We want to share an update on Illuvium’s Discord security incident that occurred on 31 December of 2021 and the sILV exploit announced on 3 January 2022. The following information is what we know as of today and we will share more details by updating this article in the near future as our investigations and analysis continue.
**What happened** On the 31st of December 2021 (PT), Illuvium's official Discord server was compromised. The attackers gained access to a core contributor's Discord account, despite 2-factor authentication being enabled, through an elaborate social engineering attack. Using that account, they connected a rogue Discord webhook to the #jobs channel that impersonated an Illuvium bot and announced a surprise New Year NFT stealth mint. The announcement directed users to a fraudulent website that purported to be Illuvium's NFT platform; users who connected and authorized their wallets there had their funds siphoned away by the attackers.
A total of about $150K in funds was stolen from approximately 41 wallets. We have reason to believe that some of these wallets belong to the attackers themselves. We recommend that all users who interacted with the fraudulent site or its smart contract revoke the access they granted immediately. Note that disconnecting a wallet from the site does not undo an on-chain token approval: if you signed an approval transaction, check your wallet's approvals and revoke the one granted to the attackers' contract.
**Our response** Once we became aware of the attackers' actions, we immediately locked down and banned the compromised accounts, revoked the webhook and deleted the scammers' messages. We then posted alerts pinging @everyone in our Discord #announcement channel, as well as warnings on our socials. Our incident response team also revoked the compromised account's access to Illuvium's internal systems.
This attack led to significant changes in our Discord server to increase security, including but not limited to:
- Pruned over 50K members, both inactive users and identified bad actors.
- Removed the ability for newly joined users and bots to see the member list, so they cannot instantly direct message members with scams.
- Restricted the ability to tag @everyone and to @-mention users on our server to the superadmins.
- Removed the permission to create webhooks from all users except the superadmins.
- Revised all user and role permissions in the server, making it easier to manage them and to spot rogue permissions.
Additionally, a compulsory entry point in the Discord server was added. Users entering the server must review our rules as well as an important warning regarding common scams on Discord and how to avoid them.
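The permission review described above can be scripted against a role dump so that a rogue grant of the permissions abused in this incident (webhook creation, @everyone mentions, or blanket administrator rights) is caught automatically. The following is an added example written for this article, not Illuvium's own tooling; the role list is constructed inline in the shape of Discord's roles API response (a `permissions` field holding the bitfield as a decimal string), and the role names and the `superadmin` allow-list are assumptions for illustration.

```python
# Added example (not Illuvium's code): audit Discord roles for the
# permissions that made the webhook/scam announcement possible.
# The permission bit values are the ones documented by Discord.
ADMINISTRATOR = 1 << 3        # implies every other permission
MENTION_EVERYONE = 1 << 17    # can ping @everyone / @here
MANAGE_WEBHOOKS = 1 << 29     # can create webhooks that post as a "bot"

SENSITIVE = {
    "ADMINISTRATOR": ADMINISTRATOR,
    "MENTION_EVERYONE": MENTION_EVERYONE,
    "MANAGE_WEBHOOKS": MANAGE_WEBHOOKS,
}

SEND_MESSAGES = 1 << 11
MANAGE_MESSAGES = 1 << 13

# Constructed role dump (hypothetical names; same field shape as
# GET /guilds/{guild.id}/roles). "@everyone" is the guild's default role.
ROLES = [
    {"id": "1", "name": "@everyone", "permissions": str(SEND_MESSAGES | MENTION_EVERYONE)},
    {"id": "2", "name": "Member", "permissions": str(SEND_MESSAGES)},
    {"id": "3", "name": "Moderator", "permissions": str(MANAGE_MESSAGES | MANAGE_WEBHOOKS)},
    {"id": "4", "name": "Bot", "permissions": str(ADMINISTRATOR)},
    {"id": "5", "name": "superadmin", "permissions": str(ADMINISTRATOR)},
]

# Roles that are allowed to keep the sensitive permissions (assumed here).
ALLOWED_ROLES = {"superadmin"}


def sensitive_permissions(permission_value: str) -> list:
    """Return the names of the sensitive permissions set in a role's bitfield."""
    bits = int(permission_value)
    return [name for name, bit in SENSITIVE.items() if bits & bit]


def audit_roles(roles: list, allowed: set) -> dict:
    """Map each non-allow-listed role to the sensitive permissions it holds.

    A role with ADMINISTRATOR is reported under that name alone, since the
    flag already grants everything else regardless of the other bits.
    """
    findings = {}
    for role in roles:
        if role["name"] in allowed:
            continue
        held = sensitive_permissions(role["permissions"])
        if held:
            findings[role["name"]] = held
    return findings


def hardened_permissions(permission_value: str) -> str:
    """Return the bitfield with every sensitive permission cleared.

    This is the value to PATCH back onto the role; ordinary permissions
    such as SEND_MESSAGES or MANAGE_MESSAGES are left untouched.
    """
    bits = int(permission_value)
    for bit in SENSITIVE.values():
        bits &= ~bit
    return str(bits)


if __name__ == "__main__":
    for name, perms in audit_roles(ROLES, ALLOWED_ROLES).items():
        print(f"rogue permissions on role {name!r}: {', '.join(perms)}")
    print("hardened Moderator bitfield:", hardened_permissions(ROLES[2]["permissions"]))
```

Running the audit over the constructed dump flags the default @everyone role (mass mentions), the Moderator role (webhook creation) and a Bot role that was granted ADMINISTRATOR; only the superadmin role on the allow-list is skipped. In a live server the same check should be repeated for per-channel permission overwrites, since a channel-level overwrite can re-grant what the role audit removed.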
**Our next steps to make the community whole** As the attack occurred because of a security breach of a core contributor's account, Illuvium believes making our community whole again is the right thing to do. We will be returning the USDT equivalent of the stolen funds to affected community members once we have completed a thorough analysis of the attack.
We have engaged Chainalysis to work out the balances that need to be reimbursed to each wallet. We are also in touch with Kucoin about the incident as the attacker has an account on their exchange.
We will be reimbursing those who lost their funds in the scam. The exact nature and mechanism of the compensation is being finalized and will be shared soon.
We're accelerating several of our pre-existing security work streams across many of our teams. We will review security practices with all team members again, and we will continue to run company-wide phishing exercises and training on a regular basis.
