Jacob H.

730 posts

@lukenamop

I'm a Discord security specialist (auditor & builder). I also develop Discord bots like Server Supervisor. Schedule a call: https://t.co/hGqswIV1WW

United States · Joined August 2020
175 Following · 15.4K Followers

Pinned Tweet
Jacob H. (@lukenamop)
📌 Megathread of my bots and other services 📌 I’m both a Discord security auditor and a Discord bot developer, use this thread to find links to everything I have to offer!

Jacob H. (@lukenamop)
@NashSevereWx Due to the severe low temps tonight, should people who haven’t had power since yesterday morning consider turning their water off and draining their pipes, if they can, to lower the likelihood of their pipes freezing & bursting?

NashSevereWx (@NashSevereWx)
Cold Weather Advisory thru 6p Today, then Extreme Cold Warning from 6p thru noon Tuesday. Continue to check in on neighbors and family, especially those that may be elderly or have medical issues. New blog here nashvillesevereweather.com/2026/01/26/dan…

Jacob H. retweeted
Jon_HQ (@Jon_HQ)
🚨🚨🚨 Twitter Phishing Warning 🚨🚨🚨 If your marketing intern just received this email, your project's Twitter account is about to be compromised. They will lock you out and then spam a fake CA for days. Here's how the scam works & how to protect against it:

Jacob H. (@lukenamop)
@egtaylor34 @NashSevereWx @Ascend_amp I'm in the touring industry and based on the lightning map I'm looking at right now, the earliest I could see the show resuming is about 9:30pm. Maybe not even until 10/10:30pm, depending on how long lightning keeps striking.

Erica Taylor (@egtaylor34)
Hey @NashSevereWx , we are being evacuated from @Ascend_amp . Show was supposed to start at 8 pm. I know you don’t make concert calls, but we have a babysitter and need some sort of guidance. Hold an hour or so for the show or head home?

Jacob H. retweeted
Panley (@panley01)
⚠️ DISCORD SECURITY PSA ⚠️ A new token grabbing technique is going around, revolving around GitHub & soliciting dev help. The attacker will direct you to a GH repo with malicious code, which WILL STEAL ALL CREDS from your browser cache. Verify/block DMs: blog.pnly.io/our-tools-for-…

Plum (@Plumferno)
Friends, loved ones, and fellow degens - I call you here to witness what I now consider to be The Stupidest Thing I Have Read All Year At this point I would just say "delete all of your internet accounts and get a rotary dial phone" because O M F G HOW. HOWWWWW?!

Jacob H. retweeted
Jon_HQ (@Jon_HQ)
I have been keeping very busy this month! I just finished helping @MagicEden do a full top to bottom sweep of their server, locking it down while still enabling their team to function in the Discord. Just in time for the introduction of their new wallet! It is vitally important to keep your server hygiene up to date, if a lot of things changed since your last server audit, it might be worth considering a new sweep. This is going to be something I'm checking in on with some of my past clients, since some of my first audits happened over two years ago.

Plum (@Plumferno)
My profile colors are broken right now and I hate it I usually keep my profile here set to 'purple', and my buttons and site text and everything else is purple IT'S BRIGHT BLUE RIGHT NOW, reeeeeee Even the background is messed up, it's "dim" instead of dark mode/lights out Doesn't matter what I set it to, it goes right back to stupid blue and dim every time I refresh. 😭😭😭 ARGH and I just noticed all my Most Used emojis are wiped too REEEEEEEEEE

anon (@anonchain)
Since when does #web3 have an automatic logo next to it and what does it mean? 👀

Jacob H. retweeted
Plum (@Plumferno)
They literally sim swapped the SEC page, y'all This is legit, no ETF yet, grab your bags
SEC Chair Gary Gensler Archive (@GenslerArchive)

The @SECGov twitter account was compromised, and an unauthorized tweet was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.


Jacob H. retweeted
Boring Security (@boringsecdao)
As we finish up getting these apes back to their rightful owners, I just want to give a huge shoutout to the team for working overtime this weekend to come together on this. The DAO is comprised of dozens of individuals, and are all here to further the mission of web3 security awareness. 🙏

Over the past couple days, we've had a lot of folks reach out asking things like "can you tell us one security tip everyone can follow to make sure this never happens to them?". And the answer, unfortunately, is well... not really.

