Jacob H.

@lukenamop

18,005
Followers
169
Following
70
Media
728
Statuses

I'm a Discord security specialist (auditor & builder). I also develop Discord bots like Server Supervisor. Schedule a call:

United States
Joined August 2020
Pinned Tweet
@lukenamop
Jacob H.
1 year
📌 Megathread of my bots and other services 📌 I’m both a Discord security auditor and a Discord bot developer, use this thread to find links to everything I have to offer!
151
663
1K
@lukenamop
Jacob H.
2 years
🚨 I was just targeted by the same hackers that compromised Giveaway Boat and MEE6 🚨 I didn't fall for it, my account is safe, and my bots were not compromised. I even reset my Discord password after interacting just to be 100% sure. Here's how they're targeting bot staff 🧵👇
10
97
187
@lukenamop
Jacob H.
2 years
Hey, you! Is your project new to Discord? Do you want a secure Discord server but you don’t want to spend the money on a "Discord audit"? Here's a 🧵 explaining how to do it in 3 simple steps 👇
8
52
169
@lukenamop
Jacob H.
2 years
🔐 Ledger Nano X Giveaway 🔐 📌 Having a hardware wallet is an essential part of keeping your NFTs and crypto safe! ℹ️ To enter: 1) Like and RT 2) Follow @lukenamop 3) Tag 2 friends that are new to NFTs I will contact the winner in 3 days!
Tweet media one
23
23
139
@lukenamop
Jacob H.
3 years
1/ There's a new phishing attack for NFT admin/mod Discord auth tokens going around, hacking/exploiting servers to post fake minting announcements. Recent victims include @catsinthecups, @wolfdotgame, and @wendropio. Read the 🧵 for more info on protecting your community 👇
8
73
145
@lukenamop
Jacob H.
2 years
#ProjectAtmos holders will be getting a free pfp drop sometime this month... I just swept 5 NFTs off the floor of @ProjectAtmos and I'm going to sweep 1 more for every 5 retweets this exclusive sneak peek gets! Check out the genesis project here (DYOR):
Tweet media one
14
74
106
@lukenamop
Jacob H.
2 years
I think I've swept 45 @ProjectAtmos NFTs by now - way more than I had to, but I love them too much to stop! I'll drop #5550 (double Bad RV) + a random floor piece to whoever sweeps the most in the next hour. DM me your wallet address if you participate!
@lukenamop
Jacob H.
2 years
#ProjectAtmos holders will be getting a free pfp drop sometime this month... I just swept 5 NFTs off the floor of @ProjectAtmos and I'm going to sweep 1 more for every 5 retweets this exclusive sneak peek gets! Check out the genesis project here (DYOR):
Tweet media one
14
74
106
8
29
87
@lukenamop
Jacob H.
2 years
Okay, I never post about NFTs I buy, but these banners are from Project Atmos Genesis by @bloqparty_nft and I gotta say, I’m a huge fan! I’m the proud owner of these 4 🔥
Tweet media one
Tweet media two
Tweet media three
Tweet media four
4
11
78
@lukenamop
Jacob H.
2 years
So... I just did a thing... I love the lavender, and the F11, and everything else about this NFT. I'm so proud. @ProjectAtmos #ProjectAtmos
Tweet media one
17
14
80
@lukenamop
Jacob H.
1 year
If someone asks you to test their P2E game on - don’t get tricked into thinking that it’s safe just because it’s on an domain. Apps and games on TestFlight do NOT go through Apple’s App Store review process. They can be malicious.
Tweet media one
2
16
52
@lukenamop
Jacob H.
2 years
Servers hit in the last 8 hours via MEE6: RTFKT (165k) Alien Frens (74k) Cool Cats (101k) PXN (32k) HAPE (479k) Axie Infinity (739k) PSSSD (80k) My Pet Hooligans (31k) Blockworks (6k) Moonbirds/PROOF (17k) Memeland/9GAG (238k) Magic Eden (194k)
9
37
65
@lukenamop
Jacob H.
