Crypto Discord Communities Targeted by Malicious Bookmarks & JavaScript

Discord admins, beware: scammers are hijacking accounts and stealing cryptocurrency funds by using malicious bookmarks in a new and tricky attack.

Several crypto-based Discord communities, including Aura Network, MetrixCoin, and Nahmii, have already fallen victim to the attack.

Discord communities have become prime targets for cybercriminals, with frequent attacks being reported on this platform. In a recent wave of attacks, several crypto-based Discord communities, including Aura Network, MetrixCoin, and Nahmii, have fallen victim.

While hackers typically target Discord communities focused on cryptocurrency discussions, this time they are specifically targeting admin accounts belonging to these groups.

Metroids, while we experienced a fake airdrop site being promoted while our Discord was hacked, we have also come to learn there are potential fake sites trying to scam our community. and are our legit sites for info.$MRX #Metrix

— Metrix (@MetrixCoin) May 9, 2023

Attack Method:

According to Brian Krebs from KrebsOnSecurity, there has been a significant increase in attacks aimed at compromising admin accounts on Discord. Attackers are attempting to exploit these accounts by executing malicious JavaScript code. To trick users into executing the code, it is disguised as a seemingly harmless browser bookmark. A YouTube video has been released to demonstrate how this attack unfolds.

Deceptive Strategy:

The attackers employ a deceptive strategy by inserting JavaScript into browser bookmarks using the dragging feature on web pages. Discord admins have reported receiving interview requests from individuals posing as reporters from crypto-news outlets.

Once they agree to the interview, the admins are redirected to a fake Discord server that mimics the news outlet. They are then asked to verify their identity by dragging a button from the server to their browser’s bookmarks bar. The victims believe this action is part of the verification process and subsequently return to and click on the new bookmark.

Malicious JavaScript Snippet:

Unbeknownst to the victims, the bookmark is a cleverly designed JavaScript snippet. This snippet covertly extracts the victim’s Discord token and sends it to the attacker’s website.

The attacker then loads the token into their browser session and proceeds to announce late-night exclusive airdrops or NFT mint events within the targeted Discord group. These announcements are intended to lure innocent members, who trust the legitimacy of the messages.

Victims are then instructed to connect their crypto wallets to a web address provided by the attacker and grant unlimited spend approvals on their tokens. Consequently, the attacker successfully drains funds from these compromised accounts. To cover their tracks, the attacker promptly deletes the messages and bans users who attempt to expose the scam.

Token Functionality and Aftermath:

The stolen token remains functional exclusively for the attacker until the original owner either log out or changes their credentials. This ensures that the attacker can exploit the hijacked account without arousing suspicion.

According to Krebs’ blog post, Nicholas Scavuzzo, an associate of Ocean Protocol, fell victim to this attack. On May 22, the admin of Ocean Protocol’s Discord server clicked on a link sent via direct message from a community member. The admin was then asked to verify their identity by dragging a link to their web browser’s bookmarks bar. Despite having enabled multi-factor authentication (MFA), Scavuzzo’s account was hijacked.

The attackers waited until midnight in Scavuzzo’s timezone to use the account, reducing the chances of immediate suspicion. They subsequently sent an unauthorized message announcing a new Ocean airdrop. Eventually, Scavuzzo contacted the server’s operator who hosted the channel, and the settings were reverted to normal.


Discord admin accounts within crypto-focused communities have become prime targets for scammers utilizing malicious JavaScript bookmarks. The attackers exploit the trust of Discord admins by tricking them into executing the code disguised as innocent browser bookmarks.

Through this deceptive strategy, the scammers gain access to the victims’ Discord tokens, enabling them to carry out fraudulent activities, such as draining funds from compromised accounts. It is crucial for Discord users, especially admins, to exercise caution and be vigilant against such attacks.

  1. New malware targets Discord users to steal personal data
  2. Teen “Hackers” on Discord Selling Malware for Quick Cash
  3. Google Ads Malware Wipes NFT Influencer’s Crypto Wallet
  4. Gaming Firms, Community Members Hit by Dark Frost Botnet
  5. Malicious npm Packages Used in Siphoning Off Discord Tokens
Related Posts