The Slack channels of many ethereum projects have recently been besieged by scammers who use official-looking accounts to send a direct message to every Slack participant, like the one screenshotted below:
The thieves direct unsuspecting victims to a fake MyEtherWallet webpage that is nearly indistinguishable from the genuine ethereum online wallet.
Once users share their private keys or other relevant information, the hackers instantly sweep the address; according to reports, the loot is now on the move to Bittrex.
Boyan Balinov, who says he moderates one of the affected Slacks, alleged the thieves were Russians because their time zone shows as Moscow.
“I just banned 2 accounts (15 min ago) on another Slack,” he told us two days ago before adding that “it’s the same group over and over again.”
On Slack, however, you can't really ban anyone: they simply get another e-mail address and a VPN, receive an auto-invite under a different official-looking name, and then direct message everyone in a phishing expedition, trying to get unsuspecting individuals to hand over their private keys.
“In the FirstBlood Slack it was @firstbloodtoken. In SingularDTV, it was singulardtvtoken. Now here it’s golem-ico. Same text,” Balinov said before adding that kicking or banning them from Slack is pointless.
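The pattern Balinov describes, a fresh account whose handle embeds a project's name and which sends the same text to many members, is something a workspace moderator can triage automatically. The following is an added example, not code from the article or from any of the projects named in it; the official handle list, the direct-message events, the three-recipient threshold and the placeholder link are all constructed for illustration.

```python
"""Flag Slack accounts that impersonate official project handles and mass-DM
the same text. Added example, not from the article; the handle list, the
events and the thresholds below are constructed for illustration."""
import re
from collections import defaultdict

# Constructed assumption: normalized handles of the real project accounts.
OFFICIAL_HANDLES = {"firstblood", "singulardtv", "golem"}

# Constructed sample of direct-message events: (sender, recipient, text).
PHISH = "Golem token sale open now, verify your wallet at http://example.invalid"
EVENTS = [
    ("golem-ico", "alice", PHISH),
    ("golem-ico", "bob", PHISH),
    ("golem-ico", "carol", PHISH),
    ("golem-ico", "dave", PHISH),
    ("alice", "bob", "did you see the release notes?"),
    ("golem", "alice", "Reminder: the weekly dev call is at 16:00 UTC"),
]


def normalize_handle(handle):
    """Lowercase and drop separators so 'golem-ico' and 'Golem_ICO' compare equal."""
    return re.sub(r"[^a-z0-9]", "", handle.lower())


def is_lookalike(handle, official=OFFICIAL_HANDLES):
    """True if the handle embeds an official project name but is not that account."""
    norm = normalize_handle(handle)
    if norm in official:
        return False  # the genuine account itself is never a lookalike
    return any(name in norm for name in official)


def normalize_text(text):
    """Collapse case and whitespace so trivially edited copies still match."""
    return " ".join(text.lower().split())


def mass_dm_senders(events, min_recipients=3):
    """Senders who pushed the same text to at least min_recipients distinct users."""
    recipients = defaultdict(set)  # (sender, normalized text) -> recipients
    for sender, recipient, text in events:
        recipients[(sender, normalize_text(text))].add(recipient)
    return {s for (s, _), r in recipients.items() if len(r) >= min_recipients}


def flag_suspicious(events, official=OFFICIAL_HANDLES, min_recipients=3):
    """Return {sender: sorted reasons} for every sender tripping a heuristic."""
    reasons = defaultdict(set)
    for sender in {e[0] for e in events}:
        if is_lookalike(sender, official):
            reasons[sender].add("lookalike_handle")
    for sender in mass_dm_senders(events, min_recipients):
        reasons[sender].add("mass_dm")
    return {s: sorted(r) for s, r in reasons.items()}


if __name__ == "__main__":
    for sender, why in flag_suspicious(EVENTS).items():
        print(f"{sender}: {', '.join(why)}")
```

The substring check alone will also catch harmless community handles such as a fan account that includes the project name, so it is a triage signal rather than a verdict; combining it with the mass-DM count, and with an allowlist of known-good accounts, keeps the moderator's queue short.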
“Slack does not offer much security as this was never meant for public forums,” he says, after suggesting they “might need to stop the auto invite for Slacks.”
Shortly after, a number of projects, including SingularDTV, announced they were doing just that, publicly stating that they are temporarily disabling their Slack auto-invite.
Slack, however, has become a very convenient way of keeping up-to-date with projects, allowing you to even directly communicate with the project developers.
It has a number of advantages over alternatives, the main one being that it stores messages publicly sent or received while you were offline, so you can simply scroll up to catch up.
But the auto-invite clearly allows for easy abuse of a public space where many people interact daily; Golem's Slack alone shows some 7,000 users.
One solution might be the WeChat approach: instead of an auto-invite, someone who is already in the group has to send you an invite.
Although that could potentially be abused too, it would be a lot more difficult; on the other hand, the referral invite method may be too inefficient and restrictive.
Another option might be to add some form of identification by perhaps linking sign-ups to Twitter or Facebook accounts, but that has its own problems.
“The struggle is real,” says one Slack participant as some ethereum projects are now facing a very difficult dilemma regarding their public Slack channels.
In the circumstances, it may be up to Slack itself to intervene, perhaps by allowing direct messages to be disabled while offering a referral invite option, or by coming up with some other solution.