2 years
⚠️ 𝗗𝗢 𝗡𝗢𝗧 "drag buttons to your bookmark bar" to "verify" on Discord. ⚠️ Honestly, don't 𝘦𝘷𝘦𝘳 leave Discord to visit 𝘢𝘯𝘺 link. 6 months later, bookmarklet phishing is still one of the primary things scammers are using to compromise Discord servers. Details below 👇
Tweet media one
Tweet media two
@lukenamop
Jacob H.
3 years
3/ The end goal is to invite you to a very legit-looking server, take you through a fake verification link, and run code in your browser using what's called a "bookmarklet" to snag your Discord auth token (bypassing your password and even 2FA). This video shows how it works:
2
4
37
1
22
59
@lukenamop
Jacob H.
2 years
🤖 Now announcing: Wallet Collector Discord bot! Wallet Collector is a FREE bot which allows you to collect wallet addresses on Discord and export them to a spreadsheet. Share to anyone who might need this! The bot doesn’t need ANY special permissions.
Tweet media one
12
19
62
@lukenamop
Jacob H.
2 years
Another day, another free Discord tool: In-channel captcha verification! ❌ No more directing your users to click links ❌ No more asking your users to open their DMs ✅ Verification handled privately, directly in your server! ✅ Free, forever
10
24
58
@lukenamop
Jacob H.
3 years
1/ So, let's recap tonight's events. $2m+ (600+ ETH) of stolen NFTs, originally attributed to an exploit in OpenSea's new listing contract. Here's a 🧵 on what we know, what we don't know, and some of the current best guesses as to what may be happening.
3
25
57
@lukenamop
Jacob H.
2 years
Over 12 hours later, the truth comes out! MEE6 staff have the remote ability to use MEE6 to give themselves roles in any server.
@mee6bot
MEE6
2 years
Some servers have reported MEE6 being used to post unwanted messages. There is no technical breach in our systems. This was due to one of our employee's account getting compromised. ✅ The issue is now fixed and we've taken all the steps to make sure it never happens again.
175
242
807
9
13
48
@lukenamop
Jacob H.
2 years
👀 Discord Pro-Tip 👀 If you’re making an announcement in your server, put your @ everyone ping at the very end of the message rather than the beginning! On mobile, Discord notifications only include the first 2 lines. This way, the notification can include actual content.
5
9
48
@lukenamop
Jacob H.
2 years
⛔ DO NOT open "Developer Tools" or "Console" on your browser. EVER. ⛔ RT and share. Sc@mmers have found a new way to snag your Discord credentials using these tools. Details below 👇
3
27
48
@lukenamop
Jacob H.
2 years
Hey @OthersideMeta, I see your Discord has been compromised. Please reach out to me, @Jon_HQ, @Plumferno, or @GrassyEth. We’re happy to help you recover at no charge and we can also run a full audit to upgrade your security protocols. Check out our profiles for more information.
6
5
46
@lukenamop
Jacob H.
2 years
⭐ What should you expect from a quality Discord audit?⭐ This is what a Discord server security audit report looks like. Each one is 8+ pages long, detailing all changes made to secure the server. This report follows a format that I developed with @Jon_HQ and @GrassyEth.
Tweet media one
1
7
43
@lukenamop
Jacob H.
2 years
📌 Discord security breaches aren't slowing down. I wanted to build something free to help all servers: Server Supervisor Discord bot ✅ Monitors & logs every webhook update ✅ Option to delete existing webhooks ✅ Option to filter verified bot webhooks
Tweet media one
6
11
40
@lukenamop
Jacob H.
3 years
You may know me from the HENI NFT Discord - I'm also a Discord bot developer and I've created a verified bot called Spam Defender to protect NFT servers from spam and scams. Check out all the info here and tell your friends: #Discord #NFTCommunity
Tweet media one
5
11
36
@lukenamop
Jacob H.
3 years
3/ The end goal is to invite you to a very legit-looking server, take you through a fake verification link, and run code in your browser using what's called a "bookmarklet" to snag your Discord auth token (bypassing your password and even 2FA). This video shows how it works:
2
4
37
@lukenamop
Jacob H.
