Just about every NFT project has a Discord server. A Discord server full of hopes for whitelist access, constant streams of @everyone announcements, countless users using fake accounts and bots to “level up” within the server, and more.
Among those hopeful users are scammers. They’re monitoring the server, they’re doing reconnaissance on the admins, and they’re finding vulnerabilities.
Their goals are to steal money from unsuspecting people within that server, and if you don’t set things up properly, they have a good chance of succeeding.
There are a handful of things you can do to reduce the levels of risk.
2FA For All
If you’re using Discord, you need to have 2FA active. It doesn’t matter if you’re an admin of a server or just a member.
Install an authenticator app such as Google Authenticator and enable 2FA on Discord (and on every other account that supports it!).
If you’re a server owner, require 2FA for all moderation activities.
Don’t Give Away Your Discord Login Token
A Discord login token is an authentication token that allows direct access to your Discord account. Tokens are useful, but they are dangerous for exactly the same reason: anyone holding your token has direct access to your account, and the token bypasses 2FA completely.
Your Discord login token can be read via the developer tools within Discord, and a lot of scammers will try to get it from you by asking you to:
- Share your screen with them
- Open up your developer tools
- Navigate to the area where they can see your login token
Once they have seen it, they use that login token to access your account, screw you over, and screw over any servers that you have admin access to.
Don’t Use Webhooks
Like many other things, webhooks make life easier, but with that extra ease comes extra danger.
If someone gets access to your webhooks, they can control them and post official-looking messages to the Discord server. These messages can contain anything - fake whitelist URLs, phishing URLs - anything that can lead to loss.
Be Careful With Bots
Most popular Discord bots aren’t risky, and a major bot being compromised is quite a rare occurrence. However, rare doesn’t mean impossible.
At one point, the popular MEE6 bot was compromised and used to post fake messages to a Discord server. The fake messages caused a temporary stir but didn’t result in loss.
When adding bots to your Discord server, always double-check the permissions they're requesting - if a bot can be compromised, act as if it will be at some point.
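A way to do that double-check before clicking "Authorize": decode the permissions integer carried in a bot invite link and flag the permissions that would let a compromised bot take over the server or impersonate staff. This is an added example, not code from the original post; the permission bit positions are the ones Discord documents, the client_id values are placeholders, and the risk list is my own choice.

```python
from urllib.parse import urlparse, parse_qs

# Discord permission bit positions (from Discord's documentation); a subset, so bits
# outside this table are reported separately rather than silently ignored.
PERMISSION_BITS = {
    "CREATE_INSTANT_INVITE": 0, "KICK_MEMBERS": 1, "BAN_MEMBERS": 2, "ADMINISTRATOR": 3,
    "MANAGE_CHANNELS": 4, "MANAGE_GUILD": 5, "ADD_REACTIONS": 6, "VIEW_AUDIT_LOG": 7,
    "VIEW_CHANNEL": 10, "SEND_MESSAGES": 11, "MANAGE_MESSAGES": 13, "EMBED_LINKS": 14,
    "ATTACH_FILES": 15, "READ_MESSAGE_HISTORY": 16, "MENTION_EVERYONE": 17,
    "MANAGE_NICKNAMES": 27, "MANAGE_ROLES": 28, "MANAGE_WEBHOOKS": 29,
}
KNOWN_MASK = sum(1 << b for b in PERMISSION_BITS.values())
# Permissions a compromised bot could use to take over the server or post as staff
# (own choice for this example, not a Discord-defined list).
HIGH_RISK = {"ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES", "MANAGE_WEBHOOKS",
             "MANAGE_CHANNELS", "MENTION_EVERYONE", "BAN_MEMBERS", "KICK_MEMBERS"}

def decode_permissions(bitfield):
    """Names of the documented permissions set in a Discord permission integer."""
    return {name for name, bit in PERMISSION_BITS.items() if bitfield & (1 << bit)}

def audit_invite(url):
    """Summarise what a bot invite link asks for so a server owner can review it."""
    query = parse_qs(urlparse(url).query)
    bitfield = int(query.get("permissions", ["0"])[0])
    granted = decode_permissions(bitfield)
    report = {
        "client_id": query.get("client_id", [""])[0],
        "granted": granted,
        "high_risk": granted & HIGH_RISK,
        "unlisted_bits": bitfield & ~KNOWN_MASK,  # set bits missing from our table
    }
    if "ADMINISTRATOR" in granted:
        report["verdict"] = "reject: Administrator grants every permission"
    elif report["high_risk"] or report["unlisted_bits"]:
        report["verdict"] = "review: scope down before inviting"
    else:
        report["verdict"] = "acceptable"
    return report

# Constructed invite links (placeholder client_id, not a real application).
ADMIN_INVITE = "https://discord.com/oauth2/authorize?client_id=000000000000000000&scope=bot&permissions=8"
CHAT_INVITE = "https://discord.com/oauth2/authorize?client_id=000000000000000000&scope=bot&permissions=3072"

if __name__ == "__main__":
    for link in (ADMIN_INVITE, CHAT_INVITE):
        print(audit_invite(link)["verdict"])
```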
Don’t Allow Scam Bots to See Your Member List
One of the most frustrating things on Discord is getting spammed with DMs from bot accounts that want you to either mint their exciting new NFT collection or visit a phishing site to lose all your money.
Most of these bots simply join the Discord server so they can see the member list and then go down the line DMing everyone, but you can add an extra hoop that hides your member list until the bot takes an extra action to prove they want to be a member of the server.
- Make a #welcome/#rules channel that ALL users get dropped into the first time they join your server.
- Use Carl-bot to set up a reaction role, so that when a user reacts to the message in that channel they get a “member/user/guest” role added to their account.
- When they get that role, all other channels in the server become visible, and the welcome/rules channel is NO LONGER visible to them. (This requires changing visibility manually in your channels and making all channels private, but visible to all users with the “member” role.)
This means that a user without the default “member/user/whatever” role can only see, on the member list, other people who also lack that role (aka all the scam bots).
A user who does have the default member role can't see anyone who lacks it, so members can't see the bots and the bots can't see the members. Scam bots that don't have the wherewithal to react to the rules/welcome message just sit in the lobby, able to see only other scam bots, so they can't DM your server's ACTUAL users.
This won't deter human users who purposefully enter servers and post scams and whatever else, but bots are far more common.
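To check that the lobby setup above really isolates unverified accounts, here is a small model of how Discord resolves channel permissions (base role permissions, then the @everyone overwrite, then merged role overwrites, with Administrator bypassing all overwrites, as Discord documents) applied to a constructed server with a #welcome lobby and a “member” role. This is an added example, not code from the original post or from Discord or Carl-bot; the roles, channels and member names are made up.

```python
from dataclasses import dataclass, field

# Discord permission bits (from Discord's documentation); only those used here.
VIEW_CHANNEL, SEND_MESSAGES, ADMINISTRATOR = 1 << 10, 1 << 11, 1 << 3
ALL_PERMISSIONS = (1 << 31) - 1  # stand-in for "every permission"

@dataclass
class Overwrite:
    allow: int = 0
    deny: int = 0

@dataclass
class Channel:
    name: str
    overwrites: dict = field(default_factory=dict)  # role name -> Overwrite

@dataclass
class Member:
    name: str
    roles: tuple = ()  # role names besides the implicit @everyone

def channel_permissions(member, channel, roles):
    """Resolve a member's permissions in a channel the way Discord documents it."""
    base = roles["@everyone"]
    for r in member.roles:
        base |= roles[r]
    if base & ADMINISTRATOR:        # Administrator bypasses every channel overwrite
        return ALL_PERMISSIONS
    ow = channel.overwrites.get("@everyone", Overwrite())
    perms = (base & ~ow.deny) | ow.allow
    allow = deny = 0                # role overwrites are merged, then applied
    for r in member.roles:
        ow = channel.overwrites.get(r, Overwrite())
        allow, deny = allow | ow.allow, deny | ow.deny
    return (perms & ~deny) | allow

def visible_members(viewer, members, channels, roles):
    """Members the viewer can find in the member list of any channel they can see."""
    seen = set()
    for ch in channels:
        if channel_permissions(viewer, ch, roles) & VIEW_CHANNEL:
            seen |= {m.name for m in members if channel_permissions(m, ch, roles) & VIEW_CHANNEL}
    return seen

# Constructed server: role permissions, channels and members modelling the lobby setup.
ROLES = {"@everyone": VIEW_CHANNEL | SEND_MESSAGES, "member": 0, "admin": ADMINISTRATOR}
HIDE_UNTIL_MEMBER = {"@everyone": Overwrite(deny=VIEW_CHANNEL), "member": Overwrite(allow=VIEW_CHANNEL)}
CHANNELS = [Channel("welcome", {"member": Overwrite(deny=VIEW_CHANNEL)}),  # lobby, hidden once verified
            Channel("general", dict(HIDE_UNTIL_MEMBER)), Channel("announcements", dict(HIDE_UNTIL_MEMBER))]
MEMBERS = [Member("scam_bot"), Member("newcomer"), Member("alice", ("member",)),
           Member("bob", ("member",)), Member("owner", ("admin",))]
```

Note that the account with Administrator still shows up in the lobby's member list, because Administrator ignores channel overwrites; mods with a plain “member” role do not.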
If you don’t trust servers to protect you from unnecessary DMs, you can disable DMs from members of any server that you’d like. Just right-click the server > Privacy settings and turn off “Allow direct messages from server members”.
Don’t Give Unnecessary Permissions to Your Mods/Admins
Aside from your own account, your moderators and your admins are the lines of defense to keeping your server safe. Protect your server by being conservative with the permissions you give out to your crew.
This is especially important because scammers can use tools to snoop on user permissions, which helps them figure out who to target.
Your Discord server is only as secure as your weakest link, and you need to be treating your servers like Fort Knox.
Spend time learning about risks and vulnerabilities, educate yourself and your Discord mods/admins, and protect your users. Because if you don’t protect them, they can easily lose their money, and that can put a stain on your project and your reputation.