This past month, a series of Discord communities were hacked after administrators were tricked into running malicious JavaScript code disguised as a web browser bookmark.

What we know

Administrators say that several of the attacks started with an interview request from someone posing as a reporter for a cryptocurrency focused news outlet. Administrators who took the bait received a link to a Discord server. The link appeared related to the official Discord crypto news site. When clicked, the link took admins to a page asking them to verify their identity.

The details…

As revealed in this YouTube clip, the aforementioned verification process involved dragging a button from the fake crypto news Discord server to the bookmarks bar on a victim’s browser. At that point, admins were instructed to return to discord.com in order to click on the new bookmark to complete the identity verification process.

The bookmark is actually a snippet of JavaScript that quietly obtains a user’s Discord token and funnels it to the scammer’s website. Attackers can then load the stolen tokens into their own browser sessions, and post announcements in the targeted Discord. Announcements might be related to an exclusive “aidrdop,” an NFT event or another seemingly high-value opportunity.

What’s next…

In the next stage of this attack, unsuspecting Discord members click on the ‘high-value opportunity’ link provided by the compromised administrator account. Members are then asked to connect a crypto wallet to the scammer’s site. Once on the scammer’s site, the site requests unlimited spend approvals on tokens and then drains the balance of profitable accounts.

Should anyone in the compromised Discord channel notice the scam and write anything about it, they are promptly banned from the community. Their messages are deleted by the compromised admin account.

Ocean Protocol

According to Krebs on Security, an Ocean Protocol employee fell victim to this attack. On May 22nd, the Ocean Protocol Discord server admin clicked on a link that had been distributed via private message from a community member. The administrator was asked to verify identity by dragging the link to the web browser’s bookmarks bar. Although multi-factor authentication was enabled, the employee’s account was compromised. As a means of moving forward without detection, scammers waited until midnight in the victim’s time zone to use the account, reducing the probability of detection.

Subsequently, the scammers put forth a message where they appeared to be launching a new Ocean giveaway. The victim eventually reached out to the operator of the server hosting the channel and the issue was resolved.


Discord admin accounts, especially within cryptocurrency-focused communities, have become prime targets for cyber scammers. Via deceptive strategies, like the one outlined above, scammers can gain access to Discord tokens, enabling them to engage in fraudulent activities. Discord admins and users should exercise caution and keep an eye out for these types of cyber attacks.

For more insights into how to keep cyber safe on social media, see this CyberTalk.org whitepaper. Don’t miss out on the latest trends and insights — please subscribe to the CyberTalk.org newsletter.