Compensation for Victim of the ssv.network Discord Hack on 2023-08-30

Summary:

Plea for the DAO to consider compensating scammed users, who lost 20.104 ETH due to the security breach of ssv.network’s Discord server on August 30, 2023.

Background:

On August 31, 2023, the ssv.network Discord server was the victim of a malicious security breach, as detailed in the Post-Mortem Report. An attacker exploited a Bookmarklet type attack, compromising a privileged Discord account, SSV’s CTO Lior Rutherberg. In the ensuing chaos, key roles were deleted, many channels and bots were manipulated, and numerous users were banned.
The malicious actors further created a fraudulent website (DO NOT OPEN: ssv.community/claim/), scamming users into parting with their funds.

Our community members, unfortunately, fell victim to this scam and lost a substantial amount: 20.104 ETH. Given the magnitude of the loss and the circumstances under which it occurred, we are seeking the community’s support in refunding the scammed amount.

It is important to realize that SSV holds different secure assets where it is expected for users to deposit their assets. A hack on SSV’s Staking APP (instead of Discord) could render a similar loss outcome for users. Users’ funds would be misdirected when staking if there is a web-app hack that changes contract addresses. This makes the outcome of this proposal all the more important for the future.

Details of the Loss:

Date of Loss:   August 30, 2023
Circumstances:  During the ssv.network Discord server breach, the user was misled by the fraudulent website propagated by the attackers as legit ssv.network admins.
Hacker Account: 0x00000f312c54d0dd25888ee9CDC3DEE988700000


Account:        0xD50D5C19aD6d57b9f3a5490b5d9769e90B521E3b
Acc Signature:  https://etherscan.io/verifySig/24635
Amount:         14.9 ETH
Transaction:    0xd39694af121f794b36d9461bc6adba6684afbb7e395345c97d8116686893089b
Timestamp:      Aug-30-2023 11:45:35 PM +UTC


Account:          0x644cebcb9e7ee0f753369caebdcde2b12eaff476
Acc Signature:    https://etherscan.io/verifySig/24693
Amount:           5.204 ETH
ETH Price at DoT: $1,705.54
ETH Transaction1: 0xb08bb51b4de468f4ae9a88eb227aa09f436cb402e62ca3146766ed467ab8c065 398.6 UNI - $1,855.81 / $1,705.54 = 1.08 ETH
ETH Transaction2: 0xa428b9678673830d7f212b8eaeb37fc07b99c98be5e918dc189ffc22893c02b7 170.8 UNI - $795.35 / $1,705.54 = 0.466 ETH
Arb Transaction3: 0xf228c781e8bd813fa2b849ad1406f99da71b825839e59041033c2bed636d533b 215.1 UNI - $1,036.87 / $1,705.54 = 0.607 ETH
Arb Transaction4: 0xd7407486cab6108db3a1a5492f160952fa8dbcc60bfb1b094c51fcfac2c45a83 502.0 UNI - $2,158.62 / $1,705.54 = 1.265 ETH
Arb Transaction5: 0x3a42ee852e3de3b969a2d61861c2f0999ad1a9713e3f3b6c7e637968417650d3 1224.7 USDC - $1224.7 / $1,705.54 = 0.718 ETH
Arb Transaction6: 0x8ddb7672aa88c854371b4cc7ecb20acfdf5f128ec37e60eed72f61c6b9f4f134 2857.8 USDC - $2857.8 / $1,705.54 = 1.675 ETH

Reasons For Compensation:

Responsibility: While individual users bear responsibility for their actions, the hack exploited a vulnerability within our community space, and it is paramount to acknowledge that the scam was a direct consequence of a vulnerability within SSV's domain. As such, SSV holds a shared responsibility to ensure its community members do not suffer undue losses due to security shortcomings.

Community Integrity: Upholding the trust and faith of our community members is crucial. By considering compensation, we reinforce our commitment to them, showing that their security and well-being are of utmost importance to SSV.

Future Precautions: Compensating the victim reaffirms that the DAO will stand by SSV’s decisions and actions, even during unfortunate events like hacks. It showcases the DAO’s unwavering support, emphasizing that they will collectively uphold the safety and security of community members now and in any future incidents.

