Seed Phrases." This incident serves as a poignant example of why such precautions are crucial.

You can find this and other important information in the start-here channel.

What Happened

On August 31, 2023, at ~2 AM, the ssv.network Discord server experienced a security breach via a bookmarklet attack. A privileged Discord account was compromised and used to carry out several malicious actions: key roles were deleted, multiple channels and bots were affected, and various users were banned. Additionally, a fraudulent duplicate website was discovered, designed to scam users and drain their wallets.

In more detail:

As soon as the attackers gained access to the server, they quickly kicked out all privileged account holders and active community members, removing the ability to counteract the breach from inside the server. Discord's customer support was promptly contacted and a warning was posted on Twitter for the community. After control of the Discord server was regained, the attackers were removed, along with the harmful posts and links.

How it Happened

The attackers contacted a privileged Discord account via Discord, masquerading as a well-known journalist from a major media outlet. They requested an interview and provided a set of preparatory consent forms to be completed. These forms instructed the recipient to add a button and a browser bookmark, then to log into Discord to confirm their identity. By following these instructions and dragging the bookmark into Discord in the web browser, the victim ran the attackers' script inside the logged-in Discord page, which allowed them to illicitly read the JWT auth token from the browser's local storage. Because that token is a post-login session credential, it let them bypass the usual protections of username, password, and two-factor authentication. The technique used in this breach is termed a bookmarklet attack; more details about this type of attack can be found in the resources linked below. The evidence suggests that the orchestrators of this sophisticated operation were Pink Drainer, a hacking group notorious for conducting similar bookmarklet attacks on leading Web3 organizations.

Fortunately, the infiltration was limited to Discord, and no other data or resources were compromised.

Read more about bookmarklet attacks: https://breakdev.org/hacked-discord-bookmarklet-attacks

Read more about Pink Drainer: https://drops.scamsniffer.io/post/pink-drainer-steals-3m-from-multiple-hack-events-including-openai-cto-orbiter-finance

Incident & Response Timeline

Next Steps

Immediate actions included contacting and re-inviting banned users, manually restoring user-level permissions to specific channels for internal teams, and conducting an internal security audit. Future actions include: