블로그로 돌아가기
discordmetamaskphishingsocial-engineering
커뮤니티 신뢰 붕괴: Discord, MetaMask, 그리고 "클릭하여 서명"의 종말
검증된 Discord 공지가 지갑을 비울 때, 누구를 신뢰할 수 있을까요? 답은: 플랫폼이 아닌 코드입니다.
Miguel Treviño•
TL;DR:
- The Threat: Attackers are seizing control of verified Discord announcement channels to trick loyal users into signing malicious transactions.
- The Vulnerability: "Blind Signing"—where users approve complex hex strings in a hurry (FOMO)—has become a primary vector for wallet draining.
- The Pattern: Community trust is weaponized; the "verified source" bypasses standard user caution.
- The Defense: Zelf breaks this cycle with Intent Verification—requiring a deliberate biometric action via its stand-alone mobile app, preventing accidental "one-click" drains.
The pattern is becoming depressingly familiar.
- A popular NFT project or protocol has its Discord server compromised.
- A hacker posts a "SURPRISE MINT!" link in the official
#announcementschannel. - Thousands of loyal users verify the source, click the link, and sign a transaction.
- Wallet Drained.
As highlighted by FlakySpecial, this just happened again, bypassing the standard mental firewalls of experienced users because the "source" was verified.
The Blind Signing Problem
The root cause isn't just Discord security; it's Blind Signing.
When you use a browser extension wallet like MetaMask, you are often presented with a confusing hex string or a vague "Set Approval For All" request. In the heat of the moment (FOMO), users click "Confirm" without realizing they are signing a death warrant for their assets.
Friction is a Feature
Zelf introduces a necessary layer of friction that saves you from yourself.
- Intent Verification: Zelf doesn't just ask for a click. Because it uses ZK Face Proofs, the act of signing requires a deliberate, biometric action. You have to look at your phone.
- Decoupled from Browser: Zelf Wallet is a standalone mobile app, not a browser extension. A malicious link in Discord can't automatically pop up a transaction window in your Zelf app in the same seamless (and dangerous) way. You must initiate the connection via WalletConnect or a QR code, giving you a crucial moment to pause and think: "Is this real?"
- Smart Parsing: Our goal is to translate
0x...into human-readable "You are giving access to ALL your USDT."
We can't fix Discord. But we can fix the tool you use to interact with it.