In the recent wave of cybersecurity threats, Discord communities dedicated to cryptocurrency discussions have fallen prey to crafty hackers. Over the past month, the platform has seen numerous admin accounts compromised, tricked into executing malicious Javascript code disguised as innocuous browser bookmarks.
Deceptive ploy takes shape
The elaborate attack begins with the insertion of malicious Javascript into a user’s browser bookmarks by dragging a web page component. Victims, often administrators of cryptocurrency-focused Discord groups, reported receiving interview requests from individuals posing as reporters for crypto-news outlets. Accepting the bait, they were directed to an alleged official Discord server of the supposed news site for identity verification.
As shown in a Youtube video, the victims were asked to drag a button from the fake news server to their web browser bookmarks bar as part of the verification process. They were then instructed to navigate back to discord.com and click the newly added bookmark.
Malicious bookmarks: A cybersecurity concern
In reality, the bookmark is a strategically crafted Javascript snippet that discretely extracts the user’s Discord token, sending it to the perpetrator’s website. The attacker can then load the stolen token into their browser session and, usually during late-night hours, post announcements about exclusive “airdrops” or “NFT mint events” in the targeted Discord, enticing other members.
Unsuspecting members, lured by these false opportunities, are tricked into connecting their crypto wallets to the scammer’s site. They are then prompted to grant unlimited spend approvals on their tokens, which allows the fraudster to drain any valuable accounts.
In the aftermath of the attack
The compromised admin account deletes any messages warning about the scam and bans those users who attempt to expose the scheme. Nicholas Scavuzzo, an associate at Ocean Protocol, recounted how their Discord server administrator’s account was hijacked through this method, leading to an unauthorized message about a new Ocean airdrop late at night.
Interestingly, the stolen token only remains functional for the attackers as long as the legitimate owner doesn’t log out or change their credentials. As Scavuzzo highlighted, the attackers also altered the server’s access controls and removed all core Ocean team members from the server in Ocean’s case. Fortunately, Scavuzzo managed to contact the server operator and revert the channel settings to normal.
An emerging pattern of cyber threats
Several other crypto-based Discord communities have reported similar attacks, including Aura Network, Nahmii, and MetrixCoin. These incidents shed light on the increasingly sophisticated methods being employed by cybercriminals to exploit vulnerabilities within social platforms and deceive users.
As users of Discord and other platforms, what’s your take on these emerging security threats? We encourage you to share your thoughts and experiences in the comments section below. Remember, your insights might help someone else stay safe online!
{{user}} {{datetime}}
{{text}}