Secure the Discord
Discord is the hub for many web3 communities and is increasingly a target for scammers and spammers. For example, Mekaverse was compromised just before their NFT reveal — a high-activity time that is popular with attackers. Larger projects, whose members may present lucrative targets, are constantly being targeted: BAYC and Doodles were both recently affected by a compromise of a popular CAPTCHA bot, and Aurory Project's server was hit just a few days prior to the time of publication.
This post sources best practices from existing Discord communities for securing your server and protecting your members.
Secure the admins
Administrator accounts have the highest stakes for compromise: by definition they have the most power to wreak havoc, so they are the most important accounts to keep secure.
There are a few ways to do this:
Setting up multi-factor authentication. Multi-factor auth is a no-brainer for any account that has sensitive privileges. Use a dedicated MFA device or app such as Google Authenticator or Authy and avoid SMS / text messages if at all possible: SMS is vulnerable to SIM swap attacks and is more easily bypassed when used for MFA.
Using a fresh email for admins. Where possible, administrator accounts should use an email address that is not shared with other common services. This makes it harder for attackers to compromise the account by finding and compromising a known email address.
Using a separate account for dangerous permissions. Set up a new account that is ONLY used for risky and uncommon actions like installing a new bot or webhook. Then make sure that account is the only one with permission to do those actions. Multi-factor auth is not bulletproof, so this limits the potential damage if a team member's day-to-day account is compromised. It's a bit of extra work, but worth it for admins.
The exact list of permissions to keep separate depends on the needs of the specific server. It's generally a good idea for server owners to be familiar with Discord's permission setup and decide what they need to access regularly and what can be separated. Pay attention to any permissions that start with "Manage ..." as those tend to be broad and most open to abuse.
Secure the bots
Ensure that bots are added sparingly and only as needed. Once again, it helps to have a grasp of how Discord permissions work. Cross-check the permissions a bot is requesting with your understanding of what it needs to do.
For example: an NFT sales bot should not be asking for the permission to manage roles, and a bot asking for permission to manage webhooks is almost always a red flag.
Secure the moderators
When it comes to mod permissions, the principle of least privilege is still key -- mods should only have enough access to do their jobs and no more. For most mod teams, this includes:
kick members
ban members
manage messages
moderate members
mute members
... in addition to normal browsing + posting permissions. Limiting permissions will help limit the blast radius if a mod goes rogue or if a mod account gets compromised.
It is also important to turn on the MFA requirement for moderation actions in Server Settings → Moderation → Enable 2FA Requirement.
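The cross-check described for bots above ("an NFT sales bot should not be asking for the permission to manage roles") and the least-privilege set for moderators here both come down to reading Discord's permission bitfield and comparing it with what the role actually needs. The following is an added example, not code from the original post: it decodes the permissions integer (from a bot invite URL or a role) and flags anything outside a baseline, with special attention to ADMINISTRATOR and the "Manage ..." flags. The bit positions are Discord's documented permission flags; the two baselines, the sample invite URL and its all-zero client_id are this example's own assumptions and should be adjusted to your server.

```python
"""Audit a Discord permission bitfield against a least-privilege baseline.

Added example, not from the original post. PERMISSION_BITS follows Discord's
documented permission flags (verify against the current developer docs);
the BASELINES below are assumptions for illustration, not Discord defaults.
"""
from __future__ import annotations
from urllib.parse import urlparse, parse_qs

# Discord permission flags (bit positions from the Discord developer docs).
PERMISSION_BITS = {
    "KICK_MEMBERS": 1 << 1,
    "BAN_MEMBERS": 1 << 2,
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4,
    "MANAGE_GUILD": 1 << 5,
    "VIEW_CHANNEL": 1 << 10,
    "SEND_MESSAGES": 1 << 11,
    "MANAGE_MESSAGES": 1 << 13,
    "EMBED_LINKS": 1 << 14,
    "ATTACH_FILES": 1 << 15,
    "READ_MESSAGE_HISTORY": 1 << 16,
    "MUTE_MEMBERS": 1 << 22,
    "MANAGE_ROLES": 1 << 28,
    "MANAGE_WEBHOOKS": 1 << 29,
    "MODERATE_MEMBERS": 1 << 40,
}

# Flags that confer broad control; any of these in a request deserves a hard look.
HIGH_RISK = {"ADMINISTRATOR"} | {n for n in PERMISSION_BITS if n.startswith("MANAGE_")}

# Assumed least-privilege baselines (this example's own, tune them per server).
BASELINES = {
    "nft_sales_bot": {"VIEW_CHANNEL", "SEND_MESSAGES", "EMBED_LINKS", "ATTACH_FILES"},
    "moderator": {"VIEW_CHANNEL", "SEND_MESSAGES", "READ_MESSAGE_HISTORY",
                  "KICK_MEMBERS", "BAN_MEMBERS", "MANAGE_MESSAGES",
                  "MODERATE_MEMBERS", "MUTE_MEMBERS"},
}


def decode_permissions(bitfield: int) -> set[str]:
    """Return the names of every known flag that is set in the bitfield."""
    return {name for name, bit in PERMISSION_BITS.items() if bitfield & bit}


def permissions_from_invite(url: str) -> int:
    """Extract the permissions= integer from a bot invite / OAuth2 URL (0 if absent)."""
    query = parse_qs(urlparse(url).query)
    return int(query.get("permissions", ["0"])[0])


def audit(bitfield: int, baseline_name: str) -> dict:
    """Compare a requested bitfield with a baseline.

    Reports flags beyond the baseline, which of those are high risk, and any
    bits this script does not know about (those need a manual look too).
    """
    requested = decode_permissions(bitfield)
    baseline = BASELINES[baseline_name]
    known_mask = sum(PERMISSION_BITS.values())  # distinct bits, so sum == OR
    unknown_bits = bitfield & ~known_mask
    excess = requested - baseline
    return {
        "excess": sorted(excess),
        "high_risk": sorted(requested & HIGH_RISK),
        "unknown_bits": unknown_bits,
        "ok": not excess and unknown_bits == 0,
    }


if __name__ == "__main__":
    # Constructed sample: a "sales bot" invite that also asks for Manage Roles
    # and Manage Webhooks. The client_id is a placeholder, not a real bot.
    requested = (PERMISSION_BITS["VIEW_CHANNEL"] | PERMISSION_BITS["SEND_MESSAGES"]
                 | PERMISSION_BITS["EMBED_LINKS"] | PERMISSION_BITS["MANAGE_ROLES"]
                 | PERMISSION_BITS["MANAGE_WEBHOOKS"])
    sample_invite = ("https://discord.com/oauth2/authorize?client_id=000000000000000000"
                     f"&scope=bot&permissions={requested}")
    print(audit(permissions_from_invite(sample_invite), "nft_sales_bot"))
```

Run against the constructed invite, the audit reports MANAGE_ROLES and MANAGE_WEBHOOKS as both excess and high risk, which is exactly the red flag the bot section describes. The same function run with the "moderator" baseline over a mod role's bitfield tells you whether the role has crept beyond kick / ban / manage messages / moderate / mute. Unknown bits are reported rather than silently ignored so that a flag this table does not list still gets reviewed.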
Beyond the permissions and server setup, the best way to mitigate compromise is educating the mod team. Mods in particular should be aware of the various shapes of scam, spam, and attack that they may be targeted with.
@Jon_HQ has an excellent quiz that walks through common scenarios with an accompanying explainer for each.
Common attack vectors include, but are not limited to:
DM pretending to be another mod on the same server who has lost their credentials and needs to be let back in
DM pretending to be a mod from another server who “needs help”
DM pretending to be a bot requiring verification for a server
Link to a fake NFT marketplace or fake collection on real NFT marketplace
Anything that requires dragging a link into a bookmark (which runs code to steal your Discord auth token and bypass MFA)
Anything that involves opening up your browser dev tools
This is just a short list. In reality, the number of scams is only limited by the creativity of scammers, and mods need to be on the alert for anything that seems sketchy or too good to be true.
Secure the members
Everybody has a role to play in security, including server members!
Make sure new members can spot a scam and know that they should probably just turn off their DMs in general. Some ways to protect your members:
How-To Channels. Include education as part of the onboarding process. Create specific channels that tell members how to do specific things, such as "how to avoid scams" or "how not to get scammed." This shows your care for members and helps newcomers to the space too.
Reminder of Rules for Staying Safe. Remind them of these rules:
Never type your seed phrase — wallets or support will never ask for your seed phrase.
Use a hardware wallet.
Check the URL, make sure it isn’t a malicious-looking website.
Watch what you sign.
No seriously: unless you’re setting up a brand new wallet, you should not be typing in your seed phrase. Nobody legitimate will ever ask for your seed phrase.
More info in this thread here.
2/ Rules for keeping your crypto and NFTs secure: • NEVER TYPE YOUR SEED PHRASE • USE A HARDWARE WALLET • CHECK THE URL • WATCH WHAT YOU SIGN. In all observed "hacks", there is a moment where a seed phrase was entered into a computer or a malicious transaction had been signed.
For bonus points, set up a moderation bot like MEE6 to regularly post reminders about these best practices.
Official Information Channels. Publish your announcements and list of official links in a dedicated channel that is editable only by team members, and update it as needed.
Report-A-Scam. Create a channel dedicated to community members reporting scam or spam activity around your project so you can immediately take action.
Announce Scams. Once you're aware of a scam that could harm or has already harmed members, take action and let your members know not to engage.
Lastly, Zeneca's newsletter has a great guide that covers MFA, turning off DMs, and otherwise keeping your sanity in all the chaos of Discord.
There are many elements to operational security and running a Discord server. The above should provide a good head start in preventing and mitigating compromises, but it bears repeating that account security will always be subject to social engineering and teams should be on the lookout for new types of attacks.
Happy buidling and remember: 99.9942069% of unsolicited DMs are scams.