Memeland Discord Server Compromised: Difference between revisions
(More) |
(Another 30 minutes complete.) |
||
| Line 4: | Line 4: | ||
[[File:Memeland.jpg|thumb|Memeland]]Memeland used MEE6, a widely implemented Discord bot which assists with ranking and moderation functions. MEE6 had administrative level access to a wide range of Discord servers where it was set up. One of the MEE6 employee accounts was compromised, and the attackers used that to run widespread phishing attacks on multiple NFT communities, including Memeland. Memeland was particularly susceptible due to the lack of a concrete roadmap, and the NFT space often has a wide range of time-sensitive opportunities. It's unclear exactly how many users were affected, and it seems that no funds have been recovered. MEE6 has apparently not published further details about what happened. | [[File:Memeland.jpg|thumb|Memeland]]Memeland used MEE6, a widely implemented Discord bot which assists with ranking and moderation functions. MEE6 had administrative level access to a wide range of Discord servers where it was set up. One of the MEE6 employee accounts was compromised, and the attackers used that to run widespread phishing attacks on multiple NFT communities, including Memeland. Memeland was particularly susceptible due to the lack of a concrete roadmap, and the NFT space often has a wide range of time-sensitive opportunities. It's unclear exactly how many users were affected, and it seems that no funds have been recovered. MEE6 has apparently not published further details about what happened. | ||
This is a global/international case not involving a specific country.<ref name="nftevening-9721" /><ref name="nftherdertwitter-9722" /><ref name="nftherdertwitter-9723" /><ref name="nftherdertwitter-9724" /><ref name="nftherdertwitter-9725" /><ref name="searchtwitter-9726" /><ref name="beosinalerttwitter-9727" /><ref name="chox3twitter-9728" /><ref name="unknown-5676" /><ref name="blabre97twitter-9729" /><ref name="mekamrantwitter-9730" /><ref name="trickynftstwitter-9731" /><ref name="ryukdevtwitter-9732 | This is a global/international case not involving a specific country.<ref name="nftevening-9721" /><ref name="nftherdertwitter-9722" /><ref name="nftherdertwitter-9723" /><ref name="nftherdertwitter-9724" /><ref name="nftherdertwitter-9725" /><ref name="searchtwitter-9726" /><ref name="beosinalerttwitter-9727" /><ref name="chox3twitter-9728" /><ref name="unknown-5676" /><ref name="blabre97twitter-9729" /><ref name="mekamrantwitter-9730" /><ref name="trickynftstwitter-9731" /><ref name="ryukdevtwitter-9732" /> | ||
== About Memeland == | == About Memeland == | ||
| Line 26: | Line 26: | ||
"[H]olders of Memeland PFPs have full commercial art rights for the Memeland PFPs they own." "Memeland will receive 6.9% of all secondary sales." "Unlike lonely NFTs which can only be held in your wallet, Memeland is going to give you value and each Memeland PFP (aka Captain) unlocks utilities like Private club membership, Exclusive access to the creator NFT marketplace, IRL (In Real Life) events, Upcoming 9GAG drops and projects, And more." | "[H]olders of Memeland PFPs have full commercial art rights for the Memeland PFPs they own." "Memeland will receive 6.9% of all secondary sales." "Unlike lonely NFTs which can only be held in your wallet, Memeland is going to give you value and each Memeland PFP (aka Captain) unlocks utilities like Private club membership, Exclusive access to the creator NFT marketplace, IRL (In Real Life) events, Upcoming 9GAG drops and projects, And more." | ||
Quoting Warren Buffett:<ref name="memelandtwitter-9752" /> | |||
== About MEE6 == | == About MEE6 == | ||
| Line 89: | Line 91: | ||
|May 17th, 2022 8:10:00 PM MDT | |May 17th, 2022 8:10:00 PM MDT | ||
|UnusualEss Tweet | |UnusualEss Tweet | ||
|"here appears to be a hack involving MEE6 circling different servers,memeland/moonbirds discord affected.Remember to never click any surprise links,Stay vigilant out there frens & watch out for any other discord hacks.<ref name="unusualesstwitter-9754" />. | |Twitter user UnusualEss reports that "[t]here appears to be a hack involving MEE6 circling different servers,memeland/moonbirds discord affected.Remember to never click any surprise links,Stay vigilant out there frens & watch out for any other discord hacks.<ref name="unusualesstwitter-9754" />. | ||
|- | |- | ||
|May 17th, 2022 8:17:00 PM MDT | |May 17th, 2022 8:17:00 PM MDT | ||
| | |PeckShield Alert Tweet | ||
| | |PeckShield posts an alert tweet to warn the NFT community of the attack, referencing accounts for NFT projects CyberConnect, RTFKT, Moonbirds, and Memeland<ref name="peckshieldalerttwitter-9750" />. | ||
