Share article on

Stolen Apes: Protecting Communities Using Behavioral Data

Recently, the popular NFT collection BAYC (Bored Ape Yacht Club) reported an incident of asset loss worth 200 ETH ($358,962 at the time) by attackers who compromised moderator accounts of Discord servers to distribute phishing links to Bored Ape community members. 

This isn’t the first time crypto assets were targeted by scammers. BAYC NFTs were targeted in an attack last April when scammers successfully made away with ~$3M worth of assets after compromising BAYC’s official Instagram account. 

Generally, the same conditions of the crypto/blockchain space which advocates claim are benefits often result in the persistence of scams by fraudsters, much like those affecting BAYC NFT holders.

Given the relative infancy of the crypto ecosystem, platforms like Discord which support crypto communities have a vested interest in advancing security protocols to prevent these kinds of scams so that the ecosystem might thrive in the future. 

In this post, we’ll give a basic primer on how crypto transactions work, dive into details of how the BAYC thefts happened, and propose examples of how platforms like Discord can better support the crypto community through behavioral data acquisition.

Crypto Assets: A Primer

Crypto assets like NFTs (non-fungible tokens) and cryptocurrency coins (ie Bitcoin, Ethereum) are digital records of ownership of coded bits, of which the provenance and transaction history are tracked and stored on the matching blockchain (Bored Ape NFTs are stored on the Ethereum blockchain).

Owners of these assets hold them for various reasons: as a store of value, as a future medium of exchange, or simply because they see underlying value in the asset itself. 

To store or exchange these assets, hot wallets (online crypto storage apps) are commonly used. They hold the keys to access assets owned and often include functionality to exchange assets on certain platforms or between other wallets.

And while many enthusiasts in the community have high hopes for blockchain technology, the digital assets they spurn, and its future capabilities, there are several hurdles in the space which, if left unsolved, will continue to allow the proliferation of scams.

Immutability & Anonymity: Blockchain’s Double-Edged Swords

The decentralized nature of blockchains allows for a system that doesn’t need intermediaries between transactions, and a complete, unchangeable record of all transactions in that system is available to all members. 

And because all members of this system can inherently trust in a perfect, unchangeable, “omni” record, classical forms of identifying members are, in theory, unnecessary for the system to operate. In practice, however, these particular traits open the door for scams where catching the culprit and recouping damages is extremely difficult.

The immutability of the blockchain and its lack of intermediaries means there is no way to reverse an asset exchange without consent from both ends of a transaction. For a successful scammer who has gained access to a victim’s crypto wallet or assets, there’s no need to worry about an arbiter who would right a wrong they commit. The anonymous nature of blockchains means that attackers can operate under an additional veil of obscurity not provided in other markets.

This also means that individuals transacting on a blockchain must be extremely security conscious given there is no mediating party, intermediary, legal framework, or regulatory body protecting them in the event they fall victim to scams. In reality, there are countless stories of people attracted to crypto ecosystems, yet do not have the requisite security knowledge to protect themselves from attacks and thus fall victim to scams.

How BAYC was hacked twice

Post the more recent compromise of Bored Ape NFTs, one of its co-founders lashed out at Discord on Twitter, writing:

“Discord isn’t working for web3 communities. We need a better platform that puts security first.”

The BAYC Twitter account confirmed that its Discord servers were exploited. The project’s community manager account was compromised, then used to post malicious links in the Discord channels, luring users to click with special incentives of mints. 

Once clicked, attackers had access to the user’s wallet and made off with the assets. A similar-style attack on BAYC occurred a few months back in April, where its official Instagram account was compromised and used to post similar malicious links before being shut down. 

In both instances, social media accounts were compromised and leveraged to post malicious phishing links that users were duped into clicking.

Protecting the Ecosystem with Behavioral Data

Account takeover and phishing are common scams for many kinds of businesses, though particularly in the crypto ecosystem, are difficult to combat given the conditions of the space we’ve outlined. 

The growing interest in this space has already outpaced the required commensurate knowledge of digital security. This means that more and more users will flock to established platforms like Discord, Instagram, Twitter, and others to interact within the crypto communities, while not necessarily knowing how to safely conduct themselves. 

And while the topic of who should own the security burden is one of heated debate, data shows that users today want to interact with platforms they can trust and feel secure in using and that most users on the internet will not take the proper precautions to protect themselves online. 

If platforms like Discord were to incorporate first-party, behavioral data gathering on devices accessing their services, they would have in-house access to a robust risk data ecosystem from which to build behavioral fingerprints of user accounts across that user’s device ecosystem. 

From these profiles, seemingly imperceptible differences in behavioral patterns like keystroke usage deviations, accelerometer readings, and pointer pattern differences could be used to flag atypical behavior on an account even before posts to announcement boards or channels are made. 

Not only will flags like these protect the crypto community as a whole from scams by limiting the vectors through which attackers can scam, but they also positively impact revenue and engagement via harboring a higher trust community among users.

This is just one example of how behavioral data can be leveraged by social platforms. While it is highly unlikely that blockchains will in the future require more robust identification of users in order to transact on chains, it is much more practical for ancillary platforms like Discord and Instagram to better flag atypical behavioral patterns in order to protect crypto community members on their platforms, and more broadly, their user community overall.