1 year
Shoutout to @LemonGF for asking the question. I found a few articles from 2022 reporting cases of malware and scams being distributed via TestFlight:
1
5
29
@lukenamop
Jacob H.
2 years
I’m proud to announce my proprietary security bot, Server Supervisor, is officially Discord verified! If you’d like to learn more about how it works or get it set up in your server, you can check it out here:
Tweet media one
9
9
35
@lukenamop
Jacob H.
1 year
My Discord bot, Spam Defender, has been acquired by @HashbotOfficial, and I’ll be joining their team as a Project Manager! I’m very excited for what this means for every community that depends on both SD & HB to keep their servers free from impersonators and scammers 🔒
@HashbotOfficial
Hashbot
1 year
🤝 We're proud to welcome Spam Defender founder @lukenamop to the team as Project Manager. Welcome aboard!
1
0
8
15
2
34
@lukenamop
Jacob H.
2 years
👏 Enable 👏 2FA 👏 on 👏 Discord 👏 Yes, Discord authentication token compromises bypass any 2FA you might have. However, there are 2 things an auth token *can’t* bypass if you have 2FA enabled: 1) Transfer Server Ownership 2) Delete Server
1
12
31
@lukenamop
Jacob H.
3 years
I’m going live with @QueenyMartha this coming Monday to talk about Discord security, specifically for NFT servers. I’ll have some tips for general users as well as some for project managers, and we’ll do a Q&A! I hope to see you there!
2
8
28
@lukenamop
Jacob H.
2 years
Taking down malicious phishing sites left and right 🙏 Stay vigilant. If you’re targeted by these sc@mmers, please send malicious Discord invites and URLs my way via DM and I’ll follow up to get their shit shut down.
Tweet media one
Tweet media two
Tweet media three
Tweet media four
1
5
30
@lukenamop
Jacob H.
3 years
Casual self doxx. I’m Jacob, nice to meet you!
Tweet media one
5
0
26
@lukenamop
Jacob H.
2 years
The most secure NFT <-> Discord verification bot on the market, @VulcanAuth, just got a huge update! Now you can migrate roles that you're managing through other bots into Vulcan. No more starting over from scratch!
Tweet media one
1
4
26
@lukenamop
Jacob H.
2 years
5/ Some info, if you want to check your servers to see if any of these scammers/hackers are present. "Staff" user IDs: 959568833331474472 622545616265936896 759990948208967730 847293369553518623 292379315214090241 959569775372144660
1
7
26
@lukenamop
Jacob H.
2 years
7/ Please share this thread to warn as many people as possible. These hackers have been targeting NFT server staff for months but they just recently started targeting Discord bot staff. Stay safe out there friends.
0
4
26
@lukenamop
Jacob H.
2 years
Thanks for the custom @angy_chubbies NFT! My username everywhere is "lukenamop," aka "luke and a mop," and this artist perfectly captured what I was looking for. Now I can clean up the web3 universe, with mop in hand, in true chubby fashion!
Tweet media one
6
2
26
@lukenamop
Jacob H.
2 years
Step 2/ Learn the ins and outs of your Discord bot options. This requires 𝗿𝗲𝗮𝗱𝗶𝗻𝗴 𝘁𝗵𝗲 𝗱𝗼𝗰𝘀 and 𝗱𝗼𝗶𝗻𝗴 𝘆𝗼𝘂𝗿 𝗼𝘄𝗻 𝘁𝗲𝘀𝘁𝗶𝗻𝗴. There are important security bots: - Wick - Server Supervisor - Spam Defender - Good Knight - Hashbot / Beemo - Sledgehammer
Tweet media one
1
3
24
@lukenamop
Jacob H.
2 years
Solrarity (166k) Okay Bears (84k) The Habibiz Lazy Lions (152k) HYUNDAI (142k) Akutars (15k) Gangster All Star (50k) A total of 2,765,000 users. Kick MEE6 now until you hear more from reputable security specialists. THIS IS STILL ONGOING.