Restorative Justice: It's not merely about returning lost funds; it's about mending the trust and faith of our community. Compensation is an act of bridging the gap that the incident might have created between SSV and its community members, emphasizing that together, we rise above adversities.

Reasons Against Compensation:

While the primary sentiment leans toward compensation, it’s essential to consider potential reasons against such action:

Personal Responsibility: Every individual must bear the consequences of their actions, even in unfortunate circumstances or in securely operated community spaces.

Proposal Mechanics:

Upon a successful vote in favor:

The DAO treasury should facilitate the transfer of 14.9 ETH to the scammed user's address: 0xD50D5C19aD6d57b9f3a5490b5d9769e90B521E3b

Your understanding, empathy, and support in this matter are highly valued. Together, as a community, we can stand united and resilient, making decisions that reflect our collective spirit and ethos.

3 Likes

Hello @tx_reverted!

Thanks for your post. Indeed, you’re the only person who reported falling for the scam, so we want to understand why this happened to you.

Please provide me with the discord handle you used during the hack when the malicious link was posted. Once we have your handle, we’ll look into the Discord logs to check your request.

I’m not speaking for the DAO. I’m here to help you collect all the information needed in case you want to propose a refund to the community/DAO.

Thank you.

Thank you for reaching out and taking the time to understand the situation. Firstly, I wanted to mention that another user has directly messaged me claiming they were scammed as well. I’m currently awaiting further verification from them in the form of the transaction hash and account signature.

Regarding the Discord handle, I’ve messaged you directly to share it privately.

Could you please clarify what kind of logs you are referring to? Are you an admin in the ssv.network Discord?

Thank you for your help and patience!

1 Like

Hey BenAffleck,
He is not the only one who reported and/or got affected by this scam. I reported this privately to some of the discord moderators and I’ve also posted several times in the general discord channel about this matter.
I am sure there are more people here who got affected but they are not aware of this proposal and/or not that active or simply just too shy to come forward.
From what I’ve managed to track on the blockchain, it seems that more than $50k were transferred to the hacker at the time of the hack.

I am glad tx_reverted has raised this issue and I support this proposal.
I think that the security of our community is of utmost importance and by supporting this proposal we reaffirm our commitment to the well-being and safety of our members.

1 Like

Date of Loss: August 30, 2023
Amount: 1,286.67 UNI & 4,082.6 USDC
Circumstances: During the ssv.network Discord server breach, user was misled by the fraudulent website propagated by the attackers as legit ssv.network admins.
Account: 0x644cebcb9e7ee0f753369caebdcde2b12eaff476
ETHTransaction1: 0xb08bb51b4de468f4ae9a88eb227aa09f436cb402e62ca3146766ed467ab8c065
ETHTransaction2: 0xa428b9678673830d7f212b8eaeb37fc07b99c98be5e918dc189ffc22893c02b7
ArbitrumTransaction3: 0xf228c781e8bd813fa2b849ad1406f99da71b825839e59041033c2bed636d533b
ArbitrumTransaction4: 0xd7407486cab6108db3a1a5492f160952fa8dbcc60bfb1b094c51fcfac2c45a83
ArbitrumTransaction5: 0x3a42ee852e3de3b969a2d61861c2f0999ad1a9713e3f3b6c7e637968417650d3
ArbitrumTransaction6: 0x8ddb7672aa88c854371b4cc7ecb20acfdf5f128ec37e60eed72f61c6b9f4f134
Acc Signature: Ethereum Verified Signed Message

I’m sympathetic to the loss, but I don’t feel like the DAO should be responsible for financial recovery here for a number of reasons:

  1. This was not a flaw in infrastructure owned by the DAO (e.g., the recent proposal for covering CDT loss). This was someone falling victim to a malicious external site spread by a compromised admin account. The DAO should not be providing protections from people connecting their wallets to websites.
  2. This establishes a worrying precedent of the DAO as an insurance fund for members when there’s no such financing of it as such.
  3. Further, it creates an avenue of exploit where a malicious user could execute a similar attack again and then claim they were drained and have the DAO cover their ‘losses’.