|- | |||
|May 17th, 2022 8:31:00 PM MDT | |||
|Zeneca Warning Tweet | |||
|"Hearing multiple reports that the Mee6 bot has been compromised and certain high-profile Discord servers have been hacked all at once (RTFKT, PROOF/Moonbirds, PXN, Memeland)"<ref name="zeneca33twitter-9734" />. | |||
|- | |- | ||
|May 17th, 2022 8:55:00 PM MDT | |May 17th, 2022 8:55:00 PM MDT | ||
|NFTherder Announces Breach | |NFTherder Announces Breach | ||
|NFTherder announces a breach on Twitter, and notes that "PXN, RTKFT, [and] Moonbirds discord admin accounts [were] compromised" and "MEE6 was not hacked. Admins in the servers where compromised." He warns users to "not click any fake mints"<ref name="nftherdertwitter-97172">[https://twitter.com/NFTherder/status/1526758429636931585 NFTherder - "PXN, RTKFT, Moonbirds discord admin accounts compromised. Do not click any fake mints" - Twitter] (Nov 23, 2022)</ref>. | |NFTherder announces a breach on Twitter, and notes that "PXN, RTKFT, [and] Moonbirds discord admin accounts [were] compromised" and "MEE6 was not hacked. Admins in the servers where compromised." He warns users to "not click any fake mints"<ref name="nftherdertwitter-97172">[https://twitter.com/NFTherder/status/1526758429636931585 NFTherder - "PXN, RTKFT, Moonbirds discord admin accounts compromised. Do not click any fake mints" - Twitter] (Nov 23, 2022)</ref>. | ||
|- | |||
|May 17th, 2022 9:48:00 PM MDT | |||
|Ryuk Developer Warning | |||
|Ryuk publishes a warning on Twitter about high profile discords being hacked including RTFKT, Memeland, PXN, Moonbirds, and Cool Cats "within the last hour" and "recommend[s] removing MEE6 from your servers"<ref name="ryukdevtwitter-97322">[https://twitter.com/ryuk_dev/status/1526771791959453696 Ryuk - "Lots of high profile discords (RTFKT, Memeland, PXN, Moonbirds, Cool Cats) all hacked within the last hour. To be safe, I would recommend removing MEE6 from your servers." - Twitter] (Nov 24, 2022)</ref><ref name="ryukdevtwitter-9732" />. | |||
|- | |||
|May 18th, 2022 3:22:00 AM MDT | |||
|Jacob H List Published | |||
|Jacob H publishes a list of "[s]ervers hit in the last 8 hours via MEE6" which include RTFKT (165k), | |||
Alien Frens (74k), Cool Cats (101k), PXN (32k), HAPE (479k), Axie Infinity (739k), PSSSD (80k), My Pet Hooligans (31k), Blockworks (6k), Moonbirds/PROOF (17k), Memeland/9GAG (238k), and Magic Eden (194k)<ref name="lukenamoptwitter-9733" />. | |||
|- | |- | ||
|May 18th, 2022 3:50:10 AM MDT | |May 18th, 2022 3:50:10 AM MDT | ||
| Line 114: | Line 129: | ||
|Tweets About Discord Hack | |Tweets About Discord Hack | ||
|The recent hack is referenced by Twitter user rektnft1178<ref name="rektnft1178twitter-9710" />. TBD expand. | |The recent hack is referenced by Twitter user rektnft1178<ref name="rektnft1178twitter-9710" />. TBD expand. | ||
|- | |||
|May 18th, 2022 9:37:00 AM MDT | |||
|Idea For Reimbursement Floated | |||
|NFTHerder floats the idea that the MEE6 bot developers should reimburse those users who were affected by the loss. "MEE6's employee account was breached & scammers used that account to execute the scams and steal eth. MEE6 support denied it for hours yesterday"<ref name="nftherdertwitter-9747" /> | |||
|- | |- | ||
|May 19th, 2022 3:13:20 PM MDT | |May 19th, 2022 3:13:20 PM MDT | ||
| Line 134: | Line 153: | ||
|Memeland Adds Joey Lu | |Memeland Adds Joey Lu | ||
|The Memeland project announces they are adding Joey Lu to their team<ref name="memelandtwitter-9698" />. | |The Memeland project announces they are adding Joey Lu to their team<ref name="memelandtwitter-9698" />. | ||
|- | |||
|May 30th, 2022 10:12:00 AM MDT | |||
|NFTHerder Publishes Discord Hack List | |||
|This incident is included in a list of Discord hacks published by NFTHerder<ref name="nftherdertwitter-9748" />. | |||
|- | |- | ||
|May 31st, 2022 11:15:22 AM MDT | |May 31st, 2022 11:15:22 AM MDT | ||
| Line 162: | Line 185: | ||
|Memeland Launches A New Website | |Memeland Launches A New Website | ||
|The Memeland project announces their new website<ref name="memelandtwitter-9706" />. | |The Memeland project announces their new website<ref name="memelandtwitter-9706" />. | ||
|- | |||
|November 19th, 2022 7:34:00 AM MST | |||
|Continuing To Promote | |||
|Memeland continues to promote further on Twitter<ref name="memelandtwitter-9751" />. | |||
|} | |} | ||
== Technical Details == | |||
=== Explanation of Attack By 777Skits === | |||
777Skits published a tweet with a breakdown of the new account hacking method being used<ref name="777skitstwitter-9737" />.<blockquote>"MEE6 Hack" & "New Account Hacking Method" | |||
