Tweet Threads

Discord Security Threads, Web3 Security Guides, NFT Information and Tutorials.
Below you'll find all my various threads, thoughts, videos and free resources.
If you enjoy them or learn something from them, please retweet the original thread, thank you!
Most Important Threads
Either really impactful free resources or extremely important practices to follow.
Free Discord Security Quiz
Over 900 founders, mods, and general NFT folk have taken this free quiz already. It will test you on your Discord security knowledge.
Take it and see how well you do, explanations are given at the end for each question. https://t.co/AwBzFkX9eT
— Jon_HQ (@Jon_HQ) August 21, 2022

🥶 Cold Admin v.3
Here is my most recent Cold Admin setup instructions.
What is a Cold Admin? It is a Discord account that is distinct and exclusively used on a separate device, such as an old phone or laptop.
Stay safe and keep your servers secure by using Cold Admins. pic.twitter.com/O2CmeAGPv9
— Jon_HQ (@Jon_HQ) December 6, 2022

ICYMI:
I recorded an hour long video discussing my free Discord server template. https://t.co/CjDAjA3sPy
This is a great resource for projects or even baby auditors to use.
Copying is easy; understanding why things are the way they are takes time to learn and comprehend.
— Jon_HQ (@Jon_HQ) December 9, 2022

Discord Security... and... Community Management?
Discord security is not just keeping things secure, it's also about keeping things useable.
So let's flip the script a bit and look at what CMs need to do inside a Discord community, and how we can do it securely.
— Jon_HQ (@Jon_HQ) August 17, 2022

Discord Security Threads
There are a couple core bots you need for a secured NFT Discord server.
Here they are, for free.
This is good alpha even as a collector, if you can't find a bot in the server, they probably haven't got audited or know what the hell they're doing. pic.twitter.com/OHNDaoLdcT
— Jon_HQ (@Jon_HQ) December 13, 2022

🚨🚨 Discord Security Tip - Cold Admins 🚨🚨
I've spent the last month or so talking with NFT project owners and trying to explain cold admin accounts, how they work with a Discord... and at this point, I think I need to extrapolate even more.
Here is the Cold Admin Protocol.
— Jon_HQ (@Jon_HQ) May 11, 2022

NFT projects get compromised and lose millions because they do not understand Discord permissions.
Can you name the most deadly ones?
5 minutes reading this thread could save your project from getting scammed.
Here are the 7 Deadly Discord permissions: pic.twitter.com/zb5lGrZQcW
— Jon_HQ (@Jon_HQ) September 27, 2022

🚨 What do you do if your Discord server is being hacked, a checklist. 🚨
I'll post this both as a Twitter thread, and as an image attached to this tweet.
Download the image and save it to share with teams, or print it out! pic.twitter.com/lz89tmHsdd
— Jon_HQ (@Jon_HQ) March 12, 2022

🚨 Discord Security Tips 🚨
In a bear market, NFT projects are quietly building, planning longer runways, and improving...
Due to the 🧸 market, projects might not be able to afford a full Discord audit, so here are three tips you can implement now to protect your community.
— Jon_HQ (@Jon_HQ) September 20, 2022

🚨 Discord Security Tip 🚨
If you're starting a new Discord for an NFT project and getting everything set up during this bear market, here are some broad strokes about what you should focus on during the setup.
— Jon_HQ (@Jon_HQ) May 14, 2022

🚨 Discord Bot Compromise Update 🚨
What's next? How do we stop this in the future?
So - official little recap here - past the bot pushing a bad update, the bot asked for manage webhook perms, which it might need for some functionality... but there is no reason to grant it. 1/2 pic.twitter.com/qmB9FM4rXa
— Jon_HQ (@Jon_HQ) April 1, 2022

🚨 This could save your NFT's Discord from getting hacked 🚨
What if you could identify that one of your moderators was compromised...
...and that attackers were preparing a fake mint announcement in your Discord...
Hours or days before it happened?
— Jon_HQ (@Jon_HQ) February 13, 2022

🚨 Know yall missed these Discord tips 🚨
If you want to do a CLOSED Discord for marketing hype reasons or whatever, you can do it safely.
Read this 🧵 to learn how... and the reason why a closed Discord using expiring invites is a bad idea...
— Jon_HQ (@Jon_HQ) March 30, 2022

🚨 Discord Tip: Protect the new frens 🚨
Every Discord moderation bot has something called an Automessage.
Enable this, smack it into #general, and send the message every 4-6 hours. Spam the newbs to save them.
Use my template, tell me if you think there is anything else to add! pic.twitter.com/y7F15YTg45
— Jon_HQ (@Jon_HQ) March 31, 2022

🚨 Discord Security Alert 🚨
Since the newest Discord phishing attack is a little hard to understand, I've made an image showing a valid oauth request on the left, and the scam oauth on the right.
ALWAYS check where you're being redirected to.
Please share for awareness. pic.twitter.com/wUKMVMforT
— Jon_HQ (@Jon_HQ) August 29, 2022

🚨 Discord Security Tip 🚨
What to do when the worst happens and your Discord server does get compromised?
This thread will cover what you should do as an admin or a server owner during all stages of a Discord compromise and fake mint/airdrop phishing scam.
— Jon_HQ (@Jon_HQ) June 8, 2022