3
5
24
@lukenamop
Jacob H.
2 years
My Server Supervisor bot has a new (mobile friendly) captcha style! Try it out for yourself or read more at
1
4
23
@lukenamop
Jacob H.
3 years
2/ The predators behind this exploit spend multiple days developing relationships and building trust. It's important to stay on your toes, even while building what may seem like a real relationship! There are a few red flags 🚩 to look for which I'll point out.
2
0
23
@lukenamop
Jacob H.
2 years
Looking for a bot to privately and securely collect whitelist/allowlist wallet addresses on Discord? I’ve got one in early beta testing, to be released to the public soon! Contact me for early access 👀
Tweet media one
Tweet media two
13
7
23
@lukenamop
Jacob H.
3 years
Happy New Year, everyone! May 2022 bring peace and good fortune to all. My resolution is to do everything in my power to keep NFT #Discord safe by sharing security tips/tricks and continuing to develop the Spam Defender bot into the ultimate #NFTCommunity protection machine.
1
1
22
@lukenamop
Jacob H.
2 years
Congrats to @astrostleth! I just sent #5550 and #6896 to your wallet 🙌
2
0
23
@lukenamop
Jacob H.
2 years
Step 1/ Learn the interaction of every permission on Discord (in both role and channel settings). Here's a quick-start guide: Make sure to check every role and every channel to be sure nothing slips through. (This includes bots - don't give them Admin!)
Tweet media one
2
1
22
@lukenamop
Jacob H.
2 years
To be clear, this is not a new technique. Clicking the image itself isn’t an issue. The issue lies in clicking the “View Original” link, which will take you to a website and *then* access your token. Continue to use normal levels of caution when interacting with links and files.
@LetzSmash_SSB
Letz Smash 🇱🇺
2 years
⚠️New Discord Hack Technique⚠️ If you received a DM with a picture not loading; DO NOT OPEN IT ! It will steal your Discord session Token and let the hacker change your password and use your account freely The A2F does not protect against ! Report suspect activity to admins
Tweet media one
125
2K
2K
0
14
20
@lukenamop
Jacob H.
2 years
3/ I didn't click any links or leave Discord at any time. I'm trained to recognize these scams so I was careful the entire time. While I was there, I saw the "staff" (aka hackers) were targeting a bunch of other bot support servers. STAY ON YOUR TOES.
Tweet media one
1
4
21
@lukenamop
Jacob H.
3 years
4/ How would you end up at this point in the first place? Someone will reach out offering to hire you or collab with you. They'll probably sound "too good to be true" (🚩 #1). Over time they'll show you what looks like a legit website and a large Twitter account.
1
0
20
@lukenamop
Jacob H.
3 years
Damien Hirst's NFT Initiative, Which Asks Buyers to Choose Between a Digital Token and IRL Art, Has Already Generated $25 Million | Artnet News
2
3
21
@lukenamop
Jacob H.
3 years
🤯 Spam Defender banned 7,455 spammers before they could get into the @HENIGroup Discord just now… Absolutely insane!
Tweet media one
1
2
20
@lukenamop
Jacob H.
2 years
“Out of 3,207 [apps leaking Twitter API keys], 230 are leaking all four authentication credentials and can be used to fully take over their Twitter Accounts and can perform any critical/sensitive actions.” Revoke access here:
2
11
19
@lukenamop
Jacob H.
2 years
If you reset all staff Discord passwords and delete all existing webhooks then the current hackers’ access will be fully revoked and you can start recovery.
2
1
19
@lukenamop
Jacob H.
2 years
1.1/ Make sure dangerous permissions aren't assigned to 𝘢𝘯𝘺𝘰𝘯𝘦, not even staff, and make sure critical staff have secondary "Cold Admin" accounts. See the quoted thread from @Jon_HQ for more info on why this is necessary and how to set it up:
@Jon_HQ
Jon_HQ
2 years
🚨 Jon_HQ Cold Discord Admin Protocol v.1 🚨 Something I've been having troubles with explaining to teams is both the setup and usage of Cold Discord Admins for an NFT project. So here is my guide on both setup, and usage, for free, as always ♥️
5
20
65
1
1
21
@lukenamop
Jacob H.