The recent discord hacks utilizing MEE6 and compromised admin accounts: | |||
First they will hack an admin account. | |||
Secondly they will create a reaction role feature from MEE6 to give an alternate account admin. | |||
Using this method, they will be able to send webbook messages while hiding who the compromised administrator account is. | |||
Making it more difficult to stop the attack. The best way is to remove MEE6/the webbooks right away rather then trying to identify the compromised account. | |||
So there is this new social engineering method that is very convincing: | |||
This is targeting mainly higher ups in projects: Two things that they use, Collaboration requests with high scale projects, and offering job opportunity's. | |||
They will seem quite convincing. They will then get you into "their" discord server. There will be a fake verification bot, this will most likely be imitating captcha bot, or wickbot. The server will have members and look very legit | |||
Once you interact with these fake bots they will snag your discord token, giving them instant access to your account without 2FA or your password. | |||
How to prevent?: | |||
Always verify the legitimacy of who you are speaking with. | |||
If you join a server and have to verify, always double check if it's the actual bot. | |||
You can ask the person you are working with to be auto roled.</blockquote> | |||
== Total Amount Lost == | == Total Amount Lost == | ||
| Line 173: | Line 231: | ||
<ref name="rektnft1178twitter-9710" /> TBD | <ref name="rektnft1178twitter-9710" /> TBD | ||
=== Warnings on Twitter === | |||
Multiple Twitter users stepped up to warn others about the hack<ref name="unusualesstwitter-9754" />.<blockquote>There appears to be a hack involving MEE6 circling different servers,memeland/moonbirds discord affected.Remember to never click any surprise links,Stay vigilant out there frens & watch out for any other discord hacks.</blockquote> | |||
== Ultimate Outcome == | == Ultimate Outcome == | ||
| Line 178: | Line 239: | ||
Continuing to promote<ref name="memelandtwitter-9699" /><ref name="memelandtwitter-9704" /><ref name="memelandtwitter-9705" /> including launching a new website<ref name="memelandtwitter-9706" /> and launching another stage 5 of artwork<ref name="memelandtwitter-9707" /><ref name="memelandtwitter-9708" /><ref name="youtube-9709" />. | Continuing to promote<ref name="memelandtwitter-9699" /><ref name="memelandtwitter-9704" /><ref name="memelandtwitter-9705" /> including launching a new website<ref name="memelandtwitter-9706" /> and launching another stage 5 of artwork<ref name="memelandtwitter-9707" /><ref name="memelandtwitter-9708" /><ref name="youtube-9709" />. | ||
<ref name="memelandtwitter-9751" /> | |||
=== Memelist Publishes Partner List === | |||
Memelist published a spreadsheet with all of their giveaway partners listed to avoid any confusion in the future<ref name="googledoc-9753" />. | |||
== Total Amount Recovered == | == Total Amount Recovered == | ||
| Line 248: | Line 314: | ||
<ref name="trickynftstwitter-9731">[https://twitter.com/Tricky_NFTs/status/1526849651546144769 @Tricky_NFTs Twitter] (Nov 24, 2022)</ref> | <ref name="trickynftstwitter-9731">[https://twitter.com/Tricky_NFTs/status/1526849651546144769 @Tricky_NFTs Twitter] (Nov 24, 2022)</ref> | ||
<ref name="ryukdevtwitter-9732">[https://twitter.com/ryuk_dev/status/1526771791959453696 @ryuk_dev Twitter] (Nov 24, 2022)</ref> | <ref name="ryukdevtwitter-9732">[https://twitter.com/ryuk_dev/status/1526771791959453696 @ryuk_dev Twitter] (Nov 24, 2022)</ref> | ||
<ref name="lukenamoptwitter-9733">[https://twitter.com/lukenamop/status/1526855835527303171 | <ref name="lukenamoptwitter-9733">[https://twitter.com/lukenamop/status/1526855835527303171 Jacob H - "Servers hit in the last 8 hours via MEE6" - Twitter] (Nov 24, 2022)</ref> | ||
<ref name="zeneca33twitter-9734">[https://twitter.com/Zeneca_33/status/1526752181122224129 | <ref name="zeneca33twitter-9734">[https://twitter.com/Zeneca_33/status/1526752181122224129 Zeneca_33 - "Hearing multiple reports that the Mee6 bot has been compromised and certain high-profile Discord servers have been hacked all at once (RTFKT, PROOF/Moonbirds, PXN, Memeland). " - Twitter] (Nov 24, 2022)</ref> | ||
<ref name="nftherdertwitter-9747">[https://twitter.com/NFTherder/status/1526950199767314432 | <ref name="nftherdertwitter-9747">[https://twitter.com/NFTherder/status/1526950199767314432 NFTherder - "MEE6's employee account was breached & scammers used that account to execute the scams and steal eth. MEE6 support denied it for hours yesterday" - Twitter] (Nov 24, 2022)</ref> | ||