While we should be empathetic toward people affected by attacks (I think it’s only a matter of when, not if, anyone falls victim to such an attack), the DAO is not formed as an insurance policy nor is it set up to be funded by those who would seek coverage.

Recovery of these stolen funds in concert with law enforcement and, for example, capturing the funds should they reach egress at an exchange is what those affected should pursue.

1 Like

Thanks for coming forward @gob .
I have validated the transactions, timestamp and values and have updated the main post.

@BenAffleck Can you check @gob’s logs in Discord too? Any additional info helps.

Thank you.

Hey jrh3k5,

Thank you for sharing your concerns. I believe that your voice, like every other community member, is valuable to the DAO.

Addressing your concerns in order:

  1. Infrastructure Responsibility: As the shared image clearly highlights, our ssv.network Core Team Discord Admin Dean pointed out, “As for the vulnerabilities and the call for compensation, it’s important to note that these matters are typically addressed by the DAO, as the Discord server belongs to the DAO community.” We all understand that decentralization doesn’t necessarily absolve responsibility. When infrastructure is under the responsibility of the DAO, any vulnerabilities or issues therein should be addressed with the utmost priority, and appropriate responsibility should be taken.

  2. ssv.network & Its Role: The ssv.network also serves as a staking platform, a pivotal piece of our ecosystem where users are expected to deposit their stake. It’s not merely an information or community portal. The core team, which is directly backed by the DAO and has created and manages this infrastructure, bears a profound responsibility towards the users. Should a hack occur on the platform, we believe it would be prudent for the entity, in this case, ssv DAO, to assess and potentially compensate victims. It’s not merely about financial restitution, but more about the trust and faith users place in the platform. Standing by the core team means standing with them both in their successes and in times of adversity. If we expect the community to trust the infrastructure we recommend, then we must also stand by those recommendations in good times and bad.

  3. Potential for Exploitation: Your point about setting a dangerous precedent is valid, and the concern for exploitation is understood. However, transparency and scrutiny are our best weapons in such scenarios. Through rigorous audits, transaction analyses, and community vigilance, we can ensure that genuine victims are identified, and any malicious actors are swiftly caught.

Look, the realm of crypto is built on the principles of decentralization, trust, and community strength. Transparency has to be our goal when guiding us through the challenges. This incident is not just about addressing an isolated scam but about reinforcing the trust that binds our community. We rise and fall together. It’s important to see how actively and passionately members like you participate. And on that note, may I ask if you registered just to voice your concerns in this thread? Your forum history seems rather new. Happy to chat on the #dao-updates channel if you have more questions.

Thank you for being a part of this. Together, we define the future of ssv.network and community governance.

tx_reverted

That’s some good points @tx_reverted. Thanks for elaborating on this.

I agree, we should acknowledge that decentralization doesn’t absolve responsibility, and when infrastructure is under the responsibility of the DAO, vulnerabilities and issues should be addressed promptly. I believe that the Discord server, being part of the DAO community, should be considered the responsibility of the community, and vulnerabilities within it should be addressed accordingly.

I think that financial assistance to members in cases of severe loss is important to maintain trust and solidarity within the community and reflects the DAO’s values and mission.

Good day @tx_reverted and @gob :wave:

I was trying to collect more data to prove your claim. However, none of the systems has any additional evidence to back up your claim beyond what you’ve provided already.

The Proposal Mechanics section of your post needs to be updated to also include instructions for @gob.

Since I’m not here to judge the legitimacy or its chances of success, I can only say that the proposal itself is in good shape and follows the DAO guidelines. Feel free to move it to a snapshot and announce it on discord.

Good luck :four_leaf_clover:

2 Likes

I am not a proponent of compensating people for losses due to Discord hacks, or other situations where they click a phishing link and authorize somebody to have access to their wallet.

While I am sympathetic to people who get tricked into losing money, there are generally accepted best practices that can minimize losses, and it’s important that people follow those.

The best solution is to use a hot wallet with only a little money in it, so you can’t be scammed for more than that.

And don’t click links without examining the site for scammy behaviors, like different URLs or extra characters.

