Memeland Discord Server Compromised

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Memeland

Memeland used MEE6, a widely implemented Discord bot which assists with ranking and moderation functions. MEE6 had administrative level access to a wide range of Discord servers where it was set up. One of the MEE6 employee accounts was compromised, and the attackers used that to run widespread phishing attacks on multiple NFT communities, including Memeland. The Memeland community was particularly susceptible due to the transparent lack of a concrete roadmap for the project. The NFT space often has time-sensitive opportunities. It's unclear exactly how many users were affected, and it seems that no funds have been recovered. MEE6 has apparently not published further details about what happened.

About Memeland

Having started as 9GAG in 2008, Memeland now invites people to join and contribute to their community and company through blockchain technology^[1]. "We joined 500 Startups in 2011, raised seed funding, joined Y Combinator in 2012, and never stopped shipping."^[1] Memeland NFT is a collection of 9,999 utility-enabled PFPs (Profile Picture Frames)^[2] initiated by 9GAG as they venture into the web3 space^[3]. Memeland joined OpenSea in June 2022^[4]. Memeland NFTs can be purchased on NFT marketplaces like OpenSea, LooksRare, and X2Y2^[3].

9GAG, based in Hong Kong, has a massive global audience of over 200 million^[2] on social media platforms like Instagram, Facebook, Twitter, and TikTok^[3]. Multiple famous celebrities and investors are involved in the project, such as Kevin Rose, Gary Vaynerchuk, Kevin Ma^[3], and Hong Kong tycoon Adrian Cheng^[2]. Memeland NFT is comparable to successful projects like Moonbirds, Invisible Friends, CloneX, Doodles, and the Bored Ape Yacht Club (BAYC), with similarities in having a company behind it, token systems, metaverse land, celebrity involvement, Web2 experience, and building an NFT ecosystem^[2].

Memeland is a venture studio focusing on web3 and building social products for communities^[1]. 9GAG aims to make the world happier with Memeland NFT as its first collection^[2]. Memeland's mission is to empower creators by connecting web2 and web3 communities^[2]. The project revolves around the concept of finding Memeland, a legendary treasure island known for its glory, fortune, love, and the best memes^[3]. They aim to connect creators and communities through creativity, the $MEME token, and NFTs^[1].

$MEME is the governance token and the core component of the Memeland ecosystem^[3]. $MEME is earned through holding, staking, creating content, and playing in the Memeland metaverse^[2]. The main characters of the Memeland ecosystem are the Memeland Captains, a collection of 9,999 PFP NFTs that provide long-term $MEME token rewards, exclusive event access, and club memberships^[3].

Memeland offers various utilities to its PFP holders, including private club membership, exclusive access to the creator NFT marketplace, real-life events, and upcoming projects^[2]. The distribution of the Memeland PFPs includes 6,900 winners from the 9GAG and partners allowlist, 3,000 winners from the public allowlist raffle, and 99 allocated to the Memeland Treasury^[2]. The article mentions the blind auction for "YOU THE REAL MVP," which allows the community to set the price^[2]. The final price reached 5.3 ETH, and holders of this NFT receive additional utilities^[2]. Holders of Memeland PFPs have full commercial art rights for the Memeland PFPs they own and Memeland receives 6.9% of all secondary sales^[2].

9GAG emphasize under-promising and over-delivering, acknowledging that they don't know how big Memeland will become but promising to give their best^[1]. The $MEME token is a meme coin without utility, a roadmap, promises, or financial return expectations, solely focusing on memes^[1][5][6]. 9GAG has chosen not to provide a specific roadmap for the project but focuses on their mission to connect web2 and web3 and empower creators^[3]. While it lacks a traditional roadmap, its mission and strong backing are speculated to provide the potential for significant growth^[2].

People are asking questions about @MEMELAND. Let me answer some of them.

Mint date? Not today.

Mint price? Not cheap.

Roadmap? No roadmap.

What now? Follow @MEMELAND.

We made our announcement only 1 month ago. Web3 moves fast but we are here to stay. Good things take time.

"BRING OWNERSHIP TO EVERY COMMUNITY IN THE WORLD. From the team that brought you 9GAG comes Memeland, a web3-focused venture studio. We are building and investing in social products for community, with community. We are connecting creators and communities together through creativity, $MEME, and NFTs."