<ref name="nftherdertwitter-9748">[https://twitter.com/NFTherder/status/1531307520366632964 @ | <ref name="nftherdertwitter-9748">[https://twitter.com/NFTherder/status/1531307520366632964 NFTherder - "In May, 70 discords got exploited including big projects like @RTFKT and @coolcatsnft. Even OpenSea's official discord was breached!" - Twitter] (Nov 24, 2022)</ref> | ||
<ref name="777skitstwitter-9737">[https://twitter.com/777Skits/status/1526775285164691457 | <ref name="777skitstwitter-9737">[https://twitter.com/777Skits/status/1526775285164691457 777Skits - "The recent discord hacks utilizing MEE6 and compromised admin accounts:" - Twitter] (Nov 23, 2022)</ref> | ||
<ref name="peckshieldalerttwitter-9750">[https://twitter.com/PeckShieldAlert/status/1526748738068156417 @ | <ref name="peckshieldalerttwitter-9750">[https://twitter.com/PeckShieldAlert/status/1526748738068156417 PeckShield Alert - "#PeckShieldAlert #phishing Seems like several #NFT discords were compromised. Stay safe! @CyberConnectHQ @proof_xyz @RTFKT @Moonbirds @memeland #NFT community share to raise awareness." - Twitter] (Nov 24, 2022)</ref> | ||
<ref name="memelandtwitter-9751">[https://twitter.com/Memeland/status/1593975926584643587 | <ref name="memelandtwitter-9751">[https://twitter.com/Memeland/status/1593975926584643587 Memeland - "It's boring to talk about Memeland every day. It's boring (and arrogant) to retweet posts that talk about how bullish Memeland is every day. Now you tell me, what should we talk about here?" - Twitter] (Nov 24, 2022)</ref> | ||
<ref name="memelandtwitter-9752">[https://twitter.com/Memeland/status/1592469336937365506 | <ref name="memelandtwitter-9752">[https://twitter.com/Memeland/status/1592469336937365506 Memeland - "This was written 36 years ago. Still a good read today." Warren Buffett Quote - Twitter] (Nov 24, 2022)</ref> | ||
<ref name="googledoc-9753">[https://docs.google.com/spreadsheets/d/1xOqqGZ1Wlz734v7hxhUQfaqKWcwvO8TbRcGW0aVtfLY/edit#gid=0 Memelist Giveaway Partners - Google Sheets] (Nov 24, 2022)</ref> | <ref name="googledoc-9753">[https://docs.google.com/spreadsheets/d/1xOqqGZ1Wlz734v7hxhUQfaqKWcwvO8TbRcGW0aVtfLY/edit#gid=0 Memelist Giveaway Partners - Google Sheets] (Nov 24, 2022)</ref> | ||
<ref name="unusualesstwitter-9754">[https://twitter.com/UnusualEss/status/1526746927760564225 UnusualEss - "There appears to be a hack involving MEE6 circling different servers,memeland/moonbirds discord affected.Remember to never click any surprise links,Stay vigilant out there frens & watch out for any other discord hacks." - Twitter] (Nov 24, 2022)</ref> | <ref name="unusualesstwitter-9754">[https://twitter.com/UnusualEss/status/1526746927760564225 UnusualEss - "There appears to be a hack involving MEE6 circling different servers,memeland/moonbirds discord affected.Remember to never click any surprise links,Stay vigilant out there frens & watch out for any other discord hacks." - Twitter] (Nov 24, 2022)</ref> | ||
Revision as of 11:53, 12 June 2023
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Memeland used MEE6, a widely implemented Discord bot which assists with ranking and moderation functions. MEE6 had administrative level access to a wide range of Discord servers where it was set up. One of the MEE6 employee accounts was compromised, and the attackers used that to run widespread phishing attacks on multiple NFT communities, including Memeland. Memeland was particularly susceptible due to the lack of a concrete roadmap, and the NFT space often has a wide range of time-sensitive opportunities. It's unclear exactly how many users were affected, and it seems that no funds have been recovered. MEE6 has apparently not published further details about what happened.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13]
About Memeland
Homepage:[14]
OpenSea:[15]
Twitter:[16]
"BRING OWNERSHIP TO EVERY COMMUNITY IN THE WORLD. From the team that brought you 9GAG comes Memeland, a web3-focused venture studio. We are building and investing in social products for community, with community. We are connecting creators and communities together through creativity, $MEME, and NFTs."
"Memeland is a collection of 9,999 utility-enabled PFPs." "They ran a blind auction for “YOU THE REAL MVP” to let their community set the price. The final price goes to 5.3 ETH, and now FP sits at 32 ETH." "“The Potatoz” is a collection of 9,999 utility-enabled PFPs launched on Jul. 21 [2022]. Each Potatoz is your entry ticket into the great Memeland ecosystem." "The Potatoz completing more than 9,700 ETH ($16 million) worth of secondary marketplace transactions up to now. The floor price for The Potatoz is currently 1.45 ETH."
