Comment by Ancapistani

15 hours ago

Hey, this one got me too!

The DM came from an old gaming friend of mine that actually was a developer. I’d known him for years and had playtested for him before - though it was years prior. Literally nothing about it seemed fishy.

As soon as the game “crashed on load” and Discord took its focus, I realized what had happened. I managed to change my Discord password, revoke all session tokens, and lock them out while they were buying things from the Discord store. Then I went through, changed my critical passwords, froze all the cards that are in my Bitwarden vault except one with a very low limit I kept alive as a canary, and started my post-mortem.

Turns out the malware did in fact attempt to exfil my Bitwarden vault. Thankfully, I have it configured to remain locked always and to require a security token to use, so they didn’t get anything unencrypted.

Between my initial response, analysis, dealing with changing passwords, and wiping my desktop out of an abundance of caution, I lost a total of about 12 hours. The attacker managed to buy about $60 of stuff on Discord before I shut them down there. Oh, and I got extortion messages from various accounts claiming to be them for months.

One thing that did surprise me was that while I was revoking access, they were trying to convince me they had all my credentials. They sent a screenshot of them logged in to my Autodesk account, of all things. That freaked me out, but I quickly realized that that particular email/password combination had been leaked and that the attacker was using it to try to convince me they had much more damaging information than they really did.