I’ve been pretty lucky in my time in crypto, I’m proud to say that I’ve never had any crypto stolen from any of my wallets *knocks on wood*. I think part of the reason is that I came to this world in a time where one of the dominating narratives was “not your keys, not your wallet” and it was imperative that you stay extra vigilant. I’ve always been pretty conservative with the messages and transactions I sign and the amount of degen activity I engage in. But this time I was very close to getting caught because of a bookmark and I thought I’d use this post to commemorate the occasion and inform others about the attack vector.
Lately a lot of my attention has been on Breadchain Cooperative, the main project I work on outside of the blog and podcast. It is the place where I and my co-conspirators are able to focus our attention on building something aligned with our post-capitalist values. So when I was asked by someone going by Will Canny from CoinDesk on Discord to answer some questions about the project and Crypto Leftists to be published on their site, I had to say yes!
Of course I was a bit surprised to be approached through Discord but when I looked up his name, it seemed that he was actually a journalist at CoinDesk although his profile on the site didn’t include a social media account nor a picture. A great person to pretend to be! Not to mention the convenient Discord profile picture with skiing goggles.
Once I had a bit of time, I obliged and answered the questions thinking there’d be a quick turnaround and it’d be an easy publishing for Will. But no, I needed to complete a consent form for them to publish. Seemed a bit much and I thought maybe it was a new thing since I’ve given quotes for CoinDesk plenty of times before but whatever I thought, it just takes a second. Apparently I was supposed to go to their Discord server (he sent me an invite) and get it from there. I did the Sledgehammer verification (makes me wonder now why this method seems to be popular with a lot of scammers on Discord) and the server didn’t have a single channel with messages from others in it, just seemed to be a place where they shared basic info and maybe promoted Consensus. Again weird but I just wanted to get this over with so I can continue actually working on the thing.
The page for the consent form was very simple and largely matched CoinDesk’s actual site but bare. I also noticed that it wasn’t the actual CoinDesk[.com] but actually slightly different but believable in that maybe they would have a different site and system to handle consent forms I naively thought. So I submitted the form and got a strange message. To submit the form I actually needed to drag the button into my bookmarks. What? That seems strange. Luckily my bookmark bar doesn’t show when I browse normally so I couldn’t even do it before I started to think about the strangeness of the request.
I then proceeded to snoop around the website and noticed that every menu link and almost all of the footer links were broken. They led to nowhere! Except when I clicked on the CoinDesk logo which led to the homepage of the normal CoinDesk site. There was something fishy about all of this so I had to let Will know but I still wanted this published so didn’t want to go aggro quite yet.
About an hour after I sent my last message, all of his messages were deleted in the chat. I guess I got my answer. I did some research on bookmark scams and found some interesting stuff. In this piece from SlowMist they explain that this scam usually involves injecting some JavaScript into a bookmark which gives the scammer access to the Discord token of your server to then change permissions and use it to their advantage. This was likely how many of the NFT Discord servers were phished and hacked repeatedly in the recent past.
While if you were to add a bookmark normally, you’d be able to see the javascript awkwardly in the text box, you can make buttons draggable into a user’s bookmarks as a workaround. And for whatever reason, most browsers don’t give any warning about this functionality when you do it!
While I could see why they wanted to do this for NFT communities of overly eager degens willing to make rushed decisions for the next quick buck, I didn’t quite understand why they would do it to me. A couple of months ago there was someone impersonating me on Discord messaging community members and close friends asking for crypto but I don’t think it was very successful. They must be really scraping at the bottom of the barrel if they’re going for the leftist groups for money to steal. I believe with this guy, the likely attack would have been to create another fake webpage to phish other members of the community as a moderator of our server to get people to sign token approvals that give them access to the wallet’s funds.
Anyways, I’m now a bit annoyed that I wrote out the answers to the questions and they won’t be published on CoinDesk so I figured I should take the decentralized and autonomous approach and just publish them here to give more context about the projects I’ve been working on. Stay vigilant friends!
- What inspired the creation of Breadchain and Crypto Leftists?
The Crypto Leftists community was created out of a need to have a dedicated space for discussing and exploring crypto from an explicitly left wing point of view. This was something that basically didn't exist before its creation in any crypto community at the time. Of course you can only spend so much time before you want to start building over just discussing and so that's when Breadchain spun out of the community to be the place where we start to build things with our political framework in mind.
So Breadchain was our answer to the question of "how should the left respond to the rise of crypto as a potentially strong political force and tool?" We felt that we needed to start building the infrastructure for what a future with crypto gaining importance would look like. We also needed to do this while staying true to our principles and not engage in raising funds through venture capital or otherwise and instead focus on cooperative and post-capitalist approaches which led to the creation of our first "solidarity primitive", the BREAD Crowdstaking Application. The app lets users bake BREAD our community token by giving it xDai on Gnosis Chain which is then converted to sDAI that earns a yield for the cooperative. Users receive back BREAD in the same amount that they have xDai. Users can use BREAD like any other token for spending through our Citizen Wallet integration without paying for transaction fees and they can use it to vote on how the yield generated is distributed among the projects in the cooperative.
- Can you discuss any notable milestones, partnerships, or collaborations that have been formed, and how they will benefit its growth and development?
For starters, since Breadchain is a federation we have strong partnerships with the member projects like the Crypto Commons Association, Dandelion, and LaborDAO. Outside of these we have had two major partnerships with other crypto projects including PowerPool who gave us a $20k grant for building a couple of our post-capitalist use cases using their smart contract automation technology. We have also partnered with Gnosis DAO who have committed to minting $200k BREAD as a way to help the project continue and build on Gnosis Chain. This turned out to work out quite well as they could support our work without giving a grant and instead just engage with our application. Since we don't accept venture capital, these partnerships have been great win-win situations proving that you can build great products with it.
- Where can our readers learn more? (Permalinks to website, socials, etc.)
Hopefully I was able to best take advantage of what nearly happened by sharing the experience and informing others about this attack vector. Although the attack doesn’t directly take your crypto, it’s still dangerous to have something like this happen. Don’t be bookmarking shady stuff guys.