Discord Exploits: How To stay Safe As A Server Owner

A common scam steals users' Discord tokens, allowing scammers to take control of their accounts. Here's how to avoid it.

Discord Exploits

Yesterday, Ruby.Exchange's Discord server was affected by a security incident. The account of one of the admins was compromised and announcements were posted about a fake airdrop. Community members were asked to go to a fake Ruby website, where they were required to connect their wallets—which would likely then have been drained.

However, thanks to the fast action taken by community members and the Ruby team, no funds were lost and no lasting damage was done.

But how did this happen in the first place—and what can Discord server owners do to protect themselves?

Discord Token Theft

The scam is a common one in the crypto space, and exploits the way Discord operates. It essentially works the same way every time.

Potential victims are contacted by representatives from a fake project—often "employees" from well-known organizations in the crypto space, or new projects with a tempting offer of one kind or another.

Scam text screenshot

The hook might be an investment opportunity, the chance of some publicity, or—very often—the offer of a well-paying job.

Scam introduction screenshot

Ultimately, whatever the lure is, the next part of the process is always the same. After a short chat to establish interest, the "employee" sends a link to the supposed Discord server, where you have to verify yourself. Verifications are quite normal nowadays and do not arouse suspicion at first.

Scam invite screenshot

The fake servers are typically relatively well designed, but users won't have channel permissions until they "verify" themselves. For verification, the scammers also fake well-known bots such as Dyno, Carlbot, CaptchaBot, and InviteTracker.

The victim is familiar with the process, and has a good incentive to verify their account. However, the "verification" is where the exploit takes place. Often it will lead them to an external website (which is of course fake as well).

Fake verification text screenshot

The fake website extracts the victim's Discord token, allowing the scammers to gain control of their account, including its permissions (e.g. admin, mod).

Another variation is that a “verification bot” (which isn't a bot at all) asks the user to verify themselves.

Fake verification bot screenshot

Once the scammer has control of the account, they can use it to post links in your Discord for fake offers, giveaways, etc., which will lead your users to other sites that will compromise their wallets.

What Should You Do If It Already Happened?

As a Discord Owner, if this happens to one of your team members, you should act quickly:

  1. Immediately revoke "View Channel" permission for all community members/roles for the channel(s) on which fake announcements have been posted. That stops users from being able to see and click on the links, buying time while you fix the problem.
  2. Use Telegram or another platform to get in touch with your admins. They need to check if they have access to their Discord account. This way, you may be able to find out which account has been compromised (the compromised admin probably won't have access to their account).
  3. If you can't work out which account has been compromised quickly, temporarily ban one team account (or remove admin permissions) after the other until the announcements stop.
  4. Get the compromised user to change their password. This also changes the Discord token, so the scammers will lose their access.
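Step 1 of the list above is the one that has to happen within minutes, and it is easy to get wrong by hand when a channel has many role overwrites. The following is an added example, not code from Ruby.Exchange or the original post: it works on plain dicts shaped like the role and `permission_overwrites` objects Discord's REST API returns, computes the overwrites that deny "View Channel" to every non-administrator role (administrators bypass overwrites anyway, and the responders need to keep seeing the channel), and keeps a snapshot of the original overwrites so the lockdown can be reversed once the incident is over. The guild, roles and channel below are constructed sample data; the actual API call that applies each overwrite is left as a comment so the block runs offline.

```python
"""Channel lockdown helper for incident step 1 (added example, not the post's own code).

Computes the permission overwrites that hide a channel from all non-admin roles
and returns a snapshot for rollback. Operates on dicts shaped like Discord's
REST API objects (roles: id/name/permissions; overwrites: id/type/allow/deny,
with bitfields serialised as decimal strings).
"""
from __future__ import annotations
import copy

# Discord permission bits (public API docs).
ADMINISTRATOR = 1 << 3    # 8
VIEW_CHANNEL = 1 << 10    # 1024
SEND_MESSAGES = 1 << 11   # 2048

ROLE_OVERWRITE = 0        # overwrite "type": 0 = role, 1 = member
MEMBER_OVERWRITE = 1

# Constructed sample guild. The @everyone role id always equals the guild id.
GUILD_ID = "100000000000000000"
ROLES = [
    {"id": GUILD_ID, "name": "@everyone", "permissions": str(VIEW_CHANNEL | SEND_MESSAGES)},
    {"id": "100000000000000001", "name": "Admin", "permissions": str(ADMINISTRATOR)},
    {"id": "100000000000000002", "name": "Moderator", "permissions": str(VIEW_CHANNEL | SEND_MESSAGES)},
    {"id": "100000000000000003", "name": "Verified", "permissions": str(VIEW_CHANNEL)},
]
ANNOUNCEMENTS = {
    "id": "200000000000000000",
    "name": "announcements",
    "permission_overwrites": [
        {"id": GUILD_ID, "type": ROLE_OVERWRITE, "allow": str(VIEW_CHANNEL), "deny": "0"},
        {"id": "100000000000000002", "type": ROLE_OVERWRITE, "allow": str(SEND_MESSAGES), "deny": "0"},
    ],
}


def is_admin_role(role: dict) -> bool:
    return int(role["permissions"]) & ADMINISTRATOR == ADMINISTRATOR


def lockdown_overwrites(channel: dict, roles: list[dict]) -> tuple[list[dict], list[dict]]:
    """Return (snapshot, new_overwrites) without mutating the channel.

    snapshot: deep copy of the current overwrites, to restore after the incident.
    new_overwrites: one overwrite per non-admin role with VIEW_CHANNEL removed
    from allow and added to deny; existing member-specific overwrites are kept
    but also denied VIEW_CHANNEL, so a per-user allow cannot bypass the lockdown.
    Each entry would be applied with PUT /channels/{channel_id}/permissions/{id}
    (not performed here).
    """
    snapshot = copy.deepcopy(channel["permission_overwrites"])
    existing = {(o["id"], o["type"]): o for o in channel["permission_overwrites"]}
    result = []
    for role in roles:
        if is_admin_role(role):
            continue  # administrators bypass overwrites and must keep access
        cur = existing.get((role["id"], ROLE_OVERWRITE), {"allow": "0", "deny": "0"})
        result.append({
            "id": role["id"], "type": ROLE_OVERWRITE,
            "allow": str(int(cur["allow"]) & ~VIEW_CHANNEL),
            "deny": str(int(cur["deny"]) | VIEW_CHANNEL),
        })
    for (oid, otype), cur in existing.items():
        if otype == MEMBER_OVERWRITE:
            result.append({
                "id": oid, "type": MEMBER_OVERWRITE,
                "allow": str(int(cur["allow"]) & ~VIEW_CHANNEL),
                "deny": str(int(cur["deny"]) | VIEW_CHANNEL),
            })
    return snapshot, result


def can_view(overwrites: list[dict], member_roles: list[dict], everyone_id: str = GUILD_ID) -> bool:
    """Resolve VIEW_CHANNEL the way Discord does: OR the base role permissions,
    ADMINISTRATOR short-circuits to True, then apply the @everyone overwrite,
    then all role denies followed by all role allows."""
    base = 0
    for r in member_roles:
        base |= int(r["permissions"])
    if base & ADMINISTRATOR:
        return True
    by_key = {(o["id"], o["type"]): o for o in overwrites}
    perms = base
    everyone = by_key.get((everyone_id, ROLE_OVERWRITE))
    if everyone:
        perms = (perms & ~int(everyone["deny"])) | int(everyone["allow"])
    allow = deny = 0
    for r in member_roles:
        o = by_key.get((r["id"], ROLE_OVERWRITE))
        if o and r["id"] != everyone_id:
            allow |= int(o["allow"])
            deny |= int(o["deny"])
    perms = (perms & ~deny) | allow
    return bool(perms & VIEW_CHANNEL)
```

Keep the returned snapshot somewhere outside Discord (step 2 already has you on another platform); restoring it is the same PUT call per overwrite once the compromised account has been identified and its password changed.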

Keep Your Owner Account Clean

The action list above works only if your owner account is safe. If the owner account is compromised, however, the scammers can directly transfer ownership to another account and you can't do anything about it. This is the worst-case scenario, and your whole Discord server may be lost.

It follows that your owner account must be 100% secured. To ensure this, use a dedicated account, just for that. Aside from using it for administering your project's Discord, you should not do anything else with that account. Its sole purpose is to create the server and recover it if there is ever a problem. Use 2FA, of course, and don't log into it unless you have to. Don't even reveal the name to regular users. This account should be yours and yours alone: this role should not be outsourced to anyone.

Basic Precautions

Aside from this, there are some standard precautions that you (and other users) can take to improve your Discord security.

  • Always use 2FA.
  • Use a unique, complex password and change it if you think there is any risk that it has been compromised.
  • Regularly check the "Authorized Apps" in your own user settings and revoke any that are not needed.
  • Always look critically at invitations and DMs, especially ones that seem too good to be true (would CoinTelegraph really be writing to you out of the blue?).
  • Check if the project in question actually has a Discord server—many organisations don't.
  • If there is a Discord server, join it directly with the link provided on their website, not using the link you've been sent via DM. You can then ask the admins for more information.

Don't forget to warn your members. This is a very common scam, and due to the way Discord works there's little you can do to mitigate it beyond being skeptical of offers and cautious about clicking on links.
