<aside> ⚠️ The website is still live! The scammers may still be active within the community. THERE WILL BE NO CITYDAO LAND DROP OR NFT MINTS IN JANUARY so don’t let FOMO get the best of you

</aside>

CityDAO is publishing details but more importantly they are busy cleaning up the mess (Aviate, Navigate, Communicate). This is my take as an outside observer to try and keep the rest of the world informed. I will do my best to keep this current, but look to formal CityDAO communications for official info. I am not official CityDAO; this is my limited outside perspective!

UPDATE - Jan 11, 4:20 PM - The admin has posted a Twitter thread detailing the compromise

Timeline of Events (All times UTC)

Admin Account Compromised

The entry point was a social engineering scheme, which CityDAO admin lyons_800 details in this Twitter thread. The exposed secret was used to gain elevated privileges through a Discord bot webhook. Similar tactics have been successfully used to breach other Discord servers in the last few weeks, including CreatureToadz, LittleLemonsNFT, Monkey Kingdom, and Fractal, to name a few.

Phishing Website Registered - Jan 10, 04:24 AM

https://www.whois.com/whois/citydaonft.io

Attack Launched - Jan 10, 05:31 AM

With the phishing trap in place, an official announcement was posted to Discord which directed users to the fraudulent website. Citizens hoping to get in on an early opportunity flocked to the page, connected their wallets, and unknowingly signed transactions which authorized transfers and sent assets to the bad guys.

Citizens in Thailand were some of the first victims, but they were also among the first to realize that there was a problem. Thanks to CityDAO user elmo for this translation:

[image: elmo's translation of the Thai-language warning]

The admins became engaged in an active battle with the attackers. Real admins would delete the bogus announcement and make legitimate announcements warning of the problem. Attackers would delete the warning and re-post the bogus announcement. Citizens also scrambled to post alerts, while attackers wrought havoc by deleting channels and making other chaotic server modifications. More details can be seen in the admin’s thread (tweets 8-16). These delays obscured the problem and allowed more time to pass before everyone received warning that the mint was a scam.

Realizing the CityDAO server was compromised, users moved to other platforms. I tweeted about the attack and there was an official CityDAO alert.

The attack happened fast, with the majority of funds being drained during a window of only 24 minutes. It took only 5 minutes from the time the attacker posted the link (05:31) until the first victim was scammed (05:36). 17 minutes later the fake link was removed (05:52) and only 10 more minutes passed before nearly 95% of the victims had been scammed (06:02), with a couple more victims over the next hour and the final victim nearly 13 hours later (16:58).

WARNING: Scam site is still live and capable of taking your money

Follow the Money

The Thief’s Address:

https://etherscan.io/address/0xa6964e26b6e49510934164ceab2dd73fd397509f

Theft occurred between 05:00 and 16:58 UTC on January 10th, 2022

46 accounts (less than 0.5% of CityDAO’s 10,000 citizenships) lost close to $100k. Not all victims were CityDAO citizens. Although BAYC apes were targeted, 0 were stolen.

The attack consisted of two unique aspects:

Pre-Auth Scam #1: ENS, SAND, FTM, and TEL Tokens were Authorized for transfer

8 accounts transferred funds

There were only 5 victims who lost funds but did not mint. They probably realized something was off after the first authorization.
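To make the pre-auth aspect concrete, here is an added example (my own illustration, not code from the page, the phishing site or CityDAO) of the ERC-20 allowance mechanism it abused: the victim signs only an `approve`, and the attacker later submits `transferFrom` from their own address. It also shows the audit and revocation step victims need; the token set, addresses and balances are constructed sample values.

```javascript
// Constructed sample model of ERC-20 allowances (added example, not from the page).
const MAX_UINT256 = (1n << 256n) - 1n;

class Erc20 {
  constructor(symbol) {
    this.symbol = symbol; this.balance = new Map(); this.allowance = new Map();
  }
  key(owner, spender) { return `${owner}:${spender}`; }
  mint(to, amount) { this.balance.set(to, this.balanceOf(to) + amount); }
  balanceOf(who) { return this.balance.get(who) ?? 0n; }
  allowanceOf(owner, spender) { return this.allowance.get(this.key(owner, spender)) ?? 0n; }
  // What the phishing page asks the wallet to sign: no tokens move, the spender
  // only gains the right to pull them later.
  approve(owner, spender, amount) { this.allowance.set(this.key(owner, spender), amount); return true; }
  // Submitted by the attacker from their own address; succeeds with no further
  // action from the victim as long as the allowance covers the amount.
  transferFrom(spender, from, to, amount) {
    const allowed = this.allowanceOf(from, spender);
    if (allowed < amount || this.balanceOf(from) < amount) return false;
    if (allowed !== MAX_UINT256) this.allowance.set(this.key(from, spender), allowed - amount);
    this.balance.set(from, this.balanceOf(from) - amount);
    this.mint(to, amount);
    return true;
  }
}

// Audit: which tokens still carry a non-zero allowance from owner to spender?
// On a real chain this is the allowance(owner, spender) view call per token.
function outstandingAllowances(tokens, owner, spender) {
  return tokens.filter(t => t.allowanceOf(owner, spender) > 0n).map(t => t.symbol);
}

// Revocation is approve(spender, 0) on every affected token.
function revokeAll(tokens, owner, spender) {
  for (const t of tokens) if (t.allowanceOf(owner, spender) > 0n) t.approve(owner, spender, 0n);
  return outstandingAllowances(tokens, owner, spender).length === 0;
}

function scenario() {
  const victim = '0xVICTIM', attacker = '0xATTACKER';   // constructed placeholders
  const tokens = ['ENS', 'SAND', 'FTM', 'TEL'].map(s => new Erc20(s));
  tokens.forEach(t => t.mint(victim, 1000n));
  tokens.forEach(t => t.approve(victim, attacker, MAX_UINT256)); // victim signs unlimited approvals
  const drained = tokens.slice(0, 2).map(t => t.transferFrom(attacker, victim, attacker, 1000n));
  const stillExposed = outstandingAllowances(tokens, victim, attacker); // drained tokens stay approved too
  const revoked = revokeAll(tokens, victim, attacker);
  const laterAttempt = tokens[2].transferFrom(attacker, victim, attacker, 1n); // fails after revocation
  return { drained, stillExposed, revoked, laterAttempt, ensLeft: tokens[0].balanceOf(victim) };
}
```

Note that an unlimited allowance survives the drain, so a token that was already emptied stays exposed until it is explicitly revoked.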

Transfer Scam #2: Fake NFTs were “minted”

There were 47 transactions across 46 accounts, for a total of 108 fake NFTs being “minted”.

$36k (11.6 ETH) → Transfer to Another Wallet (Jan-10-2022 17:08:18)

I expect forensics will confirm that the attacker controls this wallet (UPDATE: confirmed, my report will be released soon). After a quick glance it appears that it may have been used for similarly styled attacks in the last few weeks.

https://etherscan.io/tx/0x7ced4d10b004ff23ca217d55fbe530ec066ec94661f1644bf60ebcbed42c0ebc

$31k (10 ETH) → Transfer to Tornado Cash (Jan-10-2022 17:21:07)

Bad guys use this service to avoid being caught. Mixing together similarly sized transactions makes it harder to trace the money.

https://etherscan.io/tx/0xa364fd4468077cb1240878fd9db24c7f8dc2de48dbd84ec4e6f09464b951a065

$23k (7.5 ETH) was initially left in the account

It remained in the primary account at the time of this writing.

UPDATE: Since this initial report the account is actively being used for moving funds, likely related to other scams! More info at CityDAO Phishing Scam - OnChain Analysis

Digging into the Code

<aside> ⚠️ NOTICE: This is only a snapshot of what was available hours after the scam occurred. DO NOT consider this to be complete or accurate! The scammer has full control over their fake website, so there is no way to know what has changed since the attack occurred, or even while the attack was ongoing.

</aside>

The most interesting bits are the main index.html page and transfer.js script.

The Scam had Multiple Aspects:

  1. Upon connecting, the script iterated through the user’s wallet to find and transfer the tokens with the largest balance. Affected assets included: Ether (ETH), ENS Names, Telcoin (TEL), SAND (SAND), Fantom Token (FTM), and more. Once found, the assets were authorized for transfer, and an attacker-initiated “TransferFrom” request withdrew the funds. The script added authorizations for any affected assets. These need to be removed by victims, see below.