On January 10, CityDAO put out a tweet with an emergency notice to all community members to avoid all claims and posts of a ‘land drop.’
The tweet came after many people had already connected their wallets to a fraudulent smart contract in the hope of free tokens, and subsequently lost their assets.
The fraudulent smart contract links were incredibly successful because they were posted by one of the project’s Discord admins and flagged so everyone in the community would see them.
This admin had been a victim of a social engineering attack which gave the hacker access to their account.
This social engineering tactic was unusual and a good lesson for admins. It all started when a user messaged the Discord admin claiming that someone with the admin's username was promoting a fake token giveaway.
This is a common occurrence on Telegram and Discord, but the admin thought it was strange that even the unique ID tag was the same. It turned out the imposter was using specific ASCII symbols to make their username look identical.
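The look-alike username described above is detectable: collapse each handle to a comparable "skeleton" and flag any handle that matches a trusted admin's skeleton without being that exact string, or that mixes letters from several scripts. This is an added example, not code from CityDAO or Discord; the confusables map and the sample handles are constructed for illustration.

```python
import unicodedata

# Constructed, illustrative subset of Unicode confusables mapped to their
# Latin look-alikes. A production check should use the full Unicode
# confusables table rather than this hand-picked list.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "і": "i", "ј": "j", "ѕ": "s", "ԁ": "d", "ӏ": "l", "ο": "o", "α": "a",
    "ν": "v", "τ": "t", "ɑ": "a", "ı": "i",
}


def skeleton(handle: str) -> str:
    """Collapse a handle to a comparable form: NFKC-normalise (folds fullwidth
    and styled letters into plain ones), case-fold, drop combining marks and
    invisible format characters such as zero-width spaces, then map known
    confusables onto their Latin look-alikes."""
    out = []
    for ch in unicodedata.normalize("NFKC", handle).casefold():
        if unicodedata.category(ch) in ("Mn", "Cf"):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def letter_scripts(handle: str) -> set:
    """Heuristic set of scripts used by the letters in a handle (LATIN,
    CYRILLIC, ...), taken from the first word of each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in handle if ch.isalpha()}


def check_handle(candidate: str, trusted: list) -> list:
    """Return findings for a handle that is not a verbatim trusted handle but
    collapses to the same skeleton as one (impersonation), or whose letters
    mix scripts (a common sign of a look-alike name). Empty list = no finding."""
    findings = []
    if candidate in trusted:
        return findings  # exact match: this is the real account
    cand_sk = skeleton(candidate)
    for real in trusted:
        if skeleton(real) == cand_sk:
            findings.append(f"look-alike of trusted handle {real!r}")
    scripts = letter_scripts(candidate)
    if len(scripts) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(scripts)))
    return findings


if __name__ == "__main__":
    admins = ["CityDAO_Admin#4242"]  # constructed trusted-admin list
    # Constructed imposter: Cyrillic capital A (U+0410) in place of Latin A.
    print(check_handle("CityDAO_\u0410dmin#4242", admins))
```

A bot holding the real admin list can run this on every new member and on senders of announcement-style DMs, and alert moderators on any finding.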
The user then asked the admin to prove he was the real one, and proposed a call so he could verify who was real and who was the imposter. When the admin called, the user claimed that the admin was likely masking his IP address to conceal the truth.
The user then asked the admin to prove he was not masking his IP address by clicking a link. When the admin clicked the link, the hacker was able to get full control of his Discord account.
Once the hacker had full control over the Discord account, they posted announcements about a fake airdrop and limited access to the other admins.
The scam went on until CityDAO made the critical announcement to avoid links in the Discord altogether. In total, $95,000 worth of the community's funds were stolen.
Social engineering hacks are very common in today’s world and the best way to avoid them is to never trust a link that is sent to you.
Many industries now run routine security awareness training to help staff recognize and avoid phishing scams.
Unfortunately for this Discord admin, his failure to recognize the phishing scam caused many of the project’s token holders to lose money.