About MEE6

MEE6 is a popular Discord bot trusted by millions of Discord servers worldwide for managing, entertaining, and growing their communities^[7]. As of April 2022, "Mekaverse, Doodles, CyberKongz, VeeFriends, CoolCats, and RTFKT all use MEE6 everyday to manage their Discord server. More than 60,000 NFT & crypto Discord servers setup MEE6 every month, and that number is growing fast."^[8]. The bot has been active for two years and is known for its levels and auto-moderation capabilities, as well as its paid music and record features^[9]. MEE6 is a user-friendly Discord bot that offers a range of features^[7] including custom commands, moderation tools, leveling systems, Twitch and YouTube notifications, and more^[9]. Users can personalize MEE6 by changing its avatar, name, AI-based backstory, and activity, making it fit seamlessly into their server's universe and branding^[7]. MEE6 aims to continually improve and introduce new features based on community feedback and input^[9]. The bot's developers prioritize the needs and preferences of their users, considering them the driving force behind their work^[9]. MEE6 provides support through a dedicated server and maintains a presence on platforms like GitHub^[9].

Welcome Messages can be set up to provide new members with personalized greetings and information about server rules and topics^[7]. Advanced Custom Commands allow users to automate tasks, manage roles, and send predefined messages^[7]. MEE6 also offers Twitch and Social Media Alerts, Discord Reaction Roles, a leveling and XP system, and more^[7]. It is used by a wide range of servers, including those focused on Minecraft, Roblox, PUBG Mobile, MrBeast Gaming, and others^[7]. MEE6 can also assist with server protection through auto-moderation filters and facilitate giveaways^[7]. Additionally, it offers the ability to record voice and conversations in Discord with a simple click^[7].

The Reality

Discord has a number of vulnerabilities which are commonly exploited on the platform. Default permissions enable installed software to use webhooks to post content and adjust group settings. In addition, there are a number of ways to trick administrators in groups of granting permissions, and most administrators are not security experts.

On the blockchain, transactions are irreversible, which creates an opportunity for thieves who succeed in breaching services to keep a substantial portion of their ill-gotten gains. There is no central party capable of reversing any fraudulent NFT purchases on the blockchain.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Technical Details

The hack involves compromising admin accounts and utilizing MEE6, a popular bot^[18]. The hackers create a reaction role feature from MEE6 to grant alternate accounts admin privileges, allowing them to send webhook messages while concealing the compromised admin account's identity^[18]. This makes it challenging to stop the attack. The hackers target higher-ups in projects by using collaboration requests with prominent projects or offering job opportunities^[18]. They create convincing Discord servers with fake verification bots that imitate legitimate bots like Captcha Bot or WickBot^[18]. When users interact with these fake bots, their Discord tokens are captured, granting instant access to their accounts without the need for two-factor authentication or passwords^[18].

Explanation of Attack By 777Skits

777Skits published a tweet with a breakdown of the new account hacking method being used^[18].

"MEE6 Hack" & "New Account Hacking Method"

The recent discord hacks utilizing MEE6 and compromised admin accounts:

First they will hack an admin account.

Secondly they will create a reaction role feature from MEE6 to give an alternate account admin.

Using this method, they will be able to send webbook messages while hiding who the compromised administrator account is.

Making it more difficult to stop the attack. The best way is to remove MEE6/the webbooks right away rather then trying to identify the compromised account.

So there is this new social engineering method that is very convincing:

This is targeting mainly higher ups in projects: Two things that they use, Collaboration requests with high scale projects, and offering job opportunity's.

They will seem quite convincing. They will then get you into "their" discord server. There will be a fake verification bot, this will most likely be imitating captcha bot, or wickbot. The server will have members and look very legit

Once you interact with these fake bots they will snag your discord token, giving them instant access to your account without 2FA or your password.

How to prevent?:

Always verify the legitimacy of who you are speaking with.

If you join a server and have to verify, always double check if it's the actual bot.

You can ask the person you are working with to be auto roled.

Interlock Web3 Technical Analysis

Interlock posted a technical analysis on Twitter shortly after the phishing attack started^[23].

Recent discord hacks utilizing MEE6 and compromised admin accounts...

Early morning @AxieInfinity posted a short thread warning people that MEE6 bot got compromised and a fake announcement with a malicious link went out.

