Gods Unchained Discord Hacked
Today the Gods Unchained discord server was hacked. Again.
If you are like many people you may be asking yourself are you compromised? What can you do to protect yourself? Why did this happen?
So now that it has happened, what should you do?
If you connected your wallet to a bad website, disconnect it.
So a discord posting had a flash mint and you followed a link to a website and connected your wallet?
If you didn’t go further than just allowing the bad guy’s website to see your wallet address and public keys (permitted accounts) you should be fine. Afraid they have your wallet address now and can target you? Well, this is the blockchain, every time you mint an NFT everyone can check that NFT’s wallet address and see that your wallet’s address bought the NFT. This would be akin to being overly concerned somebody knew your checking account number at your local bank. Ever notice that account number is printed on every check you write? It isn’t exactly hidden information. Neither is your Metamask wallet’s address.
Still, there is no reason to remain connected to websites you no longer need or don’t want to be connected to. Go ahead and disconnect your wallet from any website you don’t use on a regular basis.
In Metamask:
Click on the vertical ellipses to the right of your account number after you click on your Metamask account:
Select “Connected sites” in the drop-down menu:
For any website you don’t recognize or don’t use on a regular basis click on the trash can.
Confirm you wish to disconnect your wallet from this website.
Don’t worry about disconnecting from a website you want to connect to in the future, you can always re-connect.
For Metamask mobile or additional screenshots of the process you can review: Metamask's instructions on how to disconnect a wallet from a Dapp.
You signed a contract or sent some crypto
I’m sorry to report you likely need to just accept the loss. In the case of a discord hack where an official channel offered up a fraudulent mint link you may be in luck. The better companies, Gods Unchained included, have reimbursed victims for their losses. They don’t need your wallet address to do this (remember everything on the blockchain is open, they can find the amount you paid and reimburse you).
If you think you may have signed a sophisticated contract, shared your wallet’s QR code, or revealed your private keys/seed phrases then you need to act fast. You’d need to create a new wallet and start transferring your assets to your new wallet.
For Gods Unchained you can send your cards to your new wallet by using Token Trove and Once logged in with your old wallet you can use the transfer option when looking at a the bottom left of a card you own:
Best practices to remain safe.
Don’t be a victim…many of us are so tired of seeing the advice below, but please read it once again:
- Don’t give anyone your personal or financial information. This includes your Gods Unchained username / password and the secret seed words to your Metamask or other wallets
- Strangers asking for sensitive information should be ignored or reported. You may have just asked for help in a discord channel or on other social media, but that offer to help that just came to you directly is most likely a scammer. Many people will suggest disabling your DMs on a discord server. Do this if you can’t practice self control and not respond to strangers or verify those that look to be your friend (using a fake account with your friend's avatar)
- Don’t follow links in emails… always go to official website in your browser. Use Google or in most blockchain gaming discords there will be channels with official links pinned in a message
- Even when you are on a website you feel is trusted, review the URL before signing in or performing a transaction. What you are looking for is the correct spelling and the correct domain. Gods Unchained’s official website is a .com, not a .io or any other domain. Make sure it is spelled correctly and is: [https://godsunchained.com/]
- Don’t respond to any sudden NFT mints or other opportunities that are putting a severe time pressure on you to act quickly. Any organization actually doing this in the NFT space should be taken to task. A legitimate opportunity to mint an NFT should be announced in multiple channels (Discord, Twitter, official website, etc.) and offer ample opportunity for people to prepare to get involved. Don’t be greedy and fall for the hurry up and mint hustle.
Why did this happen?
I know it may be easy to throw some shade at the Gods Unchained team for these hacks and there is plenty of blame to go around whenever instances like this happen. This particular hack seems to be the result of the team missing a bot that was slipped in by the hackers.
The Gods Unchained discord hack from January 4th followed along the lines of several other similar attacks. Calling this a hack doesn’t paint a complete picture. Many people will hear the word “hack” and assume there was a software vulnerability exploited or malware used to compromise the system.