It turns out being your own bank is complicated. It isn't something that a quick soundbite or tweet thread is likely going to get you prepared for. The ETH devs have worked hard to create digestible abstraction layers for users, but things aren't always as straightforward as they may seem. But the reality is, understanding a bit how things work under the hood is (unfortunately) still important to surviving web3. In the next few years, this will definitely change, as the amount of UI/UX improvements made in 2023 alone is groundbreaking. But we still have a ways to go!

We've partnered with over 80+ NFT projects in the last year and a half, bringing high quality, free, instructor led training, in an endeavor to help foster a culture of security in web3. But there are so many ways our community leaders can help accelerate this process. And we need their help. They can start by:

- Giving Whitelists for security educated folks
- Offer security modules to complete before getting full access to the community
- Create or adopt primitives in your ecosystem (like wallet delegation, web3 security extensions, or other technical primitives like using ERC-721x)
- Train mods/community managers to be security champions
- Host and offer special POAPs/bonuses to those completing classes or security events

It is really in community's best interest to do this. We've run the numbers, and we promise it is.

Our DMs are open to work or brainstorm with community leaders on this topic, or to provide feedback on your plans to empower and protect your own community. Web3 Strong Together. 🫡

Jacob H. retweeted
Jon_HQ (@Jon_HQ)
🛠️ Doing a Discord audit is hard. 🛠️ Discord servers can quickly turn into giant unmanageable jumbles and even the best Discord auditors have horror stories of certain servers just being too much. The only way to know if your Discord audit was not good, is when it fails and a server gets compromised. That is obviously not a great outcome. In terms of a feedback loop as well, someone can avoid having their servers compromised purely out of luck, and feel like they give the best audits in the world, until they start falling like dominos. That is why we made a better feedback loop at @Server_Forge. For free, every member of ServerForge can submit an audit and have like 7 expert auditors all review it. Want to know what happens when most SF members submit? They trigger an instant fail option. But this is good, we identify a major issue with their setup and tell them WHY. This improves their auditing game immensely and they can resubmit. Once they pass they get to join the ranks of the ServerForge Approved Auditors. This is a free service, that anyone can participate in, and we actively try and prod people in the space providing Discord audits towards doing this. Seriously, would you prefer a Discord auditor with a feedback loop of instant feedback and corrections, or one where they learn over months or years by having their client's servers fail.

Jacob H. retweeted
Jon_HQ (@Jon_HQ)
Loopring's official Twitter compromised. I literally spam the steps to protect your project and no one reads it. If you are a crypto company and can't secure your X account in 2024: don't be in crypto. You won't make it.

Jacob H. retweeted
Jon_HQ (@Jon_HQ)
🚨 Your project can get hacked even with an audit 🚨 This applies to both smart contract audits and Discord server audits. An audit is not a magic bullet for all problems that can arise in the future. It is a review of the current scope, and implementation of best practices. New attacks, new exploits, can all expose a project or a server to new risks. If you get an audit done but don't follow the guidance on how to safely change things, you further open yourself up to risk. There is no effective way to force a project to adhere to what an audit recommends. It is on the project after the fact to keep their server or smart contract up to audit quality. Teams can't consider an audit a one-off expense. They need to constantly be thinking about and investing in security. There should be a team member in charge of security and making sure the entire project is staying safe.

Jacob H. retweeted
ZachXBT (@zachxbt)
If your project has a Discord server and the server owner or admins are not on a cold account then you are being negligent. There are still far too many Discord server compromises happening in 2023. The majority of the time the project shifts blame to users when the entire compromise was extremely preventable to begin with. h/t @NFTherder @Jon_HQ for these graphics

Jacob H. retweeted
Plum (@Plumferno)
Today's compromised account pushing fake/phishing links is @elliotrades 🚨 DO NOT ENGAGE. No clicky!

Jacob H. retweeted
Jon_HQ (@Jon_HQ)
Stellar's main Twitter account has been compromised. This one is going to hurt, around 750k followers. Don't click links, be safe folks. h/t @Plumferno

Jacob H. retweeted
Plum (@Plumferno)
Here we go again… @GutterCatGang appear to have been compromised, account is posting fake links and replies are off. DO NOT CLICK ON THIS MESS, I STG

Jacob H. retweeted
Jon_HQ (@Jon_HQ)
One thing most newer auditors miss is limiting bot permissions. Bot compromises DO occur. Do you really want your server to have a drainer link posted because you left admin perms on 'Dank Memer' bot? Make sure you review the bots on your server, and what permissions they have.