CityDAO, a group that bought 40 acres of land in Wyoming to build a blockchain-based city, was hacked this week. The group’s Discord server was compromised and members’ funds were stolen.
CityDAO Got Hacked
CityDAO is a decentralized autonomous organization (DAO). These blockchain-based groups let people pool resources together towards a common goal with smart contracts. Instead of being tied to a physical location, such as a traditional company, DAO members can be located around the world. Members vote on various aspects of the DAO through blockchain tokens.
In July 2021, Wyoming passed a law that legally recognizes DAOs, but they must register as companies within the state. CityDAO did this and purchased 40 acres of land as a blockchain experiment. The goal was to start a city based on the blockchain, divvy up the land and sell the parcels as NFTs to members.
But it became a target for hackers, and a CityDAO Discord admin account was hacked. Lyons800 shared the incident on Twitter.
The attacker created a fake screenshot of a conversation from Lyons800 in another Discord. The person claimed this admin was scamming people. Lyons800 stepped forward to prove it wasn’t him and chatted with the scammer, letting them inspect his “console” to verify he wasn’t masking his IP address or identity.
The attacker was able to steal Lyons800’s Discord authentication token and hijack the account. Then, they spread messages in Discord channels about a fake “land drop” of CityDAO NFTs for people to purchase land. Unknowingly, members were sending the money to the scammer’s crypto wallet. The scammer made off with roughly US$100,000 in the first day and is still receiving and transferring funds.
Lyons800 calls it a “ridiculous security breach from Discord,” but this is a classic social engineering attack where the weakest link is the human, not the technology.