For the last year, I have been working at Taostats, a blockchain explorer for Bittensor ($TAO). Part of my role has been building and supporting a Discord community of both very technical and also very non-technical users. I have learned a lot about running Discord communities, and here are some of my lessons learned.

Crypto Discords

Much of what I have to share here will mostly relate to crypto discords, where scammers lie in wait for users to ask support questions, and then they pounce to try to steal wallet information. Let’s look at the ways we’ve blocked these folks.

Keeping the bad guys out

We use Sledgehammer to verify new users. Users cannot send a message until they prove theu are human through a CAPTCHA like test:

We also only want accounts that have a verified phone number in their account.

But these two steps alone don’t keep out the scammers.

Role edits

For any role that a user can have, we need to pull permissions: no **private** threads (we had hackers creating threads that the mods could not see to try to scam users). No embedded links. This has to hold for ALL roles that the public can choose. If you miss one, the scammers will find it and exploit it.

(This does mean that some GIF tools do not work – and that sucks, our community has an excellent GIF game.)

We accidentally allowed private threads for one of our language roles – we could not figure out how the scammers were still creating private threads… Until we scouted the setting in the Italian role.

Links

Scammers love to post links to places where they can have conversations outside the eyes of the public (see private threads). Without private threads, they begin posting URLs to scammer discords. So we began blocking URLs (that was a losing battle).

So we started to block keywords “http” and “https” and that blocked *some* of the scammers…. but not all of them.

It turns out Discord “helpfully” clears whitespace from URLs. So this would work as a link.

Yeah – that’s a mess. So we had to build regexes to block every combination of http with various numbers of spaces after every letter. And unicode in the URL? Definitely up to no good. These guys get a 1 week timeout so that we can wake up and ban them.

Aside to any Discord employees who might be reading this – “fixing” URLs to render correctly like this is stupid. You should stop doing that. It will stop MANY MANY scammers in their tracks.

What the scammers do

Anything to get people out of the public eye. If you start chatting in a DM – they have you where they want you.

What do you think? This DM is legit? This guy REALLY wants to help you? Sadly, people CAN and DO fall for these sorts of messages and get scammed. So we created block lists of common terms (and then common misspellings of those terms “sumbit a ticket”, etc. Keeping them from sending these sorts of “hey, Im here to help” type messages.

What are other ways to get into someone’s DMs? Ahh – pretend to be a mod, or leader of the Discord:

Have MOD as their avatar:

(You’d think shithead03244 would be a terrible name for a mod… and you would be correct).

Maybe they’ll attempt to impersonate a mod:

Cousin Dourg:

Does this stop them? Heck no. Once banned – they hang around outside the Discord and have an alt account listening. Then they pounce in with a DM offering help.

So, even with all of this prevention, we constantly have to warn those asking questions that anyone in their DMs is up to no good.

Sometimes, even replying in 3 minutes is not enough. This poor guy got scammed.

If you are running a community Discord, especially a Discord in crypto, I hope some of these tips help you filter out the scammers and the bad actors.