Post-Mortem: Ceramic Discord Breach

What Happened

On Tuesday, August 15, 2023, around 2pm EST, hackers believed to be from the Pink Drainer hacker group breached Ceramic’s Discord server. They then posted a series of fake airdrop announcements containing malicious links that appeared to come from a core team member.

After infiltrating the server, the hackers immediately removed all core team members and other prominent community members, which effectively prevented us from taking action to stop the attack. Once the core team realized, around 2pm EST, that they had lost access to Discord, they immediately contacted Discord support and posted on Twitter to warn the community. By 6pm the core team had regained control of the server, banned the hackers, and removed the malicious links and posts.

In total, the hackers siphoned around $1,710 (0.93476 ETH) from community members who clicked the malicious link in the announcement channel. If you were affected by this phishing attempt, please email us at team@3box.io.

Huge thanks to the Metamask, Discord, LearnWeb3, and ENS teams and the multitude of community members who responded so quickly and effectively to help us contain the damage.

How it Happened

Hackers reached out to a core Ceramic team member on Telegram, impersonating a prominent mainstream media journalist and requesting an interview for a feature. Before the call, they asked the team member to complete prerequisite "consent forms" that required dragging a button into the browser's bookmarks and signing in to Discord, supposedly to verify the team member's account identity.

The button was a bookmarklet: a bookmark whose address is a javascript: URL rather than a web page. After dragging it into their bookmarks and using it on Discord.com in their web browser, the attacker's script ran with the privileges of the Discord web page and was able to read the account's JWT auth token from the browser's local storage. Because the session was already authenticated, this bypassed the username, password and 2FA entirely. You can read more about bookmarklet attacks here. The hackers gained access only to Discord; no other information was lost or compromised.
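As an added illustration (not code from Ceramic, Discord, or the attackers), the JavaScript below shows the two halves of the technique described above: recognising a "drag this button" link whose href is really a javascript: URL, including the whitespace and case tricks browsers tolerate in a scheme, and why such a bookmarklet, once clicked on a site where you are logged in, can read a session token kept in localStorage. The storage key `session_token`, the token value and the sample links are constructed for the demo, and nothing is sent anywhere.

```javascript
// Added example; not Ceramic's, Discord's, or Pink Drainer's code.
// Part 1: spotting a bookmarklet link. Browsers strip ASCII tab/newline/CR from
// a URL and ignore leading/trailing C0 controls and spaces, so "java\nscript:"
// or "  JavaScript:" still parse as the javascript: scheme. Normalise the same
// way before testing the scheme, or obfuscated links slip through.
function isBookmarkletHref(href) {
  if (typeof href !== "string") return false;
  const cleaned = href
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  return /^javascript:/i.test(cleaned);
}

// Given anchors as {text, href} objects (for example scraped from a "consent
// form" page), return those whose href would execute code when bookmarked and
// clicked.
function findBookmarkletAnchors(anchors) {
  return anchors.filter((a) => isBookmarkletHref(a.href));
}

// Part 2: what a bookmarklet sees. Clicking it runs the javascript: body in the
// origin of the page currently open, so the body can read that page's
// localStorage. `page` is a mock of the relevant window properties; a real
// browser would hand the body the genuine window, document and localStorage.
// Bookmarklet bodies are conventionally a single expression such as
// (function(){...})(), so the body is wrapped in `return (...)`.
function runBookmarkletOn(page, href) {
  const body = decodeURIComponent(href.replace(/^\s*javascript:/i, ""));
  return new Function("localStorage", "return (" + body + ");")(page.localStorage);
}

// Minimal localStorage mock backed by a Map (constructed for the demo).
function makePage(storageEntries) {
  const store = new Map(Object.entries(storageEntries));
  return {
    localStorage: {
      getItem: (k) => (store.has(k) ? store.get(k) : null),
      setItem: (k, v) => store.set(k, String(v)),
    },
  };
}

// Constructed sample links from a hypothetical "verify your account" page.
const SAMPLE_ANCHORS = [
  { text: "Read our privacy policy", href: "https://example.invalid/privacy" },
  { text: "Verify Discord account", href: "javascript:(function(){return localStorage.getItem('session_token')})()" },
  { text: "Download form", href: "  JAVA\nSCRIPT:alert(1)" },
];

// Constructed token value; real tokens are long opaque strings.
const CONSTRUCTED_TOKEN = "demo-session-token-not-real";

function demo() {
  const suspicious = findBookmarkletAnchors(SAMPLE_ANCHORS);
  const page = makePage({ session_token: CONSTRUCTED_TOKEN });
  // Clicking the "verify" bookmarklet while on the target site yields the token
  // without the script ever seeing a password or 2FA code: the session is
  // already authenticated, and the token is all the server checks afterwards.
  const stolen = runBookmarkletOn(page, suspicious[0].href);
  return { suspicious: suspicious.map((a) => a.text), stolen };
}

console.log(demo());
```

The defensive lesson is in `isBookmarkletHref`: any "button" you are asked to drag to your bookmarks should be treated as code, not as a form, and a link checker has to normalise the scheme before testing it. Storing a bearer token where page scripts can read it means every script that runs on that origin, bookmarklets included, is as powerful as the logged-in user.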

This highly coordinated attack appears to be the work of Pink Drainer, a hacker group that has executed this type of bookmarklet attack against a number of other leading Web3 projects. You can read more about other similar hacks performed by this group here.

Incident & Response Timeline

11:20am EST - Consent forms completed, hack begins

1:50pm EST - Core team members lose access to Ceramic Discord

1:55pm EST - Hackers impersonate Ceramic’s community manager and post fake Ceramic token airdrop announcements

2pm to 6pm EST - Core team engages Discord, MetaMask, Seal 911 team, WalletConnect, LearnWeb3, and ENS for support

6pm EST - Core team regains access to and control of Ceramic Discord

Next Steps

The Ceramic core team will be doubling down on security while restoring the previous roles and settings in Discord. Please reach out to us at team@3box.io if you’ve been affected by the attack.

We take our role of protecting the best interests of our community very seriously and this was certainly not our finest afternoon; however, these types of events are an unfortunate reality of operating in Web3.

We will learn from this misstep, improve, and make sure we continue to serve and protect our community of Web3 builders. Please share any questions or thoughts in the Ceramic forum topic here.