Rogue Staff Account

A staff account acts maliciously

Threat Description

One of the most dangerous attacks a Discord server can face comes from the inside. It generally happens in one of two ways:

  • The staff account was compromised, usually through a login-token phishing scam

  • The staff member decided to attack the server for personal gain

Depending on how elevated the rogue account's permissions are, its first move is typically to stop anyone from taking its power away by banning every other staff account it can reach. It then posts official-looking announcements for a scam mint or sale, collects the Ethereum sent to its address, and disappears. In other words, an exit scam.

Prevention

The first defence against rogue staff attacks is awareness of how login-token phishing scams work. Make sure every moderator and above knows the latest schemes so they can avoid them.

Secondly, restrict the permissions that staff accounts have so that no individual staff account has the power to do serious damage to the server. The major red-flag permissions are:

  • Administrator

  • Manage Webhooks

  • Manage Roles

  • Ban Members

  • Kick Members

  • Manage Channels

No hot account should hold any of these. Kick and ban should instead be delegated to a moderation bot, which Moderators and other staff use through commands such as /kick and /ban. The remaining permissions should be reserved for the Admin and Owner accounts, which only the trusted core team hold and keep in cold storage. When kick and ban are delegated to a bot, configure the bot so that a staff account cannot kick or ban any other staff account through it, and so that the bot's configuration can only be changed from the Admin or Owner account. Otherwise a rogue staff member can reconfigure the bot to grant themselves more power.
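The policy above (moderators act only through the bot, the bot never acts against staff, and only Admin or Owner can change its configuration) is easy to state and easy to get wrong in a bot's code. The following is an added example, not the page's own code or any real moderation bot: it implements that decision logic as plain Python with no Discord library calls so it runs offline. A real bot would run this check first and only then call its library's ban or kick API. The role IDs, the config layout and the member objects are assumptions for the example.

```python
"""Added example (not the page's or any real bot's code): the authorization
policy a moderation bot should apply to /kick and /ban and to its own
configuration commands. Role IDs and the config layout are assumptions."""
from dataclasses import dataclass, field

# Assumed role IDs (constructed stand-ins for Discord role snowflakes).
OWNER_ROLE = 1000
ADMIN_ROLE = 1001
MODERATOR_ROLE = 1002
HELPER_ROLE = 1003


@dataclass
class BotConfig:
    # Roles allowed to run /kick and /ban through the bot.
    moderator_roles: set = field(default_factory=lambda: {MODERATOR_ROLE})
    # Roles the bot refuses to act against: every rung of the staff ladder,
    # so a rogue moderator cannot use the bot to remove other staff.
    protected_roles: set = field(
        default_factory=lambda: {OWNER_ROLE, ADMIN_ROLE, MODERATOR_ROLE, HELPER_ROLE}
    )
    # Only these roles may change the two sets above.
    config_admin_roles: set = field(default_factory=lambda: {OWNER_ROLE, ADMIN_ROLE})


@dataclass
class Member:
    user_id: int
    roles: set
    is_bot: bool = False


def authorize_moderation(invoker: Member, target: Member, config: BotConfig):
    """Decide whether `invoker` may /kick or /ban `target`. Returns (allowed, reason)."""
    if not (invoker.roles & config.moderator_roles):
        return False, "invoker does not hold a moderator role"
    if invoker.user_id == target.user_id:
        return False, "cannot act on yourself"
    if target.is_bot:
        return False, "target is a bot account"
    if target.roles & config.protected_roles:
        # The check the page calls for: staff cannot remove staff via the bot.
        return False, "target holds a protected staff role"
    return True, "ok"


def authorize_config_change(invoker: Member, config: BotConfig) -> bool:
    """Only Admin/Owner may edit the bot's role sets."""
    return bool(invoker.roles & config.config_admin_roles)


def handle_command(command: str, invoker: Member, target: Member, config: BotConfig) -> dict:
    """Simulated slash-command dispatcher. Returns an audit record instead of
    calling a Discord API, so the policy can be exercised offline."""
    if command not in ("kick", "ban"):
        return {"command": command, "executed": False, "reason": "unknown command"}
    allowed, reason = authorize_moderation(invoker, target, config)
    return {
        "command": command,
        "invoker": invoker.user_id,
        "target": target.user_id,
        "executed": allowed,
        "reason": reason,
    }


def set_protected_roles(invoker: Member, config: BotConfig, roles: set) -> bool:
    """Config command: replace the protected-role set. Refused unless Admin/Owner,
    so a moderator cannot weaken the policy that protects other staff."""
    if not authorize_config_change(invoker, config):
        return False
    config.protected_roles = set(roles)
    return True


if __name__ == "__main__":
    cfg = BotConfig()
    mod = Member(1, {MODERATOR_ROLE})
    scammer = Member(2, set())
    other_mod = Member(3, {MODERATOR_ROLE})
    print(handle_command("ban", mod, scammer, cfg))    # executed: True
    print(handle_command("ban", mod, other_mod, cfg))  # executed: False
    print(set_protected_roles(mod, cfg, set()))        # False
```

As defence in depth, also place the bot's own role below the staff roles in Server Settings -> Roles: Discord will not let an account ban or kick a member whose highest role sits above its own, so even a bug in the bot's policy check cannot be used to remove staff.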

Finally, keep the staff roles locked down. Vet staff accounts carefully and make sure they are trustworthy. Even without excessive permissions, staff members carry the community's trust and can scam people simply by posting links to fake mint contracts or fake sales.

How to Respond to an Active Threat

Go straight to the Admin cold-storage account and ban the rogue staff member immediately using Discord's own ban (not the bot's /ban). In the ban confirmation pop-up, choose to delete all messages the account sent in the previous 7 days so any scam announcements and links disappear with it. Next, open Server Settings -> Audit Log and look for every change the staff account made: creating webhooks, creating new roles, changing permissions on existing roles, adding or removing accounts from roles, kicking or banning accounts, or changing channels. A ban does not undo any of these, so delete any webhooks the account created and revert its role and channel changes. Discord keeps audit-log entries for a limited time (45 days), so capture what you need before it ages out.

Find the beginning of the suspicious actions: the first thing the rogue staff account did maliciously. If a bot updated the account's roles shortly before it went rogue, the bot is either compromised or misconfigured and should be kicked from the server. It can be invited back and reconfigured once the situation is over; for now the priority is identifying the source. If there is no such trail, the account was most likely compromised (usually through token phishing) or the staff member chose to exit-scam the community for personal gain. In the compromise case, treat the login token as burned and have the staff member reset their password, which invalidates existing sessions, before the account is trusted again.
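The audit-log review above is mechanical enough to script when the log is large. The following is an added example, not the page's own tooling: it takes an export of audit-log entries, lists the rogue account's red-flag actions in time order, reports the earliest one, and checks whether a bot changed the account's roles before that point (the sign the page gives of a compromised or misconfigured bot). The entries are constructed to mirror the shape of Discord's audit-log entry objects (id, action_type, user_id, target_id) and every ID in them is made up; the numeric action_type codes are Discord's published values, and snowflake IDs are decoded with Discord's documented epoch.

```python
"""Added example (not the page's tooling): triage of a Discord audit-log export
after a rogue-staff incident. Sample entries are constructed; IDs are invented."""
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, the Discord snowflake epoch

# Audit-log action types worth reviewing after a rogue-staff event.
RED_FLAG_ACTIONS = {
    10: "CHANNEL_CREATE", 11: "CHANNEL_UPDATE", 12: "CHANNEL_DELETE",
    20: "MEMBER_KICK", 22: "MEMBER_BAN_ADD", 25: "MEMBER_ROLE_UPDATE",
    30: "ROLE_CREATE", 31: "ROLE_UPDATE", 32: "ROLE_DELETE",
    50: "WEBHOOK_CREATE", 51: "WEBHOOK_UPDATE",
}
MEMBER_ROLE_UPDATE = 25


def make_snowflake(dt: datetime) -> int:
    """Build a snowflake whose timestamp bits encode `dt` (used only to construct sample data)."""
    return (int(dt.timestamp() * 1000) - DISCORD_EPOCH_MS) << 22


def snowflake_time(snowflake: int) -> datetime:
    """Recover the creation time from a Discord snowflake (timestamp lives in bits 22 and up)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def suspicious_actions(entries, actor_id):
    """All red-flag entries performed by `actor_id`, oldest first (snowflakes sort by time)."""
    return sorted(
        (e for e in entries if e["user_id"] == actor_id and e["action_type"] in RED_FLAG_ACTIONS),
        key=lambda e: e["id"],
    )


def role_changes_before(entries, target_id, before_id):
    """Role changes applied to `target_id` before entry `before_id`, oldest first."""
    return sorted(
        (e for e in entries
         if e["action_type"] == MEMBER_ROLE_UPDATE
         and e["target_id"] == target_id
         and e["id"] < before_id),
        key=lambda e: e["id"],
    )


def triage(entries, rogue_id, bot_ids):
    """Report the rogue account's first suspicious action and whether a bot
    changed its roles beforehand, which points at the bot as the source."""
    acts = suspicious_actions(entries, rogue_id)
    if not acts:
        return {"first_action": None, "first_time": None, "role_changed_by_bot": None, "count": 0}
    first = acts[0]
    prior = role_changes_before(entries, rogue_id, first["id"])
    by_bot = [e["user_id"] for e in prior if e["user_id"] in bot_ids]
    return {
        "first_action": RED_FLAG_ACTIONS[first["action_type"]],
        "first_time": snowflake_time(first["id"]).isoformat(),
        "role_changed_by_bot": by_bot[-1] if by_bot else None,
        "count": len(acts),
    }


# Constructed sample export. Account IDs are invented: 111 = Admin, 555 = rogue
# moderator, 777 = another moderator, 900 = the moderation bot.
def _t(hour, minute):
    return make_snowflake(datetime(2022, 3, 1, hour, minute, tzinfo=timezone.utc))


SAMPLE_ENTRIES = [
    {"id": _t(11, 0), "action_type": 11, "user_id": 111, "target_id": 4242},   # admin edits a channel
    {"id": _t(12, 0), "action_type": 25, "user_id": 900, "target_id": 555},    # bot changes rogue's roles
    {"id": _t(12, 5), "action_type": 22, "user_id": 555, "target_id": 777},    # rogue bans another mod
    {"id": _t(12, 6), "action_type": 50, "user_id": 555, "target_id": 8888},   # rogue creates a webhook
    {"id": _t(12, 30), "action_type": 22, "user_id": 111, "target_id": 555},   # admin bans the rogue
]

if __name__ == "__main__":
    print(triage(SAMPLE_ENTRIES, rogue_id=555, bot_ids={900}))
```

On the constructed data the first suspicious action is the ban of the other moderator at 12:05, and the bot's role change at 12:00 is flagged as the likely source, which is exactly the case where the bot should be kicked and reconfigured. A real export from the API would have more fields per entry (changes, reason, options), but the four used here are enough for this triage.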