2 years
Ever had a verification bot "break" when too many people try to join? Here's how you can improve this in your server 👇 MEE6 and other "reaction role" bots slow down when too many people try to use them:
3
8
20
@lukenamop
Jacob H.
2 years
I noticed a server in the wild which failed to protect their invite URL as outlined in this very brief thread, so I parked their invite URL for them. Please, make use of this tip! The chance of a friend catching your mistake before scammers do is very low!
Tweet media one
@lukenamop
Jacob H.
2 years
🔒 Discord Security Tip 🔒 Opening & closing a server gives scammers a chance to “steal” your invite URL and trick people into joining the wrong server. If you use a vanity URL, you need a 2nd server at full boost level to “park” your invite URL when you aren’t using it.
1
4
14
2
6
19
@lukenamop
Jacob H.
2 years
2.1/ Then there are general use/utility bots: - Dyno - ProBot - Carl - YAGPDB - Xenon - Logger - Invite Tracker - Craig - Giveaway Boat - Giveaway Bot - Ticket Tool - Tickets - Tweetshift - Pingcord - Statbot - p̶l̶e̶a̶s̶e̶ ̶n̶o̶t̶ ̶M̶E̶E̶6̶
Tweet media one
2
2
19
@lukenamop
Jacob H.
2 years
I'm back with another useful YAGPDB custom command! This one will let you bulk assign a role to up to 45 members at a time. It works with both @ mentions and raw user IDs. You can copy the code here:
Tweet media one
Tweet media two
4
2
17
@lukenamop
Jacob H.
3 years
Another #NFT #Discord security audit complete, this time for @RedKiteNFT! They brought me in a few days ago to help secure everything for their community. I left them 4 pages of notes, but that’s one of the “easier” audits I’ve done lately! 🙌
2
0
18
@lukenamop
Jacob H.
2 years
If you missed our chat today we discussed security, audits, bots, alternate platforms to Discord, how to protect servers, and just generally shared as many tips as possible. We’re going to try to do this weekly! Most likely Fridays at 8pm US EST.
1
2
19
@lukenamop
Jacob H.
2 years
Scammers can use bots to hide scam links behind real links. Never trust links on Discord, especially if they're sent by a bot. This scam will steal your Discord authentication token, which even bypasses 2FA. All project staff are targets of this scam.
2
4
16
@lukenamop
Jacob H.
2 years
@wealthhhhhh My banner from @ProjectAtmos, all the way!
Tweet media one
3
0
18
@lukenamop
Jacob H.
2 years
2.2/ And you also have your web3 bots: - Vulcan - Collab Land - Whop - Guild xyz - Alpha Bot - Wallet Collector - Boto - assorted price trackers
Tweet media one
1
1
18
@lukenamop
Jacob H.
2 years
⚠️ 𝗨𝗽𝗱𝗮𝘁𝗲 𝗔𝗽𝗽𝗹𝗲 𝗗𝗲𝘃𝗶𝗰𝗲𝘀 𝗔𝗦𝗔𝗣 ⚠️ One of these exploits can be triggered by "maliciously crafted web content [that] may lead to arbitrary code execution." Don't sleep on this. If you have an Apple device, you're being targeted by these exploits.
Tweet media one
2
7
18
@lukenamop
Jacob H.
2 years
6/ These are the primary phishing attempts we're seeing from hackers like this: 1: Scanning a QR code (usually via a fake Wick bot). 2: Asking you to drag a "bookmarklet" (aka button) into your browser's bookmark bar to verify.
2
4
18
@lukenamop
Jacob H.
2 years
4/ I've already let these bot servers know they're being targeted, but I still recommend reducing the total bots you're using and limiting permissions of the bots you're using to the minimum they can possibly have while still functioning properly.
2
2
18
@lukenamop
Jacob H.