"Founded in 2008, 9GAG behind Memeland NFT has a global audience of 200 million, across its website, apps, Instagram, Facebook, and Twitter." "When we started 9GAG in 2008, we were nobody, and we knew nothing. We joined 500 Startups in 2011, raised seed funding, joined Y Combinator in 2012, and never stopped shipping. A decade later, we are still nobody, but 9GAG now has a global audience of 200 million across different social platforms." "Famous celebrities like @kevinrose and @garyvee are all involved in this project."
"Today, we are trying something new. With the help of blockchain technology, we want to invite you to join us and build our community and company together. As with all things 9GAG, we like to under-promise and over-deliver. We don't know how big Memeland will become, but we promise we will give our best." "Elements like a broken sea, pirate crews, treasure island, sea monster, and of course…memes are all showing in the form of really cool pixels."
"On top of it, Memeland does not have a specific roadmap and follows a dynamic plan." "They said that there is no road at sea, so there is no roadmap." "Go slow to go fast." "Mint date? Not today. Mint price? Not cheap. Roadmap? No roadmap. What now? Follow @MEMELAND." "We made our announcement only 1 month ago. Web3 moves fast but we are here to stay. Good things take time."
"[H]olders of Memeland PFPs have full commercial art rights for the Memeland PFPs they own." "Memeland will receive 6.9% of all secondary sales." "Unlike lonely NFTs which can only be held in your wallet, Memeland is going to give you value and each Memeland PFP (aka Captain) unlocks utilities like Private club membership, Exclusive access to the creator NFT marketplace, IRL (In Real Life) events, Upcoming 9GAG drops and projects, And more."
Quoting Warren Buffett:[20]
About MEE6
"MEE6 is a 2-year-old Discord bot known for Levels, Auto-moderation, and its' paid music/record features. We also offer Reddit/Twitch/YouTube notifications, timers, custom commands, and other moderation features." "The best Discord Bot for your server." "Configure moderation, leveling, Twitch alerts, and much more with the most easy-to-use dashboard!" "Take advantage of the welcome message to inform newcomers about your server rules, topic, or ongoing events. You can design your own welcome card or keep it simple."
"MEE6 gives you full control to create the command of your dreams! Create commands that automatically give and remove roles and send messages in the current channels or in user's DM." "Notify your server when you or your favorite content creators begin to stream, upload, and post content." "MEE6, the Discord Bot trusted by 19+ million servers." "Mekaverse, Doodles, CyberKongz, VeeFriends, CoolCats, and RTFKT all use MEE6 everyday to manage their Discord server. More than 60,000 NFT & crypto Discord servers setup MEE6 every month, and that number is growing fast."
"Another tweet was shared by PeckShield, a blockchain cybersecurity firm, warning users about compromised NFT Discord Server of Memeland, RTFKT, PROOF/Moonbirds and infrastructure company Cyberconnect."
"YOUR DISCORD IS HACKED, CHECK ANNOUCEMENT, SOMEONE SENDED SCAM LINK, ALL CHANEL ARE CLOSED."
"Cyberconnect and Memeland confirmed the hack on their Twitter feeds and warned users to avoid clicking on any link on Discord. Cyberconnect caution that the project will never ask for their private keys." "Memeland also alerted users on Twitter and inside Discord, where the project posted a message saying a compromised bot posted announcements with “fake links.”"
"@NFTherder singled out the MEE6 Discord bot as problematic. This Discord plugin, used by over 18 million servers, allows users to assign roles themselves by using Discord reactions. It is also a basic moderator and can send administration messages."
"26 of the 70 discords [compromised in May 2022] were compromised through the @mee6bot." "Turns out there was some truth about the MEE6 compromise: MEE6 wasn't hacked itself however an employee of their company had their account breached & scammers used that account to execute their scam. Question is, did the employee fall for a phishing link or was it a bribe? Crazy."
"A team member of Memeland noted, “a discord bot (mee6) seems to be compromised across various high profile servers.” The mee6 bot is used by the server owners to automate welcome messages and inform about the server rules, events and topics."
"MEE6's employee account was breached & scammers used that account to execute the scams and steal eth. MEE6 support denied it for hours yesterday [before later admitting what happened]."
MEE6 released a statement after the event: "Some servers have reported MEE6 being used to post unwanted messages. There is no technical breach in our systems. This was due to one of our employee's account getting compromised. The issue is now fixed and we've taken all the steps to make sure it never happens again. We take security very seriously, and will always be committed not only to keep our systems safe but also add extra measures to protect servers from accounts being compromised."
NFTHerder reports he "reached out to affected servers as well and they confirmed MEE6 hasn't shared a detailed report or offered reimbursements of misappropriated nfts/eth." "MEE6 has yet to release a detailed report." "[N]o intentions to refund. [T]hey won’t release a public statement cause scared of fud. [E]mployees can still remote access any server."