Instead the compromise has a lot more to do with social engineering, or tricking somebody to divulge sensitive information. The first time I read about this discord “hack” was from Jenkens the Valet in December. Their explanation of the incident is worth reading if you have the time. In the end it comes down to the bad guy tricking a good guy into showing a code that bypasses Discord’s security for the account, in this case a moderator or admin account. Even if 2fa (two-factor authentication) is turned on the account can still be compromised.
This isn’t limited to Discord. A Bored Ape NFT Collector lost millions of dollars in NFTs to a similar social engineering hack, but this time with Metamask. While the features are in these programs to make it easier on us, the end users, we still need to practice due diligence to avoid being scammed.
Moving Forward
Staying safe while playing Gods Unchained is no different than staying safe online…..or at the supermarket for that matter. Be cautious of strangers, don’t divulge information, and protect your sensitive information. We don’t need to run away to the mountains to be safe, but we do need to be on our toes.
But still have fun, get out there and clobber some other mortals!
Oof, didn't mean to post this quite yet, needed to edit this for typos, misspellings, etc. Also links didn't come through. Sorry about that.
If anyone makes it this far and is interested here are the missing links:
Link to Metamask's mobile instructions on how to disconnect sites: https://metamask.zendesk.com/hc/en-us/articles/360059535551-Disconnect-wallet-from-Dapp
Link to Token Trove for sending cards to another wallet: https://tokentrove.com/
Link to Gods Unchained official site: https://godsunchained.com/
Similar attack to what happened to the Gods Unchained server:
Jenkins discord hack: ~~~ embed:1477923368053706755?s=21 twitter metadata:bGl0dGxlbGVtb25zbmZ0fHxodHRwczovL3R3aXR0ZXIuY29tL2xpdHRsZWxlbW9uc25mdC9zdGF0dXMvMTQ3NzkyMzM2ODA1MzcwNjc1NXw= ~~~
Bored Apes holder has millions stolen: https://beincrypto.com/bored-ape-nft-collector-loses-million-dollar-stash-discord-scammers/
I'll strive to do better next time.
Congratulations @sunnyspooky! You have completed the following achievement on the Hive blockchain and have been rewarded with new badge(s):
Your next target is to reach 200 upvotes.
You can view your badges on your board and compare yourself to others in the Ranking
If you no longer want to receive notifications, reply to this comment with the word
STOPCheck out the last post from @hivebuzz:
Support the HiveBuzz project. Vote for our proposal!
great tips! it doesn't hurt to take extra precautions when GU's discord get's compromised.
Hello, @sunnyspooky! This is @traciyork from the @ocd (Original Content Decentralized) curation team. We noticed you shared your first post here on Hive - congratulations and welcome! And while it was inspired by an awful event (hackers suck), you did an amazing job outlining the situation and providing some awesome information and resources - well done!
It would also be awesome if you could do an introduction post, so our community can get to know you better. For information on how to write an intro post, please check out the SELF INTRODUCTION section of the post 3 things Newbies should do in their first week on Hive.
Speaking of community, we have many different ones here on the blockchain, devoted to all kinds of interests. Here's a link so you can check them all out - Hive Communities . I see you already found the Gods On Chain community, and you might be interested in the Hive Gaming Community as well.
Also, as Hive can sometimes be quite confusing, the newly launched Newbies Guide should be helpful to you, as it is a growing repository of useful and easy to understand posts about how the Hive ecosystem works.
Please be aware that Hive is a bit different from other social media platforms since you are monetizing your blog, so it is important not to include content that you don't own without sources (and it shouldn't exceed 50% of the post). For more information, check this post - Why and How People Abuse and Plagiarise by hivewatchers.
For now, @lovesniper will follow your account and we are looking forward to seeing your intro post. Also, please mention (also known as tagging) @traciyork & @lovesniper in your intro post in order for us to be notified, so we can consider your post for OCD curation. Lastly, feel free to hop into the OCD Discord server if you have any questions!
Thanks, I’ll take a look at those resources and figuring out an introductory post.
Good valuable info!