2 years
Discord Transparency Report: “One notable trend is that accounts disabled for authentication token theft rose by 740% (in Q3 and Q4 2021).” It’s clear Discord is aware of the hacks on their platform. Hopefully they take steps to protect communities.
1
4
18
@lukenamop
Jacob H.
2 years
@NFTherder @minibossgrl @wallet_guard @Server_Forge ServerForge is a gathering of independent individuals, and @wallet_guard is a member of ServerForge. As am I.
0
0
17
@lukenamop
Jacob H.
2 years
The official OpenSea Discord server was compromised a few hours ago. EVERY SERVER can be hacked, no matter how professional your team is. The best way to reduce the chance of compromise is to bring in a full-time security specialist to perform an in-depth audit.
Tweet media one
3
3
16
@lukenamop
Jacob H.
2 years
1/ A user joined my Spam Defender support server and immediately DMed me asking to "collab" (🚩 #1). They directed me to open a ticket in their server (🚩 #2). The server's "verification" had two steps. The first step was a typical "reaction role" button.
Tweet media one
2
2
17
@lukenamop
Jacob H.
2 years
... 𝗼𝗿 ... you could save yourself hours, days, WEEKS, of work by bringing in an auditor who spends every day doing everything I've detailed in this thread. Well-reviewed auditors may not be cheap, but they can jumpstart your community and provide lasting protection.
1
1
16
@lukenamop
Jacob H.
3 years
5/ If you look closely you might notice that they aren't followed by anyone you're following (🚩 #2) or that their account is even stolen/purchased (🚩 #3). See the screenshot in this Tweet:
@Jon_HQ
Jon_HQ
3 years
Another tweet coming out very shortly about today's compromises, but here are two little red flags to look out for if an NFT project approaches you about a collaboration... This twitter account is a scam, if you join their Discord it'll try to get you to verify and phish you.
Tweet media one
1
8
32
1
1
16
@lukenamop
Jacob H.
2 years
⚠️ DISCORD SECURITY ALERT The "Manage Roles" permission gives Discord mods the ability to enable this permission for roles in your server, even if they *don't* have "Mention Everyone" perms. IF MODS HAVE "MANAGE ROLES", THEY HAVE THE ABILITY TO @ YOUR VERIFIED ROLE.
Tweet media one
3
6
18
@lukenamop
Jacob H.
3 years
10/ With new forms of phishing exploiting big-name projects left and right, it's important to stay ahead of the game. Find sources you trust and follow them for more info like this. I personally like @Jon_HQ, @Plumferno, @ddotFi, @wilxlee to name a few.
0
2
16
@lukenamop
Jacob H.
2 years
Here’s the first Tweet in the thread if you want to give it some love:
@lukenamop
Jacob H.
2 years
Hey, you! Is your project new to Discord? Do you want a secure Discord server but you don’t want to spend the money on a "Discord audit"? Here's a 🧵 explaining how to do it in 3 simple steps 👇
8
52
169
0
1
15
@lukenamop
Jacob H.
2 years
@alsaai_eth @NFTherder Hotshot says he blurred out the context "to shine a light on the behavior, not calling out the ppl or project involved." I, for one, am happy to be associated with the words I've written. Here's the full context.
Tweet media one
@Jon_HQ
Jon_HQ
2 years
Sharing information in this space is vital. Both members in the quoted tweet are in @Server_Forge All my homies love @Server_Forge
21
10
51
1
2
16
@lukenamop
Jacob H.
2 years
2/ The second step was a fake external link that asked me to add a bookmarklet to my browser (🚩 #3) and then click it to verify and join the server.
Tweet media one
1
2
15
@lukenamop
Jacob H.
2 years
1.3/ User roles should be sorted from highest permissions to lowest permissions. "Vanity roles," to give cool colors or titles, should have no permissions. In general, channels should not have any explicit ✅/❌ permissions except "View Channel" and "Send Messages."
1
1
15
@lukenamop
Jacob H.
