Discord attacks & how to prepare.

Discord attacks happen unexpectedly. Through the years, we’ve seen Discord take prominence in the way project supporters communicate. A space that was once ruled almost exclusively by Telegram is now more or less evenly shared between both platforms. The advent of booming NFT communities has pushed Discord into the limelight, and using it is now pretty much mandatory.

Unfortunately, scammers followed this trend too. They have proved to be extra creative on this new platform, harnessing its immense power and misusing it…

It’s not uncommon to see news of another Discord attack within the crypto space, some with such catastrophic consequences that even mainstream media reports about them.

What do Discord attacks target?

Scammers target keys – opening the doors to an account or bot with elevated privileges is their main goal.

In this blog post we will go through some of the most well-known Discord attack vectors that these bad actors employ.

Scam OAuth

A “well-intentioned” community member recommends a security bot to you that is really easy to set up for your community! Just add it to the server, give it admin privileges and off you go…

You look into the user’s history. He has been around for some time, helping answer the community’s questions. You then look into the bot. The name is familiar; you’ve seen it before while setting up your server but delayed implementation given the configuration complexity. You’re led to believe it is safe, given its “Bot” badge, and that it’s now easier to configure given the very few steps you had to go through.

What you did not notice was that, although the bot you were given did have the “Bot” badge, it was not a verified bot. There is no verification checkmark… In fact, you are directed to a phishing website identical to the original. Be sure to check for all of this before adding a bot to your server. Another clue is the creation date – scam bots are usually new!
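The creation-date check above can be done without trusting anything the bot's page shows you: every Discord user and bot ID is a "snowflake" whose upper bits encode the account's creation time in milliseconds since the Discord epoch (2015-01-01T00:00:00Z). The following is an added example, not code from the original post or from AmaZix, that decodes that timestamp and flags a bot that is unverified or younger than a threshold you choose. The `min_age_days` threshold, the `assess_bot` function and the sample IDs are assumptions constructed for the example; real IDs are obtained from Discord's developer mode ("Copy ID") on the bot's profile.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Discord snowflake epoch: 2015-01-01T00:00:00Z, expressed in milliseconds (known Discord constant).
DISCORD_EPOCH_MS = 1420070400000
_UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Decode the creation timestamp embedded in a Discord snowflake ID.

    The top 42 bits of the 64-bit ID hold milliseconds since the Discord epoch;
    the remaining 22 bits are worker/process/sequence fields we do not need here.
    """
    ms_since_unix_epoch = (snowflake >> 22) + DISCORD_EPOCH_MS
    return _UNIX_EPOCH + timedelta(milliseconds=ms_since_unix_epoch)


def make_snowflake(created_at: datetime) -> int:
    """Build a constructed snowflake for a given creation time (low 22 bits zero).

    Used only to fabricate sample IDs for this example; real IDs come from Discord.
    """
    ms_since_discord_epoch = int((created_at - _UNIX_EPOCH).total_seconds() * 1000) - DISCORD_EPOCH_MS
    return ms_since_discord_epoch << 22


def account_age_days(snowflake: int, now: Optional[datetime] = None) -> float:
    """Age of the account in days, relative to `now` (defaults to the current UTC time)."""
    now = now or datetime.now(timezone.utc)
    return (now - snowflake_to_datetime(snowflake)).total_seconds() / 86400


def assess_bot(snowflake: int, is_verified: bool,
               min_age_days: int = 90, now: Optional[datetime] = None) -> Dict[str, object]:
    """Apply the two checks from the post: verification checkmark and account age.

    `min_age_days` is an assumed threshold; pick one that fits your community.
    Returns a verdict plus the reasons, so a moderator can see why a bot was flagged.
    """
    reasons = []
    age = account_age_days(snowflake, now)
    if not is_verified:
        reasons.append("bot lacks the verification checkmark")
    if age < min_age_days:
        reasons.append(f"bot account is only {age:.0f} days old (threshold {min_age_days})")
    return {
        "created_at": snowflake_to_datetime(snowflake).isoformat(),
        "age_days": round(age, 1),
        "ok": not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample IDs: one long-standing verified bot, one brand-new unverified bot.
    review_time = datetime(2016, 4, 1, tzinfo=timezone.utc)
    old_verified = make_snowflake(datetime(2015, 6, 1, tzinfo=timezone.utc))
    new_unverified = make_snowflake(datetime(2016, 3, 15, tzinfo=timezone.utc))
    for label, sid, verified in (("established bot", old_verified, True),
                                 ("suspicious bot", new_unverified, False)):
        print(label, assess_bot(sid, verified, now=review_time))
```

Paste the bot's real ID into `assess_bot` (with `is_verified` set from whether the checkmark is actually present on its profile) before granting it any permissions; a freshly created ID combined with a missing checkmark is exactly the pattern the post warns about.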

QR Code verification

You join a server for a new project and, as with any well-configured server, you’re requested to verify yourself as a human user. In this instance you are faced with a prompt to verify your account through a login QR code…

You scan it, and no verification happens, making you wonder what’s wrong. While you’re doing so, a scammer now has full access to your account and can fiddle with any server you have elevated permissions on!

Never scan QR codes unless you are trying to log in on the official Discord apps. Any other usage for login QR codes under the guise of verifying yourself to access a server is malicious, and immediately gives the keys to your account to the scammers.

Screenshares

You’re having some problems configuring your server and/or you’re missing a key part of the configuration that’s publicly facing. A seemingly helpful community member sees this and offers help via video call so he can see what the problem is and point you in the right direction.

This should be an immediate red flag. This person might request you open the browser’s console while on Discord just to copy the key for your account. Request professional help from an auditing firm or your vendor to get those issues resolved.

Bookmark hacks

After joining a new server, you’re prompted to drag a bookmark to your browser’s toolbar in order to verify. As soon as you do, you give the attacker your account’s keys through a JavaScript hack!

Never bookmark anything for any reason – legitimate verification is straightforward and is done either directly on Discord or on the bot’s legitimate website.

Other Discord attacks

These are just a few of the more common Discord attacks employed by hackers in order to gain access to your keys. Being protected from these tactics requires a sharp eye and a good understanding of configuring Discord servers. Through our experience configuring new servers for clients and auditing existing ones, we’ve learned methods that avoid all these pitfalls. At AmaZix, we configure servers in a way that won’t allow a hacker to get permissions, along with a panic button we can press if an emergency were to happen.

Book a consultation call to be eligible for a free Discord audit here.