This is a global/international case not involving a specific country.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| May 17th, 2022 8:10:00 PM MDT | UnusualEss Tweet | Twitter user UnusualEss reports that "[t]here appears to be a hack involving MEE6 circling different servers,memeland/moonbirds discord affected.Remember to never click any surprise links,Stay vigilant out there frens & watch out for any other discord hacks.[23]. |
| May 17th, 2022 8:17:00 PM MDT | PeckShield Alert Tweet | PeckShield posts an alert tweet to warn the NFT community of the attack, referencing accounts for NFT projects CyberConnect, RTFKT, Moonbirds, and Memeland[24]. |
| May 17th, 2022 8:31:00 PM MDT | Zeneca Warning Tweet | "Hearing multiple reports that the Mee6 bot has been compromised and certain high-profile Discord servers have been hacked all at once (RTFKT, PROOF/Moonbirds, PXN, Memeland)"[25]. |
| May 17th, 2022 8:55:00 PM MDT | NFTherder Announces Breach | NFTherder announces a breach on Twitter, and notes that "PXN, RTKFT, [and] Moonbirds discord admin accounts [were] compromised" and "MEE6 was not hacked. Admins in the servers where compromised." He warns users to "not click any fake mints"[26]. |
| May 17th, 2022 9:48:00 PM MDT | Ryuk Developer Warning | Ryuk publishes a warning on Twitter about high profile discords being hacked including RTFKT, Memeland, PXN, Moonbirds, and Cool Cats "within the last hour" and "recommend[s] removing MEE6 from your servers"[27][13]. |
| May 18th, 2022 3:22:00 AM MDT | Jacob H List Published | Jacob H publishes a list of "[s]ervers hit in the last 8 hours via MEE6" which include RTFKT (165k),
Alien Frens (74k), Cool Cats (101k), PXN (32k), HAPE (479k), Axie Infinity (739k), PSSSD (80k), My Pet Hooligans (31k), Blockworks (6k), Moonbirds/PROOF (17k), Memeland/9GAG (238k), and Magic Eden (194k)[28]. |
| May 18th, 2022 3:50:10 AM MDT | Vauld Insights Article | Vauld Insights publishes an article on the situation. They cover over the attack and note that "Memeland, RTFKT, CLONEX, PXN, and Moonbird were compromised along with the NFT video game Axie Infinity". According to the article, MEE6 was denying the hacking claim at this time[29]. |
| May 18th, 2022 6:23:00 AM MDT | MEE6 Twitter Acknowledgement | The MEE6 Twitter account publicly acknowledges the attack. They report it was due to one of their employee's accounts getting compromised, and they've taken "all the steps" to make sure it never happens again[30][31]. |
| May 18th, 2022 6:32:00 AM MDT | Vice Article on Attack | The hack is included in a Vice article[32]. TBD explore. |
| May 19th, 2022 8:26:00 AM MDT | Tweets About Discord Hack | The recent hack is referenced by Twitter user rektnft1178[33]. TBD expand. |
| May 18th, 2022 9:37:00 AM MDT | Idea For Reimbursement Floated | NFTHerder floats the idea that the MEE6 bot developers should reimburse those users who were affected by the loss. "MEE6's employee account was breached & scammers used that account to execute the scams and steal eth. MEE6 support denied it for hours yesterday"[34] |
| May 19th, 2022 3:13:20 PM MDT | VPNOverview Article Published | VPNOverview publishes an article about the NFT channels being exploited[35]. |
| May 22nd, 2022 6:04:00 AM MDT | Memeland Urges Patience | Memeland posts to urge user to have patience, but is quite vague about when they will be launching their NFT project[36][16]. |
| May 23rd, 2022 8:00:00 AM MDT | CPO Magazine Article Published | CPO Magazine publishes an article on the exploits[37]. |
| May 24th, 2022 5:11:00 PM MDT | Discord Hack Announced | Twitter user Lovell reports on the hacked Discord[38]. TBD Is this the same hack? |
| May 29th, 2022 9:56:00 PM MDT | Memeland Adds Joey Lu | The Memeland project announces they are adding Joey Lu to their team[39]. |
| May 30th, 2022 10:12:00 AM MDT | NFTHerder Publishes Discord Hack List | This incident is included in a list of Discord hacks published by NFTHerder[40]. |
| May 31st, 2022 11:15:22 AM MDT | Business News Article | The online Business News site publishes an article about the situation[41]. |
| June 2nd, 2022 7:44:00 AM MDT | ThreatPost Article | An article is shared by ThreatPost which references the situation[42]. TBD review. |
| June 5th, 2022 7:43:00 PM MDT | Memeland Discord Is Unlocked | Memeland announces that they are unlocking the Discord[43]. |
| June 8th, 2022 3:53:00 AM MDT | NFTherder Public Criticism | NFTherder posts at "3 weeks" later that it's "[t]ime to stop using MEE6" because there are "[n]o official report or refunds" and shares the NFTEvening article[44]. |
| June 14th, 2022 7:56:00 AM MDT | Inclusion In Vice Article | The Discord attack is included in the Vice article[45]. TBD review |
| July 17th, 2022 6:01:00 PM MDT | Kev Brown Publishes Discord Hack List | This attack is included in a list published by Twitter user Kev Brown of all the Discord hacks which have been noted[46]. TBD spread to other cases. |
| October 15th, 2022 2:31:00 PM MDT | Memeland Launches A New Website | The Memeland project announces their new website[47]. |
| November 19th, 2022 7:34:00 AM MST | Continuing To Promote | Memeland continues to promote further on Twitter[48]. |
Technical Details
Explanation of Attack By 777Skits
777Skits published a tweet with a breakdown of the new account hacking method being used[49].