2 years
Flashy graphics and marketing tactics don't replace detailed written reports. Look for someone who will be available to help you as things evolve long-term. Someone like @Jon_HQ, @Plumferno, or one of the many other auditors contributing to the public @Server_Forge community.
1
1
14
@lukenamop
Jacob H.
2 years
@Jon_HQ @Server_Forge ServerForge is one of the most unique communities I’ve ever been privileged to be a part of. It’s so incredible to see info and resources spread far and wide by every member of the group. Keep up the good work, everyone 🙌
0
1
14
@lukenamop
Jacob H.
2 years
1.2/ Aside from explicit permission settings, you also need to give some attention to the role order (or hierarchy). If this is wrong, all your hard work setting permissions would be for naught. Bots should be no higher on the role list than they need to be.
1
1
16
@lukenamop
Jacob H.
2 years
This is the last tweet in a thread from Giveaway Boat detailing how the dev was compromised (fake verification bookmarklet scam) and how the hacker was able to use the bot (“eval” command that may have exposed the bot’s token). This is “resolved,” but I won’t use this bot again.
@giveaway_boat
Giveaway Boat
2 years
As for how they got access to the bot's token when I had 2FA enabled, the only likely way is that they used eval command in the bot using my account, which is a cmd that many devs use to run codes privately. This might be the only way they could get token, I've removed it now!
2
0
7
2
4
14
@lukenamop
Jacob H.
3 years
6/ When you're starting to think they might be trustworthy, they'll invite you to check out their Discord and help you through their fake "verification" process, stealing your auth token. As soon as they have your token they have full access to your account, even if you have 2FA.
3
0
14
@lukenamop
Jacob H.
1 year
🤖 Wallet Collector bot - Collect wallet addresses on Discord - Export submitted addresses to a csv spreadsheet - Only allow users in specific roles to submit their wallets - Does not require any server permissions Docs & Invite: Price: Free
2
4
12
@lukenamop
Jacob H.
2 years
Made it this far? Still want to do it yourself? Contact me or @Server_Forge and we can connect you with further resources!
3
2
14
@lukenamop
Jacob H.
1 year
🔒 Discord Security Audit Service - Audit & update all settings, permissions, roles, and channels - Audit & update existing bots - Set up additional security bots More info: Message me or schedule a free introductory call at
1
3
11
@lukenamop
Jacob H.
2 years
🔒 Discord Security Tip 🔒 A day or so before your mint (or other scheduled events), have all of your moderators and team members reset their passwords. Even if they have 2FA! This will reset their Discord auth tokens and boot out hackers lying in wait.
4
4
15
@lukenamop
Jacob H.
2 years
Official update from the @Ticket_Tool developer:
Tweet media one
4
6
14
@lukenamop
Jacob H.
1 year
Incredible to see Wallet Guard continuing to improve on their protection services. You guys are next level, keep up the great work.
@wallet_guard
Wallet Guard
1 year
Introducing Stormwatcher ⛈️ detecting wallet drainers without even having to connect your wallet or simulate a transaction. Watch it in action now ⬇️
28
106
276
2
0
12
@lukenamop
Jacob H.
3 years
💡 Discord Security Tip 💡 Don't give your mod team "Manage Roles" permission! If they need to be able to assign whitelist roles, use this YAGPDB custom command I wrote. Reach out to me if you need help with this. Once it's set up, it's as easy as "-whitelist @lukenamop"!
Tweet media one
3
2
12
@lukenamop
Jacob H.
2 years
Look for someone with positive reviews from other auditors, not just someone that other project founders recommend. Look for someone who has a track record of proactively providing public, free resources, who will go out of their way to protect servers they don't even work with.
1
1
13
@lukenamop
Jacob H.
2 years
Feel like the chips are down? Spend some time improving yourself: • Take an online class • Reach out to someone you haven't talked to in a while • Go hiking/climbing/running/biking • Help your local community Things will bounce back, take advantage of your downtime!
1
4
14
@lukenamop
Jacob H.
2 years
An update on this free tool: I just made the source code for a standalone version of Server Supervisor's Webhook Protection feature available to the public here:
@lukenamop
Jacob H.