But this MEE6 hack went further than just posting malicious links, apparently they compromised admin accounts with a new hacking method...

1 They will hack an admin account;

2 they will create a reaction role feature from MEE6 to give an alternate account admin;

3 Using this method, they will be able to send webbook messages while hiding who the compromised administrator account is.

Once you interact with these fake bots they will snag your discord token, giving them instant access to your account without 2FA or your password.

What can you do to prevent becoming a victim?

1 Always verify the legitimacy of who you are speaking with.

2 If you join a server and have to verify, always double-check if it's the actual bot.

3 You can ask the person you are working with to be auto roled.

List of servers hit in the last 10 hours via MEE6:

RTFKT (165k), Alien Frens (74k), Cool Cats (101k), PXN (32k), HAPE (479k), Axie Infinity (739k), PSSSD (80k), My Pet Hooligans (31k), Blockworks (6k), Moonbirds/PROOF (17k), Memeland/9GAG (238k), Magic Eden (194k), Solrarity (166k), Okay Bears (84k),The Habibiz, Lazy Lions (152k), HYUNDAI (142k), Akutars (15k), Gangster All Star (50k)

A total of 2,765,000 users. Kick MEE6 now until you hear more from reputable security specialists. THIS IS STILL ONGOING.

Fact is we need more security in #Web3!

Total Amount Lost

The total amount lost is unknown. TBD - Need to calculate this using blockchain data.

Immediate Reactions

Warnings and technical analysis were shared for the community on Twitter.

Warnings on Twitter

Multiple Twitter users stepped up to warn others about the hack^[12].

There appears to be a hack involving MEE6 circling different servers,memeland/moonbirds discord affected. Remember to never click any surprise links, Stay vigilant out there frens & watch out for any other discord hacks.

Technical Analysis

"Another tweet was shared by PeckShield, a blockchain cybersecurity firm, warning users about compromised NFT Discord Server of Memeland, RTFKT, PROOF/Moonbirds and infrastructure company Cyberconnect."

"YOUR DISCORD IS HACKED, CHECK ANNOUCEMENT, SOMEONE SENDED SCAM LINK, ALL CHANEL ARE CLOSED."

"Cyberconnect and Memeland confirmed the hack on their Twitter feeds and warned users to avoid clicking on any link on Discord. Cyberconnect caution that the project will never ask for their private keys." "Memeland also alerted users on Twitter and inside Discord, where the project posted a message saying a compromised bot posted announcements with “fake links.”"

"A team member of Memeland noted, “a discord bot (mee6) seems to be compromised across various high profile servers.” The mee6 bot is used by the server owners to automate welcome messages and inform about the server rules, events and topics."

"@NFTherder singled out the MEE6 Discord bot as problematic. This Discord plugin, used by over 18 million servers, allows users to assign roles themselves by using Discord reactions. It is also a basic moderator and can send administration messages."

"MEE6's employee account was breached & scammers used that account to execute the scams and steal eth. MEE6 support denied it for hours yesterday [before later admitting what happened]."

MEE6 released a statement after the event: "Some servers have reported MEE6 being used to post unwanted messages. There is no technical breach in our systems. This was due to one of our employee's account getting compromised. The issue is now fixed and we've taken all the steps to make sure it never happens again. We take security very seriously, and will always be committed not only to keep our systems safe but also add extra measures to protect servers from accounts being compromised."

^[27] TBD

Ultimate Outcome

Memeland published a list of giveaway partners, statistics on the number of Discords affected by the MEE6 breach were published, and the Mee6Bot went mysteriously silent for the remainder of 2022.

Memelist Publishes Partner List

Memelist published a spreadsheet with all of their giveaway partners listed to avoid any confusion in the future^[50].

Statistics On Mee6 Bot Compiled

"26 of the 70 discords [compromised in May 2022] were compromised through the @mee6bot." "Turns out there was some truth about the MEE6 compromise: MEE6 wasn't hacked itself however an employee of their company had their account breached & scammers used that account to execute their scam. Question is, did the employee fall for a phishing link or was it a bribe? Crazy."

No Tweets From Mee6Bot

The Mee6Bot Twitter account did not post further for the entirety of 2022^[51].