This Discord is using a VERIFIED bot renamed.
It is a fake Wick bot, requiring you to verify.
It asks you to scan a QR code to verify - this logs you in on a new client the attackers control.
The attackers are leveling up again, stay safe folks. This one is nasty. https://t.co/Sdrh4oYhA5
— Jon_HQ (@Jon_HQ) April 4, 2022

Were you aware that the average NFT Discord has over 12 users with Mod or Team level perms? An infographic thread 🧵 pic.twitter.com/mOYcYXMOrp
— Jon_HQ (@Jon_HQ) March 2, 2022

🚨🚨🚨 Discord Security Tip 🚨🚨🚨
I've been thinking a lot about impersonation attacks the last few days.
It is common for phishers to pose as a team member to try to scam normal users.
Let's dig into it a little. h/t to @crystalgroves for alerting me to this impersonator: pic.twitter.com/kQ7GKb0OgK
— Jon_HQ (@Jon_HQ) May 30, 2022

🚨🚨🚨 Discord Security Alert 🚨🚨🚨
As if moderators and admins getting phished weren't enough.
I now have multiple independent confirmations that attackers are straight up bribing any of your Discord staff with up to $100k...
What can you as a project owner do?
— Jon_HQ (@Jon_HQ) May 25, 2022

🚨 Discord Security Tip 🚨
When a phishing method stops working as well, scammers don't stop. They evolve.
There have been rumors of attackers now impersonating project founders and replicating how their voice sounds using voice modulators.
How should teams react?
— Jon_HQ (@Jon_HQ) August 21, 2022

🚨 Discord Tip of the Day 🚨
The last couple of weeks has seen a drastic shift in types of attacks against Discords...
I sat down and tried to create a risk matrix of both the severity and the impact of these different methods - let me know what you think! pic.twitter.com/BaijY20FrN
— Jon_HQ (@Jon_HQ) April 3, 2022

Discord Auditing
Discord Auditor Self Checklist
It has been over a year since the pandemic of Discord Compromises started.
The following reflect the best practices that have been developed in that time.
This checklist covers what your setup should have. Do you check all the boxes?
— Jon_HQ (@Jon_HQ) December 27, 2022

🚨 Things to ask your Discord Auditor before hiring them (Feel free to add on things if you think I missed anything!) 🚨
A pretty short thread.
#1: Will they change things for you?
Some auditors will only do a call with you. This can take longer, and result in a worse audit.
— Jon_HQ (@Jon_HQ) March 10, 2022

🚨 Discord Security Tip 🚨
I made a whole thread about how to pick a Discord auditor. I can actually condense it way down now.
In this threat environment, I can boil it down into one single thing to check.
Read on to figure out if your Discord auditor has swindled you.
— Jon_HQ (@Jon_HQ) June 10, 2022

Discord Security Vocabulary Terms
There are a lot of folks out there: Mods, CMs, Founders, and Auditors all working with Discord servers.
Keeping everyone on the same page is tough...
So here's an exhaustive guide listing common Discord security terms and what they mean!
— Jon_HQ (@Jon_HQ) October 27, 2022

Web3 Security Threads
🚨 Twitter Account Hack Alert 🚨
This is how it has been reported to me that projects (JRNYclub, nounsdao, potentially others earlier this year) are having their Twitter accounts hacked...
And here is how you can protect yourself, your project, and your community.
A thread. pic.twitter.com/ZUp5sMsFTU
— Jon_HQ (@Jon_HQ) June 29, 2022

How immutable is your Blue Chip NFT?
ERC721 contracts usually have an owner assigned and they can update things in the contract, such as the project's URI.
Even if your images are on IPFS, if the owner still has control of the contract, the link to those images can change.
— Jon_HQ (@Jon_HQ) September 4, 2022

The fake WL messages have gotten way too annoying.
I've caved and set my notifications to filter out the accounts sending them.
If you want to do the same, in your Twitter Settings go to Privacy and Safety, Mute and Block, Muted Notifications, and toggle the below settings: pic.twitter.com/iIeBn0sd0B
— Jon_HQ (@Jon_HQ) October 9, 2022

🚨 NFT Drainer Alert!!! 🚨
What I posted about originally as being a scheme to get your Discord token has been used for more than that...
Attackers used the XSS attack with Everdome as a trusted site to also generate malicious OpenSea signature requests.
What you need to know:
— Jon_HQ (@Jon_HQ) September 22, 2022

🚨 NFT NYC Security Tips 🚨
I've seen a couple posts about NFT NYC and keeping your digital assets secured while there... Honestly I don't think most of the posts or threads go nearly far enough.
You are a major target, and here is how you can protect yourself:
— Jon_HQ (@Jon_HQ) June 16, 2022

🚨 NFT Marketplace Listing Scams 🚨
Marketplace @blur_io has an increased risk of buying the wrong listing and victims accidentally purchasing NFTs for 10x the price.
Let's look into why, how you can protect yourself if you use Blur, and why this scam works. pic.twitter.com/WuEsM9L0vX
— Jon_HQ (@Jon_HQ) November 3, 2022

You can still be making money if your NFT falls in price.
You can limit your exposure to a falling floor price, and X2Y2 has just made this much easier.
So let's look at how... and also talk about 1 super stupid degen play that could make someone in this space filthy rich.
— Jon_HQ (@Jon_HQ) October 9, 2022