And any time a link says to click it right away, that’s a red flag. As are any links that purport to be for a new unannounced airdrop. And if a discord turns off all comments and gets spammed with an airdrop message, that’s a clear marker that it’s been hacked.

Unfortunately you always have to have your guard up in crypto, and take preparations to help minimize any losses that come.

This is not the first time this has happened. There was a similar attack on Feb 14th 2023, where an admin account was compromised and the account posted a malicious link for users to go to as part of a contest. Multiple users experienced traceable losses as a result, including myself. I can’t remember if there was a “detailed post-mortem” as the team promised for that instance though. I reported my loss and wallet information to the team with no result. Maybe I should have been louder about it like the OP.

I am pro compensating victims, either directly or as part of a fund, assuming they can provide a reasonable amount of evidence. I think it’s an even easier case to make if the users lost SSV tokens instead of pure ETH.

Partial or total: I’m not sure if there should be total compensation or partial, as some responsibility does sit with the user, who has to connect their wallet to a scam website. So there is certainly some responsibility on the user side, and maybe partial compensation would be more equitable. The only problem is that setting a % compensation is wildly subjective, so maybe full is better.

Funding: It would be incredibly easy to mint enough SSV to cover this sort of loss with minimal impact to any current SSV token holders.

Re: DAO - People say that the DAO manages things, but that’s really not true. The DAO can set broad direction, but the core team has effectively been delegated responsibility for all of these things. The core team manages the discord and assigns moderator/admin status to individuals. So when a core team member’s account is compromised, and this leads to massive losses, suddenly the core team has no responsibility? And the response is, ‘oh, you should have known.’ Nonsense. In the chain of events the loss would never have happened if the team member had not gotten their account compromised. Can the DAO take legal action against a team member? No. Can the DAO garnish the wages of a team member that makes a serious mistake to compensate victims? No. When the infrastructure has a problem, does the DAO vote on if bugs should be fixed? No. So the DAO does nothing tactical or day-to-day, that’s all the core team’s responsibility.

Re: “We don’t do airdrops or giveaways. You should have known.” So we should listen and trust admin accounts in most cases, but not in all? How do users know? Also as a participant in the testnet, we were conditioned to wait for an admin to post something 2x a day and then the community had to race to click buttons to get to participate. Bad conditioning if you don’t want your community to race to click links sent from admin accounts.

Legal protection: Legal protection does not exist for this type of theft or scam. I reported my losses to the FBI, but there was no follow up and certainly no recovery of funds or compensation. Any sort of compensation needs to be driven by the community.

DAO registration: I’m also not sure if the DAO is technically separate from the core team’s company. Where is it registered? Maybe someone with legal experience can comment.

I agree with you that it is important to compensate victims of scams, especially when those scams are the result of security breaches. I also agree that it is difficult to set a % compensation that is fair to everyone involved.

As for funding compensation, I’m uncertain about the most viable method. While minting new SSV tokens is an option, we must carefully assess its impact on existing token holders.

You’re absolutely right about the limitations of the DAO in legal matters related to team members. However, the DAO retains the power to ensure accountability by voting on proposals and, if necessary, removing team members from their roles.

Additionally, the question of whether the DAO is technically distinct from the core team’s company remains unanswered. This distinction is pivotal and must be clarified before any compensation decisions are reached.

I have reviewed the thread and I’ve not been able to find the specific context of the attack. What was the malicious link disguised as? Was it a red-flag, too-good-to-be-true “giveaway” or “airdrop”? Were all the warning signs there? Sadly, I do think it matters to be able to apportion comparative fault. Legitimate distributions simply don’t work that way now, and haven’t for quite some time.

In general, I think the DAO treasury needs to be better protected. We are not nearly hawkish enough in guarding its value.

Hey everyone,

Happy that more people have come to know of this thread. Special thanks to @BenAffleck for the announcement.

