PeopleDAO hacked via Google Sheets, $120,000 worth of ether stolen

Quick Take

  • A PeopleDAO team member failed to lock a sensitive payout document, leading to the attack.
  • The hacker has been offered a 10% bounty to return the funds.

PeopleDAO, a group formed to buy a copy of the U.S. Constitution, has lost 76.5 ETH ($120,000) to a social engineering hack on March 6 that targeted the project’s monthly contributor payout form on Google Sheets.

A combination of errors led to the theft, according to the project team. First, the accounting lead mistakenly shared a link to the payout form with edit access to a public channel on the project’s Discord Server. The hacker was able to use this edit access on the form to insert their address and a 76.5 ETH payment. The hacker then made this row invisible on the form.

This hidden row on the form escaped the team’s notice during rechecks. It also was not picked up by the multi-signature signers who executed the transfers after data from the form had been sent to the airdrop tool on Safe. As such, the attacker’s wallet received the 76.5 ETH payment. The hacker subsequently transferred the ether to two centralized exchanges — HitBTC and Binance — with 69.2 ETH ($110,000) going to the former and 7.3 ETH to the latter.

PeopleDAO says it is working with blockchain security experts like ZachXBT and SlowMist to track the hacker. The team says it also reported the matter to U.S. law enforcement agencies as well as the exchanges used by the hacker. PeopleDAO offered a 10% white hat bounty to the hacker should they return the funds. The hacker has not responded to this offer as of the time of reporting.

THE SCOOP

Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

The team said it's taking steps to avoid similar mishaps in the future. “We are improving our accounting and multisig education," the team told The Block. “We are embracing tools built on Safe that improve signer experience.”

PeopleDAO says it is planning to host demo sessions with team members about how to use these tools to prevent a repeat occurrence.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Osato is a news reporter at The Block as part of the crypto ecosystems team that focuses on DAO governance, staking, blockchain layers, and DeFi. He was previously a news reporter at Cointelegraph. Based in Lagos, Nigeria, he enjoys crosswords, poker, and attempting to beat his Scrabble high score. Follow him on Twitter at @OsatoNomayo.

Editor

To contact the editor of this story:
Larry DiTore at
[email protected]