"MEE6 Hack" & "New Account Hacking Method"
The recent discord hacks utilizing MEE6 and compromised admin accounts:
First they will hack an admin account.
Secondly they will create a reaction role feature from MEE6 to give an alternate account admin.
Using this method, they will be able to send webbook messages while hiding who the compromised administrator account is.
Making it more difficult to stop the attack. The best way is to remove MEE6/the webbooks right away rather then trying to identify the compromised account.
So there is this new social engineering method that is very convincing:
This is targeting mainly higher ups in projects: Two things that they use, Collaboration requests with high scale projects, and offering job opportunity's.
They will seem quite convincing. They will then get you into "their" discord server. There will be a fake verification bot, this will most likely be imitating captcha bot, or wickbot. The server will have members and look very legit
Once you interact with these fake bots they will snag your discord token, giving them instant access to your account without 2FA or your password.
How to prevent?:
Always verify the legitimacy of who you are speaking with.
If you join a server and have to verify, always double check if it's the actual bot.
You can ask the person you are working with to be auto roled.
Total Amount Lost
The total amount lost is unknown.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
[33] TBD
Warnings on Twitter
Multiple Twitter users stepped up to warn others about the hack[23].
There appears to be a hack involving MEE6 circling different servers,memeland/moonbirds discord affected.Remember to never click any surprise links,Stay vigilant out there frens & watch out for any other discord hacks.
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Continuing to promote[50][51][52] including launching a new website[47] and launching another stage 5 of artwork[53][54][55].
Memelist Publishes Partner List
Memelist published a spreadsheet with all of their giveaway partners listed to avoid any confusion in the future[56].
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
The primary issue was related to the security of the Discord server, which granted additional unnecessary permissions to the MEE6 bot. The widespread bot access should not fall under the control of a single employee or system, which may form a fundamental design limitation of Discord or the MEE6 bot system.
NFT traders can avoid falling victim to such fraud by not making rushed decisions, double checking any promotions against multiple sources, and avoiding any mints that seem to be too good to be true.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ MEE6 Discord Bot Accused of Negligence (Nov 23, 2022)
- ↑ @NFTherder Twitter (Nov 23, 2022)
- ↑ @NFTherder Twitter (Nov 23, 2022)
- ↑ @NFTherder Twitter (Nov 23, 2022)
- ↑ @NFTherder Twitter (Nov 23, 2022)
- ↑ @search Twitter (Nov 23, 2022)
- ↑ @BeosinAlert Twitter (Nov 24, 2022)
- ↑ [ https://twitter.com/CHOX3__/status/1519240898437328898%7CNov 24 @CHOX3__ Twitter] (Nov 24, 2022)
- ↑ [ ] (Jan 16, 2022)
- ↑ @Blabre97 Twitter (Nov 24, 2022)
- ↑ @mekamran Twitter (Nov 24, 2022)
- ↑ @Tricky_NFTs Twitter (Nov 24, 2022)
- ↑ 13.0 13.1 @ryuk_dev Twitter (Nov 24, 2022)
- ↑ Memeland (Nov 17, 2022)
- ↑ https://opensea.io/9GAGLABS (Nov 21, 2022)
- ↑ 16.0 16.1 Memeland - "Go slow to go fast." - Twitter (Nov 21, 2022)
- ↑ What Is Memeland Nft By 9gag Not Just A Jpeg But Utility Enabled Pfps (Nov 22, 2022)
- ↑ What Is Memeland's Potatoz NFT? - 101 Blockchains (Nov 22, 2022)
- ↑ Memeland NFT Review: Team, Utility, Roadmap And More (Nov 22, 2022)
- ↑ Memeland - "This was written 36 years ago. Still a good read today." Warren Buffett Quote - Twitter (Nov 24, 2022)
- ↑ Discord Bot | MEE6 (Nov 23, 2022)
- ↑ MEE6 | Discord Bots | Discords.com (Nov 23, 2022)
- ↑ 23.0 23.1 UnusualEss - "There appears to be a hack involving MEE6 circling different servers,memeland/moonbirds discord affected.Remember to never click any surprise links,Stay vigilant out there frens & watch out for any other discord hacks." - Twitter (Nov 24, 2022)
- ↑ PeckShield Alert - "#PeckShieldAlert #phishing Seems like several #NFT discords were compromised. Stay safe! @CyberConnectHQ @proof_xyz @RTFKT @Moonbirds @memeland #NFT community share to raise awareness." - Twitter (Nov 24, 2022)