I wish to reply to a few comments:

@GBeast: I completely understand where you’re coming from. In hindsight, many things become obvious, and I can’t stress enough the importance of individuals following best practices when it comes to security. That being said, this isn’t just about user security best practices. It’s about recognizing where the responsibility lies when an attack takes place. If the Discord server, which is an integral part of our community, gets hacked, shouldn’t there be some accountability on the part of the Core Team? While users need to be cautious, the infrastructure they trust should also be secure. Taking this a step further, what if the main SSV web application was to be hacked? Would we still say that it’s solely the user’s fault for trusting the platform?

@captnapalm: I’m with you on most of your points, especially about the potential for compensating victims. I believe that there’s merit in considering minting SSV tokens as a way to facilitate this, especially since both bloxstaking and the SSV DAO aren’t exactly short on funds. To put it into perspective, the compensation required wouldn’t even make a noticeable dent when compared to the generous grants that SSV DAO offers at https://grants.ssv.network/.

@Hackworth: I appreciate your call for a detailed context. However, all the relevant information, including details about the website and the SSV Post-Mortem Report, has been made available in this thread, perhaps @BenAffleck can recover the original phishing message? The attack wasn’t targeted at individual users but at the SSV Discord. While individual security is essential, if a trusted platform like ours is compromised, it alters the scenario entirely. It’s like if the SSV Web App was compromised; we’d need to consider that user best practices might not hold up against a platform vulnerability.

Thank you all for contributing to this essential conversation. I’m more than willing to share additional details and insights where needed. Let’s work collaboratively to address the concerns and uphold the values of our community.

Best,
tx_reverted

Hi, the hack events and being a victim of a scam are a horrible thing, but in my opinion the hacking of social media platform accounts shouldn’t be related to the SSV platform, tokens, etc. It is well known in the crypto space that no admin should initiate contact on social media and you shouldn’t access any link if you don’t know what it is about. I don’t see the point why the SSV DAO should compensate these kinds of issues. Such compensation shall be considered only if the hacks are related to chains/platforms developed by the SSV team.

Hello codyyy,

Firstly, I deeply appreciate you sharing your perspective, and I genuinely empathize with the stance you’ve taken. It’s evident that you care about the crypto community and want to ensure its security.

However, I believe we need to draw a distinction here. It wasn’t Discord, the platform, that was compromised, but the account of SSV’s CTO, Lior Rutherberg (link provides more context).
There’s a marked difference between the entirety of Discord as a product being hacked, and an unfortunate oversight on SSV’s part in safeguarding critical accounts. When we discuss the vulnerability of such a high-profile account within the SSV ecosystem, it underscores that the responsibility of secure infrastructure should predominantly lie with the SSV Core Team and, by extension, the DAO.

While individual vigilance is undoubtedly essential, I feel it’s equally paramount for us, as a community and as the Core Team, to ensure that the platforms we manage are as secure as possible. If members of our community suffer due to vulnerabilities from our side, compensating them is not just about restoring funds. It’s about upholding the principles of transparency, justice, and solidarity that we all hold dear.

I genuinely believe that such discussions and the scrutiny they bring are invaluable.
And interestingly, I noticed this is your first post, and it seems you joined to contribute to this thread. This is positive: not only does it allow us to improve as a community, but it also empowers every member to voice their opinions, ensuring that no concern goes unheard.

Warmly,
tx_reverted

Hello Everyone,

I’d like to bring to your attention a recent observation. It appears the SSV Core Team has made edits to their initial post regarding the hack incident. Notably, the acknowledgment that it was the account of SSV’s CTO, Lior Rutherberg, that was compromised seems to have been omitted. I also reviewed the Post Mortem and noticed the same piece of information was removed there as well.

Transparency is paramount, especially in moments of crisis or vulnerability. It’s essential for trust-building within our community. To ensure there’s a clear record of the original content, I took a screenshot prior to the edit and have since posted it on Twitter. You can verify the timestamp for authenticity and clarity.

I’m hoping this was an oversight and not a deliberate attempt to obscure facts. Let’s all remain vigilant, keeping in mind that clear, honest communication is the bedrock of a strong and cohesive community.

Warm regards,
tx_reverted

Sorry mate, hope the vote goes in favour of those who lost funds.

That’s not exactly a comforting reaction. @tx_reverted here are some mobile screenshots from the second attack. Not many, but it’s something.