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

NFTHerder reports he "reached out to affected servers as well and they confirmed MEE6 hasn't shared a detailed report or offered reimbursements of misappropriated nfts/eth." "MEE6 has yet to release a detailed report." "[N]o intentions to refund. [T]hey won’t release a public statement cause scared of fud. [E]mployees can still remote access any server."

Ongoing Developments

The Memland project has continuing to promote^{[49][52][53][54]} including launching a new website^[48] and launching another stage 5 of artwork^[55][56][57]. Memeland has released collections such as "You the Real MVP" and "The Potatoz" and is also working on projects like Holders.com, GMGM.com, Stakeland, and Petsland^[1].

Launch of Potatoz NFT

9GAG has more recently launched "The Potatoz," another collection of 9,999 utility-enabled PFPs in the Memeland ecosystem^[2]. The Potatoz collection serves as a ticket into the Memeland ecosystem, with secret utilities related to MVP NFTs and $MEME tokens^[3].

Potatoz is a free-to-mint NFT collection that provides access to the Memeland metaverse, which is being developed by 9GAG^[58]. Holders of "YOU THE REAL MVP" have an allowlist for future Memeland and 9GAG projects, including three free mint spots for The Potatoz^[2].

The Potatoz introduced a "stake-to-win" mechanism called "GROW-TO-WIN," where holders can stake their Potatoz to unlock further benefits^[2][58]. Memeland aims to create a web3 ecosystem where users can participate through NFT ownership^[58]. The collection has integrated a "Grow-to-Win" mechanism, similar to staking, where staking Potatoz can lead to unique artwork and potential financial returns^[58].

The Potatoz NFT, has gained attention in the web3 space^[58]. The Potatoz have gained significant traction in secondary marketplace transactions, with a floor price of 1.45 ETH and over 9,700 ETH worth of secondary marketplace transactions completed so far^[2]. Potatoz has a trading volume of over $15 million^[58].

Individual Prevention Policies

NFT traders can avoid falling victim to fraudulent minting by carefully reviewing any requests for approval, and double checking any promotions against multiple sources. It is a good idea to always being on guard with mints that promise anything free or dramatically below reasonable market cost.

Any time that you are promised any profit or benefit in exchange for an initial payment, smart contract approval, or deposit, pay special care as to whether the entity making that offer is trustworthy, actually who they say they are, and has the means to fulfill what they're promising. There are no magic algorithms providing guaranteed returns from trading or mining. Trading on average will lose money. Mining is expensive and complex. No one is going to immediately send back more than you sent them. NFT projects will rarely announce a surprise mint in only a single location. Are you fully prepared for the event your money is kept and nothing is delivered in return?

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.

Private keys can be obtained through seed phrases, mnemonics, private key files, mobile synchronization screens, wallet export features, wallet backups, etc... Never ever send these to anyone else who you do not intend to allow to take all of your money. Attackers will use a wide variety of tactics to convince you like pretending to be your wallet software, pretending they work for the wallet software, or asking you to screen share. Don't fall for them.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Discord is a common source of vulnerabilities, and requires special care when setting up. If platforms choose to use Discord for communications, their setup should be evaluated by a relevant expert. Access to post new messages should never fall under the control of a single employee or external system.

To prevent falling victim to such attacks as a Discord administrator, it is important to verify the legitimacy of individuals you interact with and be cautious when verifying on Discord servers. Additionally, checking if the bot is genuine and requesting auto-role verification from the person you are working with can help.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

A secondary strategy for platforms would be to increase the ability for users to detect the fraudulent websites or minting offers. Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

Finally, platforms should have some funds set aside to assist with users who fall victim to phishing. Since this can be challenging for small firms to set aside a large treasury and verify the legitimacy of most phishing attacks, the ideal solution would be to pool funds and resources together in an industry insurance fund model.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

The primary strategy for regulators should focus around education for new participants in the space, to ensure a greater understanding. Better security would make it harder to have a Discord breached. An industry insurance fund can serve in the event that all of these measures fail.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

Cite error: <ref> tag with name "mee6-9715" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "discords-9716" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "nftherdertwitter-9717" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "mee6bottwitter-9718" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "nftherdertwitter-9719" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "nftherdertwitter-9720" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "chox3twitter-9728" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "unknown-5676" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "777skitstwitter-9737" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "memelandtwitter-9752" defined in <references> is not used in prior text.