- ↑ Zeneca_33 - "Hearing multiple reports that the Mee6 bot has been compromised and certain high-profile Discord servers have been hacked all at once (RTFKT, PROOF/Moonbirds, PXN, Memeland). " - Twitter (Nov 24, 2022)
- ↑ NFTherder - "PXN, RTKFT, Moonbirds discord admin accounts compromised. Do not click any fake mints" - Twitter (Nov 23, 2022)
- ↑ Ryuk - "Lots of high profile discords (RTFKT, Memeland, PXN, Moonbirds, Cool Cats) all hacked within the last hour. To be safe, I would recommend removing MEE6 from your servers." - Twitter (Nov 24, 2022)
- ↑ Jacob H - "Servers hit in the last 8 hours via MEE6" - Twitter (Nov 24, 2022)
- ↑ NFT Discord Hack: Mee6 Discord Bot Hack Triggers A Domino Effect - Vauld Insights (Nov 23, 2022)
- ↑ mee6bot - "Some servers have reported MEE6 being used to post unwanted messages." - Twitter (Nov 23, 2022)
- ↑ NFTherder - "Turns out there was some truth about the MEE6 compromise: MEE6 wasn't hacked itself however an employee of their company had their account breached" - Twitter (Nov 23, 2022)
- ↑ Hackers Compromise a String of NFT Discord Channels - Vice (Nov 23, 2022)
- ↑ 33.0 33.1 rektnft1178 - "DEFINITELY HACKERSSS!!!! THEY RUIN EVERYTHING!!" - Twitter (Nov 22, 2022)
- ↑ NFTherder - "MEE6's employee account was breached & scammers used that account to execute the scams and steal eth. MEE6 support denied it for hours yesterday" - Twitter (Nov 24, 2022)
- ↑ Hackers Use Discord Bot to Infiltrate NFT Channels in Phishing Attack - VPNOverview (Nov 24, 2022)
- ↑ 9gagceo - "Mint date? Not today. Mint price? Not cheap. Roadmap? No roadmap. What now? Follow @MEMELAND." -Twitter (Nov 22, 2022)
- ↑ Multiple NFT Projects Attacked After Commonly-Used "Mee6" Discord Bot Hacked - CPO Magazine (Nov 23, 2022)
- ↑ Lovell_eth - "YOUR DISCORD IS HACKED, CHECK ANNOUCEMENT, SOMEONE SENDED SCAM LINK, ALL CHANEL ARE CLOSED" - Twitter (Nov 22, 2022)
- ↑ Memeland - "we are very excited to announce our latest crew member! Please welcome Mamypoko aka @joey_lu." - Twitter (Nov 22, 2022)
- ↑ NFTherder - "In May, 70 discords got exploited including big projects like @RTFKT and @coolcatsnft. Even OpenSea's official discord was breached!" - Twitter (Nov 24, 2022)
- ↑ NFT Twitter accuses discord bot MEE6 of negligence - Business News (Nov 24, 2022)
- ↑ Scammers Target NFT Discord Channel | Threatpost (Jul 17, 2022)
- ↑ Memeland - "Unlocking @MEMELAND Discord today." - Twitter (Nov 22, 2022)
- ↑ NFTherder - "3 weeks since between 200/300E was stolen cause a @mee6bot employee had remote admin access to nft servers he wasn't supposed to have. No official report or refunds." Twitter (Nov 23, 2022)
- ↑ Wave of Discord Hacks Is Making the Crypto Crash More Painful for Investors - Vice (Nov 23, 2022)
- ↑ KevBrownGB - "Be careful out there people. This is how back it has been" - Twitter (Nov 22, 2022)
- ↑ 47.0 47.1 Memeland - "As promised, the new @Memeland website is launched!" - Twitter (Nov 22, 2022)
- ↑ 48.0 48.1 Memeland - "It's boring to talk about Memeland every day. It's boring (and arrogant) to retweet posts that talk about how bullish Memeland is every day. Now you tell me, what should we talk about here?" - Twitter (Nov 24, 2022)
- ↑ 777Skits - "The recent discord hacks utilizing MEE6 and compromised admin accounts:" - Twitter (Nov 23, 2022)
- ↑ Memeland - "Which NFT collection has hottest holders? No pic, no proof." - Twitter (Nov 22, 2022)
- ↑ Memeland - "Our moderators will be taking calls 24/7" - Twitter (Nov 22, 2022)
- ↑ Memeland - "Is it just me or is @Memeland getting more attention from the west these days?" - Twitter (Nov 22, 2022)
- ↑ Memeland - "It has taken more time than expected to finish the Stage 5 artworks." - Twitter (Nov 22, 2022)
- ↑ Memeland - "Here's the link for our Stage 5 reveal..." - Twitter (Nov 22, 2022)
- ↑ Potatoz Stage 5 Reveal Online Party - YouTube (Nov 22, 2022)
- ↑ Memelist Giveaway Partners - Google Sheets (Nov 24, 2022)
Cite error: <ref> tag with name "nftherdertwitter-9717" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "mee6bottwitter-9718" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "nftherdertwitter-9719" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "nftherdertwitter-9720" defined in <references> is not used in prior text.