Adult gaming dev loses control of storefronts in sophisticated Discord attack
Phishing for indie gaming revenue in Naughty List News #71
This week’s edition of Naughty List News was sponsored by Paradise Lust, the erotic dating sim about a stranded pleasure yacht full of beauty pageant contestants looking for a way home.
Phishing attacks on Discord have seen a significant upswing in recent months. Specifically, indie game developers are being targeted by what appears to be a sophisticated social engineering attack. When developers fall victim to this attack, their Discord account is turned into a vector for infecting their friends.
Devilish Domina recently fell prey to such an attack. I spoke with her to figure out what happened and to hopefully warn others. Domina temporarily lost control of some of her storefronts because of the attack.
Who is Devilish Domina?
Devilish Domina works with her husband Deviant Dev on the virtual reality game Dominatrix Simulator. She often gives feedback on the projects of other developers in the tight-knit community of indie game development. So when a gamedev contact asked her on Discord to look at a project from a “friend,” she wasn’t immediately suspicious. But she did have Deviant inspect the files first, just to make sure.
Deviant didn’t spot anything immediately amiss. Domina’s contact warned that the project might be broken, which is why they were keen to get another pair of eyes on it. Deviant indeed spotted a database file missing, which would explain the problems this “friend” was having with their “game.”
Assured by this explanation from her husband, Domina ran the executable on her machine. The trap was sprung, and the attacker immediately took control of her Discord account.
A dangerous lapse in security
Domina did not have two-factor authentication (2FA) enabled on her Discord account. This lapse of account security meant that the attacker was able to lock Domina out of her account by first changing the associated email address and then requesting a password reset. The attacker would not have been able to do this with 2FA enabled; they would have needed physical access to her phone as well.
But Domina’s troubles did not end with her Discord account getting hacked. The attacker was able to gain access to some of her company’s store pages as well.
Domina says she is not sure exactly what happened, but the attacker infiltrated her game’s Patreon and itch.io pages too. She says what’s weird about that is that these company accounts are associated with her husband, who, as far as she knows, was not compromised by this attack. Her suspicion is that the attack was related to Discord integrations with both storefronts, but she has no hard evidence to back that up.
Luckily, the attacker was not able to take over her company’s Steam account and they failed to compromise her Google Drive as well. This is good news because Google Drive is where the two-person company stores its sensitive documentation.
But with access to some of her game’s store pages, the attacker was able to upload a compromised version of Dominatrix Simulator. These versions have thankfully now been wiped, and Domina strongly urges anyone who downloaded the game recently to download it again from itch.io or Patreon.
Domina suspects that the attacker was looking to siphon away her company’s earnings from the different store pages. But luckily she was able to put a stop to that before the attacker could take more advantage of their access.
Some kind of resolution
When she was hacked, Domina reached out to Discord immediately to report it. She created a new Discord account with 2FA enabled and changed passwords everywhere she could. Domina was able to get in touch with a senior staff member at itch.io, who restored access to her game page quickly. Patreon also restored access within half a day of her getting in touch with them. But both store pages were compromised for around 36 hours.
When the attacker lost control of the store pages, they lashed out. They took over Domina’s new Discord account as well, even though she now had 2FA enabled. This proved to Domina that the attacker had control of her entire machine and she realized that she had to reset the machine to factory defaults to stop it. Domina says she hasn’t seen any new activity from the attacker since then.
But the attacker also vandalized her company’s Discord server, renaming and deleting channels, and wiping out years of community posts in the process. Domina and Deviant were able to restore channels and settings thanks to a team of volunteers but the server’s history is likely lost forever.
Domina had this to say about the whole situation: “It was all a lot of chaos for a while there. Nothing like this, but regular pirating, has ever happened before.”
What you can do
Discord has added a warning dialog when you click a download link in a direct message from another user. If you’re a developer receiving a request for help from a contact, you should use the dialog as a small pause to reflect:
How well do I know this person?
Am I sure they’ve not been compromised already?
Can they explain their issues in a voice chat instead?
Furthermore, you should make sure to enable 2FA on your Discord account. This will at least stop any attacker from using your social standing to attack others.
And lastly, please keep in mind that we’re all human. Domina made a mistake that I could have easily made myself. And if it can happen to her, it can happen to anyone.
Stay safe out there!
Writing Wrap-Up 📖
Succubus Academia is now available on DLSite. Defeat the succubi who infest your academy in a game too hot for Steam!
Romantic comedy Erovoice is now available on MangaGamer. An audio fetishist becomes a sound engineer at a voice acting company…
Action RPG Chevalier Historie was released on Steam. Crawl through dungeons and defeat enemies as a knightess to ultimately save the princess!
OpRainfall reviewed Lonely Catgirl Is The Purrfect Pussy. Save a shivering catgirl from the rain in this sweet and lovely visual novel.
Evenicle 2 was released on MangaGamer and JAST USA. As noted before in this newsletter, Steam does not want to sell the latest AliceSoft title on its storefront.
Studio Élan released Heart of the Woods on PlayStation 4 & 5. Yuri stories? On my GameBox? It’s more likely than you think!
A free update to Haven adds same-sex relationships. The small indie team hopes that many players will feel better represented in their game!
Paradise Project stops distributing several games. No real reason was given except for a “change in corporate policy” at the publisher.
The “Elden Cockring” syncs Elden Ring with your vibrator. Now you can get truly intimate with the latest FromSoft title.
Ukrainian creators are using their OnlyFans as an unexpected war journal. Sex workers are trapped in the conflict too and need help more than ever.
Thanks for reading this far!
If you want to help me compile the newsletter, feel free to poke me on Twitter.
Until next time!
-Mr. Hands