2 years
📌 Discord security breaches aren't slowing down. I wanted to build something free to help all servers: Server Supervisor Discord bot ✅ Monitors & logs every webhook update ✅ Option to delete existing webhooks ✅ Option to filter verified bot webhooks
Tweet media one
6
11
40
1
5
13
@lukenamop
Jacob H.
3 years
9/ Okay, what if you or someone you work with falls for this and their auth token is grabbed? Immediately reset your password! Even though the auth token bypasses your password and 2FA, resetting your password will actually also reset your auth token and they will lose access.
1
1
13
@lukenamop
Jacob H.
2 years
Step 3/ Research the various attack vectors scammers use to compromise Discord accounts. Bookmarklets, QR logins, etc. Understand how to protect your staff from these attacks (hint: 2FA is definitely recommended, but it will 𝗻𝗼𝘁 protect you from these phishing scams).
1
1
13
@lukenamop
Jacob H.
2 years
3.1/ This one is kind of on-going. Scammers are evolving & innovating every day. You're going to want to check for new trends fairly often to make sure you don't miss anything and can give your team plenty of warning.
1
1
13
@lukenamop
Jacob H.
2 years
@Jon_HQ To add to this: It's okay to admit you made a mistake! Everyone does. This happens to be a mistake that has huge repercussions, but it's better to admit and work to make amends than brush it under the rug and pretend like nothing happened.
0
1
13
@lukenamop
Jacob H.
2 years
To clear up what happened last night: 1) Captcha Bot is not hacked! 2) Ticket Tool had an issue with the “add” command which allowed people to add Manage Webhook permissions to themselves. 3) Ticket Tool was the only problem. 4) The “add” command was fixed last night.
1
3
12
@lukenamop
Jacob H.
2 years
🔒 Discord Security Tip 🔒 Opening & closing a server gives scammers a chance to “steal” your invite URL and trick people into joining the wrong server. If you use a vanity URL, you need a 2nd server at full boost level to “park” your invite URL when you aren’t using it.
1
4
14
@lukenamop
Jacob H.
2 years
2.3/ And, don't forget, you're going to want to limit the permissions of each bot as much as possible. By default, most bots will ask for more permissions than they actually need to function, which creates additional risk.
1
1
12
@lukenamop
Jacob H.
2 years
This Discord error is affecting all bots, including Spam Defender and Server Supervisor. For Spam Defender, the protection features are still working but all /commands are down. For Server Supervisor, webhook protection is working but all verification panels are frozen.
@Cap_Plantain
Captain_Plantain
2 years
⚠️ DISCORD BOT WARNING ⚠️ Discord has introduced an API error that is causing most bots to respond with "<bot-name> is thinking..." when executing a command All we can do is wait until discord fixes this
2
7
23
2
1
12
@lukenamop
Jacob H.
3 years
🚨 Another day full of #NFT #Discord hacks... - @Friendswithyou / @fRiENDSiES_Ai - @HeartNFTs - @DraffesNFT - @Nifty_Island - Rap Empire DAO to name a few! I have a passion for Discord security and would be happy to help. 🔄 Retweet and share, we need to stop these hacks ASAP.
0
1
11
@lukenamop
Jacob H.
2 years
Here are some examples of accounts Spam Defender can protect your community from, these are accounts that attempted to use alternate fonts & symbols to sneak in, but they were caught immediately. More info available here:
Tweet media one
Tweet media two
Tweet media three
1
2
11
@lukenamop
Jacob H.
1 year
macOS is becoming more “hackable.” If you use a Mac, please be wary of the things you download so you don’t inadvertently install something like this. Stay safe, friends!
@solminingpunk
FastFoodRembrandt.onion
1 year
#ALERT we have observed A new macOS information-stealing malware named 'Atomic' (aka 'AMOS') is being sold to threat actors via private Telegram channels for a subscription of $1,000 per month. And I just got in. #cybersecurity #infosec #malware #macOS
Tweet media one
26
176
610
0
2
10