People Building 'Blockchain City' in Wyoming Scammed by Hackers (vice.com)
CityDAO -- the group that bought 40 acres of Wyoming in hopes of "building a city on the Ethereum blockchain" -- announced this week that its Discord server was hacked and members' funds were successfully stolen as a result. From a report: "EMERGENCY NOTICE. A CityDAO Discord admin account has been hacked. THERE IS NO LAND DROP. DO NOT CONNECT YOUR WALLET," the project's Twitter account declared. CityDAO is a "decentralized autonomous organization" that hopes to collectively govern a blockchain city, offering citizenship and governance tokens in exchange for the purchase of a "land NFT" bestowing ownership rights to a plot of land. Like many other cryptocurrency, NFT, and DAO projects, CityDAO's community lives on Discord, a popular service chiefly designed for gamers but which has become an indispensable part of the crypto ecosystem. On Discord, CityDAO issues announcements, updates, answers questions, hosts a community, and issues alerts for "land drops," or opportunities to buy NFTs that represent parcels of land.
The attack worked by compromising the Discord account of a moderator, a core-team member and early investor who goes by Lyons800. They detailed the angle of attack in a Twitter thread the following day. First, the attacker posted a doctored screenshot showing a conversation with Lyons800 in another Discord server, claiming that he was scamming people there. Lyons800 offered to prove it wasn't him and got on a voice call with the scammer, who convinced the moderator to let them inspect their console. From there, the scammer obtained Lyons800's Discord authentication token that let them hijack the account. In a tweet, Lyons800 described this as "a ridiculous security breach from Discord." From here, the scammer launched a webhook attack to exploit CityDAO and BaconDAO -- a group that describes itself as an "investors guild" that educates its members -- where Lyons800 is a co-founder. Webhooks are best thought of as tools that connect Discord servers to other websites, and are often used to send automated messages and updates.
So they pulled the rug before even starting.. (Score:4, Insightful)
Re: (Score:2)
In this case, I'd say more of a sod [wikipedia.org] pull ... :-)
Re: (Score:2)
... to build anything, using the oh-so-common excuse "it was hackers!"? Congratulations, that is the crypto-scam mastery we all want to see.
Somehow it does not surprise me that a group of people who wanted to build a blockchain community got hacked. Idiot optimists are prime targets for scammers of all sorts. They will believe anything you tell them.
Wyoming is in the US (Score:4, Insightful)
Re: (Score:1)
Maybe you've never heard of the city of Irvine, CA [wikipedia.org], entirely owned and operated by The Irvine Corporation [wikipedia.org].
Re: Wyoming is in the US (Score:2)
You do realize every city, town and village in the USA is incorporated, right? It is part of the process. Boston was incorporated March 19, 1822 as a city.
Not since it was a ranch the 1800s (Score:2)
In the 1800s, the area that is now Irvine was a ranch owned by a family. In the 1800s.
Now, it's neither "wholly owned" nor operated by the Irvine company. You can buy (and therefore own) land in Irvine just like any other city:
https://www.realtor.com/reales... [realtor.com]
It's run like most cities in California - by a city council who hires a city manager.
Re: (Score:2)
You're thinking people would actually build real things on real land? This is 'blockchain crypto bullshit bingo bla bla' we're talking about.
So it'll be NFTs of pictures of houses built on the NFTs of the pictures of the plots of land they're supposedly 'buying'.
Re: (Score:2)
Re:Wyoming is in the US (Score:4, Interesting)
there's no need to buy a plot to access public areas
There are plenty of BLM parcels that can be accessed only from private land. There is a court case going on right now, in Wyoming even, where hunters are being charged with trespass [backcountryhunters.org] for walking from one corner of a BLM parcel to another. Without owning adjoining land this is the only way to access many otherwise "public" lands in the Western US [trcp.org].
Re: (Score:2)
The possibility of not being able to obtain access to land you "own" is pretty ridiculous, but it's real. I once looked into this on some "cheap" land and drew the conclusion that even if you have a good lawyer, you may not be able to obtain access to what you "own". You are at the mercy of whoever owns the route you need to traverse, and they are under no obligation to give in at any reasonable price. In theory the government can solve this with eminent domain, but even that can take forever and fail w
Re: (Score:2)
Re: (Score:3)
IANAL either; but having read some, I found that their definition of "necessity", does not include the need to make the land usable if it's already land-locked. This article [incorporated.zone] seems to imply that if you don't obtain the easement when the land is subdivided, you no longer have the "easement by necessity".
As a non-lawyer, I find the language to be really weaselly and over-weighted in favor of those who it seems ought to have to give up the easement. I read another case where somebody cut off the end of a cul-
Re: (Score:2)
This is of course OFF TOPIC for the thread... but I find it interesting, so i am going to jump in :)
In the first case where a person buys a land locked inaccessible piece of property - you mention that someone "ought to have to give up the easement". I don't see why they should. One person made a (bad?) decision to purchase land. That should not obligate someone else to give up their land. Why give up the right to control access to and privacy of their property because someone else made a purchase of a
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
The United States is a federated nation. You are both a citizen of a country, and citizen of the state in which you reside. Each state also has its own Constitution. And for the most part States and Federal government have overlapping jurisdictions with the State taking precedence in many cases. When the media reports on the work done by the Judicial branch, it is essentially to arbitrate between State and Federal jurisdiction. And examine the power of the legislature as expressed through State law and Stat
Re: (Score:2)
Re: (Score:2)
Technically the smallest enclosing sovereign entity would be the state of Wyoming, which in turn is enclosed in the larger sovereign entity of the US. This kind of joint sovereignty is possible because in theory the distribution of power established by the US Constitution follows the MECE principle: Mutually Exclusive, Collectively Exhaustive.
Because of the "collectively exhaustive" property inferior government units like counties, municipalities, and special taxation districts are creatures of the state.
Good (Score:1)
best possible outcome
if you fall for ponzi scheme (Score:1)
Re: (Score:2)
What if the Dunning-Kruger effect has led me to believe I'm smarter than everyone else? At the very least this should be a forgivable social disability. I mean what's unreasonable about wanting an unregulated, decentralized currency without government meddling but also have the government step in to stop fraud and robbery?
Re: (Score:2)
What if the Dunning-Kruger effect has led me to believe I'm smarter than everyone else?
Then you're at the Dunning-Kruger Peak for understanding what the Dunning-Kruger effect is.
Social Hacking at its "best". (Score:2)
A key ingredient was the social hack. Well done for a hack. Nasty.
But if you're buying 40 acres somewhere, there has to be some significant funds involved, no? And if you want to build a city out of thin air, with some newfangled blockchain currency thing (a very stupid idea IMHO), wouldn't you want to establish a watertight, service independent crypto-hardened auth/auth/ident system for rock-solid accountable and trackable transactions and fund management first? Seems logical to me.
The root of the problem
Re: (Score:2)
Hello police, I willfully handed my magic beans over to the wrong hash address, can you help.
40 acres? (Score:3)
And a mule?
Kidding aside - 40 acres is the size of one small family farm. How's a city supposed to fit in there?
Re: (Score:2)
Kidding aside - 40 acres is the size of one small family farm. How's a city supposed to fit in there?
Those "land NFTs" people purchase are highly compressed ... :-)
Yeah, it was ridiculous (Score:5, Funny)
Re: (Score:2)
exactly...
gimme access to your pc to prove you're not scamming.
sure here you go!
Seriously, who does this? This stinks of an inside job with a flimsy excuse.
Re: (Score:2)
Re: (Score:2)
Ridiculous that Lyons800 allowed a stranger to remotely access his console. Yeah, that's clearly the fault of Discord... /s
Just remember that these are the brains behind these services proposing to handle your money.
Re: (Score:2)
That's not what happened. The scammer had him open the inspection console (ctrl+shift+I) and then screenshot it and post to "verify his authenticity".
Easy enough to walk someone through to Network tab and then make sure that screenshot includes the sent headers for a message acknowledgement—which has their Discord auth token for the session.
Again, no remote access needed at all, just some social engineering.
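An added example, not part of the comment above or of any project named on this page: the same request headers that show up in a Network-tab screenshot are also written into an exported HAR capture, so this sketch goes one step beyond the screenshot case and redacts credential-bearing headers from a HAR object before it is shared. The header list, the `sanitizeHar` name and the sample capture are assumptions constructed for illustration.

```javascript
// Redact credential-bearing headers from a DevTools HAR export before sharing.
// Assumption: this header list is a starting point, not exhaustive.
const SENSITIVE = new Set([
  "authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key",
]);

function redactHeaders(headers, hits, where) {
  return (headers || []).map((h) => {
    if (SENSITIVE.has(String(h.name).toLowerCase())) {
      hits.push(`${where}: ${h.name}`);            // record what was found
      return { ...h, value: "[REDACTED]" };
    }
    return h;
  });
}

// Returns a redacted copy plus a list of findings; the input is not mutated.
// Note: request bodies and query strings can also carry secrets and are
// not inspected here.
function sanitizeHar(har) {
  const hits = [];
  const entries = (har.log?.entries || []).map((e, i) => {
    const req = e.request || {};
    const res = e.response || {};
    return {
      ...e,
      request: { ...req, cookies: [],
        headers: redactHeaders(req.headers, hits, `entry ${i} request`) },
      response: { ...res, cookies: [],
        headers: redactHeaders(res.headers, hits, `entry ${i} response`) },
    };
  });
  return { har: { ...har, log: { ...har.log, entries } }, hits };
}

// Constructed sample capture (hypothetical host and values).
const sampleHar = { log: { version: "1.2", entries: [{
  request: { method: "POST", url: "https://chat.example/api/messages/2/ack",
    headers: [
      { name: "Authorization", value: "CONSTRUCTED-TOKEN-VALUE" },
      { name: "Content-Type", value: "application/json" },
    ],
    cookies: [{ name: "session", value: "CONSTRUCTED-COOKIE" }] },
  response: { status: 200, cookies: [],
    headers: [{ name: "Set-Cookie", value: "sid=CONSTRUCTED" }] },
}] } };

const result = sanitizeHar(sampleHar);
console.log(result.hits);
```

A non-empty `hits` list means the capture held a live session credential at the time it was taken.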
Re: (Score:2)
I tend to not have too much sympathy for the folks who get caught up in the silly NFT craze - but really they're all lucky they learned early on that this dude has no business handling funds (real or pretend) that belong to other people.
Re: (Score:2)
The phrase "connect your wallet" was probably a warning sign for the users. What a great idea, give some rando on Discord a direct connection to your wallet.
Convoluted excuse (Score:2)
First, the attacker posted a doctored screenshot showing a conversation with Lyons800 in another Discord server, claiming that he was scamming people there. Lyons800 offered to prove it wasn't him and got on a voice call with the scammer, who convinced the moderator to let them inspect their console. From there, the scammer obtained Lyons800's Discord authentication token that let them hijack the account. In a tweet, Lyons800 described this as "a ridiculous security breach from Discord."
Potentially (and tenuously?) plausible, but sounds more like an inside job with a "story" to match, including putting the "blame" on someone else. It'll be interesting to hear about more details in the future.
Re: (Score:2)
I agree 100%
Inside job with a 'plausible' excuse
GOOD. (Score:1)
Their entire vision was based upon sacrificing the planet to enrich themselves. This couldn't have happened to a nicer group of people.
Not sure which is more hilarious (Score:3)
Watching all these people get scammed in crypto, or the loud mouthed anti-vaxxer bodies hitting the floor.
"a ridiculous security breach from Discord" (Score:2)
In a tweet, Lyons800 described this as "a ridiculous security breach from Discord."
That's what the article says. I couldn't find that tweet myself, but there was one tweet marked as deleted. Presumably other folks told Lyons800 that sharing your console (and auth secrets) with someone will very naturally give them full access, and isn't a security breach from Discord. How does someone this ignorant of digital security decide to manage other people's digital currency? Ugh.
Re: "a ridiculous security breach from Discord" (Score:2)
To those people I say: (Score:2)
Freedom of decentralized technology! (Score:2)
I realize that out of all the weirdness in this story this may be an odd, minor one to fixate on, but:
"Like many other cryptocurrency, NFT, and DAO projects, CityDAO’s community lives on Discord"
"Why is your cryptoNFTDAOCurrency project using this 'blockchain' thing?"
"Oh, you see, Blockchain is a distributed, decentralized, open system where anyone can set up their own independent node and participate, and the system is secure and cannot be manipulated or controlled by any central authority!"
"Gee,
Re: (Score:2)
I completely agree.
Any honest project should have security and decentralisation as primary concerns. The crypto space could invest in teaching their community how to protect themselves by simply setting up a DAO to help fund a small team full-time to produce education and maybe some security certifications... But the majority of projects don't care.
(Except Cardano which is apparently seeking proposals for exactly this via Catalyst).
As a side note, there are ways to avoid gas such as using another network s
Re: (Score:2)
Blockchain itself has nothing to do with crypto, it is normally based on consensus, and there is no "gas" needed to make it work. You choose your consensus method when you create the blockchain. You can have all the senior people in your group running their own servers, and set the consensus threshold.
Re: (Score:2)
(I should have said "cryptocurrency," sorry for the technical error)
Blind faith in technology by Techno-fools (Score:2)
Now they'll go to law enforcement (i.e. the "ebil gumerment") to try and track down the thieves. Hypocritical dimwits get what they deserve.
Re: (Score:2)
Re: (Score:2)
Hacked, scammed or insider ripped it (Score:1)
These "coins" are BS (Score:1)
There is nothing new about these so called electronic coins. Banks have been dealing with real coins and real money for decades and it has been electronic for decades. I can send you USD funds without a check or actual money. I could do that clear back in the 1980s without a problem. It's also real money and it's all recorded in a real ledger that stands up to an auditor's scrutiny. So it's all based on real stuff.
These "crypto" coins that are really not crypto in the first place aren't based on anything. I
Their Discord server.. (Score:2)
Every time I turn around, I keep seeing articles about a Discord server being hacked.
Sounds like folks should be dropping Discord like a bad habit or are there better ways to better secure your Discord server?
I have never used Discord, so I am genuinely curious...