3 days ago, Jenkins the Valet’s Discord server fell victim to scammers. Hackers managed to do this by mimicking the admins of the Jenkins the Valet Discord server. The main hacker turned out to be Andrew Alsid – an individual with a background in cybersecurity.
Alsid and his co-conspirators stole over 16 ETH by posting a fraudulent wallet link as the new wallet address for minting NFTs. In addition to all of this, they managed to compromise one of Jenkins the Valet’s high-ranking mods, locked all text channels and banned the admins from accessing the server.
In a post on Medium, the Jenkins the Valet founders admitted that there was a lot they could have done to prevent this scam. They therefore outlined a few steps that other NFT project founders can take to prevent such a devastating security attack.
Jenkins the Valet’s list of mistakes
The Jenkins the Valet founders listed the mistakes that led to this scam. Here’s an overview of what they wrote.
Mistake 1 – Server Ownership and Mod Permissions
The founders revealed that they never had the person who built the server transfer server ownership to them. Eventually, this proved to be a grave error. A server owner cannot be banned by hackers who gain control of a moderator account; had they been the server owners, they could have resolved the issue in a matter of seconds.
Secondly, the server’s main moderator was tricked into sharing critical information on Discord. By persuading the mod to share their screen, the hackers – Dots#4460 and Tactic#0005 – managed to capture sensitive information from a HAR (HTTP Archive) file.
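A HAR export records every request the browser made, including the headers and cookies that carry a logged-in session, which is why it should never be shared unredacted. The following is an added example, not code from the Jenkins the Valet post or from Discord: it scans a HAR file for credential-bearing fields and produces a redacted copy that is safe to hand to someone else. The HAR structure (log, entries, request/response, headers, cookies) follows the HAR 1.2 layout; the sample archive, its hostname and its token values are constructed.

```python
"""Find and redact credential-bearing fields in a HAR (HTTP Archive) export.

Added example; the sample archive below is constructed and the token and
cookie values in it are placeholders, not real credentials.
"""
import copy
import json

# Header names that commonly carry session credentials (compared case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
REDACTED = "[REDACTED]"


def _messages(entry):
    """Yield (side, message) for the request and response halves of one entry."""
    for side in ("request", "response"):
        yield side, entry.get(side, {})


def find_sensitive(har):
    """Return (entry_index, location, field_name) for every credential-bearing field."""
    findings = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side, msg in _messages(entry):
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    findings.append((i, f"{side}.headers", header["name"]))
            # Every cookie is treated as sensitive: any of them may be a session cookie.
            for cookie in msg.get("cookies", []):
                findings.append((i, f"{side}.cookies", cookie.get("name", "")))
    return findings


def redact_har(har):
    """Return a deep copy of the archive with sensitive header and cookie values replaced."""
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        for _side, msg in _messages(entry):
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED
    return clean


# Constructed HAR with one authenticated API call and one harmless asset fetch.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "creator": {"name": "constructed-sample", "version": "0"},
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example.invalid/api/users/@me",
                    "headers": [
                        {"name": "Authorization", "value": "EXAMPLE_SESSION_TOKEN_NOT_REAL"},
                        {"name": "User-Agent", "value": "Mozilla/5.0"},
                    ],
                    "cookies": [{"name": "session", "value": "EXAMPLE_COOKIE_NOT_REAL"}],
                },
                "response": {
                    "status": 200,
                    "headers": [{"name": "Content-Type", "value": "application/json"}],
                    "cookies": [],
                },
            },
            {
                "request": {
                    "method": "GET",
                    "url": "https://example.invalid/assets/app.js",
                    "headers": [{"name": "Accept", "value": "*/*"}],
                    "cookies": [],
                },
                "response": {
                    "status": 200,
                    "headers": [{"name": "Content-Type", "value": "text/javascript"}],
                    "cookies": [],
                },
            },
        ],
    }
}

if __name__ == "__main__":
    for index, location, name in find_sensitive(SAMPLE_HAR):
        print(f"entry {index}: {location} -> {name}")
    print(json.dumps(redact_har(SAMPLE_HAR), indent=2))
```

The scan is the check a moderator should run before handing a HAR to anyone, support staff included; the redacted copy keeps the request and response shape intact for troubleshooting while stripping the values an attacker could replay.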
Mistake 2 – Limited Time Zone Coverage
In this case, the hackers watched the moderators to learn when they were awake and when they were asleep. That told them when they could launch their attack: they waited until the middle of the night EST to execute their operation. By the time everyone on the team woke up, the attack had been under way for nearly 4 hours.
How did the hackers manage to scam the members?
Once the hackers took control of the server, they created a “Jenkins the Valet” username in Discord and granted this username an official role.
The fake admin was used to make a phony announcement about a stealth drop. What’s more – they created a website that mirrored the official website and hosted a Discord Stage to talk about the drop. Members who saw right through the scam were banned. Sadly, the members who fell for this stealth drop transferred ETH from their own wallets to the scammer’s wallet.
Their post-hack strategy and tips for other project founders
As soon as they recovered from the hack, the Jenkins the Valet team started working on a strategy, one that is also useful for up-and-coming NFT project owners.
- They rebuilt the server from the ground up. The team went through the member list and identified and banned any bad actors. They will also audit permissions frequently and monitor the audit log for any suspicious activity.
- The project founders finally transferred server ownership to themselves. They also installed additional security bots to safeguard the server. Furthermore, they will be purchasing a dedicated device whose only purpose is to hold a Discord account that remains offline but owns the server.
- They’ll also be opting for 24/7 moderation. These new moderators will have a direct line to the founders in case of emergency.
- They’ll never opt for a surprise drop.
- Last but not least, they’ll be refunding all wallets that fell victim to the scam.
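The first bullet above commits the team to monitoring the audit log for suspicious activity, and the time-zone mistake explains what "suspicious" looked like here: an official role handed to a new account, followed by a burst of bans, all while no moderator was awake. The following is an added example, not code from the Jenkins the Valet post or from Discord, of detection logic a security bot could run over audit-log entries. The action names mirror Discord's audit-log event names (MEMBER_BAN_ADD, MEMBER_ROLE_UPDATE), but the record layout, the role names, the coverage window and every entry below are constructed for this example.

```python
"""Flag audit-log activity that matches the takeover pattern described above.

Added example. Entries are constructed dicts with a UTC timestamp, an action
name, the acting account, the affected account and (for role changes) the
roles added; PROTECTED_ROLES and COVERAGE are assumed values.
"""
from collections import deque
from datetime import datetime, timedelta, timezone

# Roles that should only ever be granted through a documented process (assumed names).
PROTECTED_ROLES = {"Team", "Admin"}


def off_hours(ts, coverage):
    """True when no moderator shift covers ts.

    coverage is a list of (start_hour, end_hour) pairs in UTC; a shift may
    wrap past midnight, e.g. (13, 4) means 13:00 through 04:00 UTC.
    """
    hour = ts.hour
    for start, end in coverage:
        covered = start <= hour < end if start <= end else (hour >= start or hour < end)
        if covered:
            return False
    return True


def detect_ban_burst(entries, threshold=5, window=timedelta(minutes=10)):
    """Return (ts, message) for each actor who issues >= threshold bans inside window."""
    alerts, recent, flagged = [], {}, set()
    for e in sorted(entries, key=lambda x: x["ts"]):
        if e["action"] != "MEMBER_BAN_ADD":
            continue
        q = recent.setdefault(e["actor"], deque())
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop bans older than the window
            q.popleft()
        if len(q) >= threshold and e["actor"] not in flagged:
            flagged.add(e["actor"])
            alerts.append((e["ts"], f"{e['actor']} issued {len(q)} bans within {window}"))
    return alerts


def detect_protected_role_grant(entries):
    """Return (ts, message) whenever a protected role is granted to any account."""
    alerts = []
    for e in entries:
        granted = set(e.get("roles_added", [])) & PROTECTED_ROLES
        if e["action"] == "MEMBER_ROLE_UPDATE" and granted:
            alerts.append((e["ts"], f"{e['actor']} granted {sorted(granted)} to {e['target']}"))
    return alerts


def analyse(entries, coverage):
    """Run both detectors and tag alerts raised while nobody was on shift."""
    report = []
    for ts, msg in sorted(detect_ban_burst(entries) + detect_protected_role_grant(entries)):
        tag = " [no moderator on shift]" if off_hours(ts, coverage) else ""
        report.append(f"{ts.isoformat()} {msg}{tag}")
    return report


def _t(hhmm):
    """Constructed timestamp on a placeholder date, UTC."""
    return datetime(2021, 6, 15, int(hhmm[:2]), int(hhmm[2:]), tzinfo=timezone.utc)


# Constructed entries: a compromised moderator account grants an official role to an
# impostor at 07:05 UTC, bans six members in five minutes, then a real moderator
# bans one spammer during the afternoon.
SAMPLE_ENTRIES = (
    [{"ts": _t("0705"), "action": "MEMBER_ROLE_UPDATE", "actor": "compromised-mod",
      "target": "impostor-account", "roles_added": ["Team"]}]
    + [{"ts": _t(f"07{10 + i:02d}"), "action": "MEMBER_BAN_ADD",
        "actor": "compromised-mod", "target": f"member-{i}"} for i in range(6)]
    + [{"ts": _t("1500"), "action": "MEMBER_BAN_ADD", "actor": "mod-alice",
        "target": "spammer-1"}]
)

# Moderators on shift 13:00 through 04:00 UTC (9am to midnight EDT); assumed schedule.
COVERAGE = [(13, 4)]

if __name__ == "__main__":
    for line in analyse(SAMPLE_ENTRIES, COVERAGE):
        print(line)
```

Both detectors are deliberately simple thresholds; the useful part is the off-shift tag, which turns the time-zone gap the founders described into a routing rule: an alert raised while nobody is on shift is the one that should page the founders directly.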
By publishing their mistakes and their strategy, Jenkins the Valet’s founders are helping dozens of NFT project owners and helping to prevent many similar scams. This is especially important as, in the last couple of weeks, Boss Beauties, Fractal and Phantom Galaxies all became victims of nasty Discord attacks.