How Discord hackers and scammers compromise your server
You receive a Discord message from a strange-looking user who is being very friendly and offering you free cryptocurrency. You think "hey, he seems like a nice guy". You click the link, a website opens, you enter your details, and nothing really happens. You sleep on it and forget about it. Alas, you wake up in the morning to find that your Discord account has been hacked (and perhaps your crypto wallet too). What exactly happened?
Discord hacking comes in many shapes and forms. In this article we go through some of the ways people hack Discord servers, drawing on the help and experience of our Community Managers, and give you some tips to keep your crypto and Web3 community safe on Discord.
How can someone steal your Discord token?
As the recent compromise of Yuga Labs's Bored Ape Yacht Club (BAYC) Discord server shows, Discord hacking can happen to the biggest communities and projects. Before answering "How can someone steal your Discord token?" we need to understand what a "Discord token", or more accurately a "Discord account token", is.
What is a Discord account token?
When you log in to Discord and type your username and password, that information is not what your client uses to talk to Discord on your behalf afterwards. Instead, the username and password are exchanged for your account's actual key, known as a token.
This key or "token" is what the application you're using presents to Discord in order to act on behalf of your account. It is a string of characters that looks something like this: "OTMxOTc1NzUxNzY5NjgxOTYx.GKHAxT.9ThDqk0eeQYc4xdwnD45sl4mTOJRA61VN92jvQ".
This token is so important because whoever holds it can talk to Discord on behalf of your account without any email verification, two-factor authentication, and so forth. Those checks happen at login, when the token is issued; the token itself is what your application uses in the background for every request afterwards.
This "super important key that can access everything without verification" can feel like a dumb security hole in Discord that shouldn't exist. However, without it you would have to enter your login information and your verification codes (email code, two-factor authentication code) for every single action.
So, your account information is used to obtain your account's actual password, the token, and your application uses that token every day to talk to Discord on behalf of your account. But how can someone get hold of it? Should you be worried and paranoid about it?
Discord tokens are a cousin of browser cookies
Yes, you should be careful about it; it is very important not to leak your account token. But it is about as safe as the cookies in your browser, and cookies are used in a very similar way. For example, when you log in to your favourite social media platform and tick the "Remember Me" box, how does the platform remember you when you close the browser and come back some time later? (Spoiler: cookies.)
When you log in, the platform issues a cookie for that login session and your browser stores it. When you close the browser, do something else and open the platform again, the browser sends the cookie from that old session back to the platform.
And the platform goes "Oh, the cookie I was given matches the one I stored, so it must be legit. Free pass, mate!" In other words, it remembers you so you don't need to type your information again; it's as if you never left.
Would you say your cookies are unsafe? A security person would say "yes, there is a chance", but a normal user never thinks about it. Those cookies are stored locally in your browser, and unless someone has access to your browser or computer you are pretty safe. It's the same with Discord tokens: unless your account or machine is compromised in some way (we'll get to this), nobody can get your token either.
"But I saw people stealing other people's tokens?" Well, they can steal your cookies too; in fact it is a popular and very harmful way of hacking social media accounts. Since cookies are stored locally, if I had access to your computer I could steal them, and with those cookies I could say "Hey X platform! I'm that logged-in user, here is my cookie. Totally legit. Give me access." Ta-da! I now have access to your account without you noticing. It didn't ask for any email verification and it didn't require any 2FA.
"Okay cookies are cool but can we get to the point, how do they steal Discord tokens?"
Types of Discord Hacks:
How do Discord hacks take place? Generally through social engineering, exploiting the lack of awareness of Discord users and server managers. Attackers use all sorts of techniques, but the main ones are phishing, self-bots (abusing the Discord API), account-crawlers and raiders, API hacking, and technical hacking.
Phishing
The one obvious way to steal your token is through Discord phishing. Say you thought you were getting free Nitro and typed your login information into a "scruffy but similar to Discord" website; that was phishing. Once you are phished, they use the information you gave them to log in to your account and obtain the access token themselves.
The other way is executing some sort of code by compromising your PC, web browser, or Discord console to get that sweet "Discord account token" that is stored locally.
Self-bots
A self-bot is a normal Discord account that is automated and talks directly to Discord's API instead of going through the application like you and I do. Hence the name "self-bot": you are using your own account as a bot instead of using a "Bot Account".
That lets them automate anything the API allows for a user account, and the same tooling drives real bot accounts, which can use bot-exclusive features such as buttons, select menus, embeds and hyperlinks (message components are only available to bot accounts, not to a plain user token, so attackers typically run a mix of self-bots and bot accounts). With this, they generally create a pool of self-bots and use Discord's API to launch attacks on users.
Account-crawlers and raiders
An account-crawler is like a web crawler on the Internet. Instead of discovering new websites, it discovers Discord accounts: it starts from one compromised Discord account, uses it to reach as many accounts as possible (the account's friends, the members of the servers it is in, and so on), compromises those, and repeats the process from each newly hacked account, growing indefinitely.
Raiders, on the other hand, are an army of malicious accounts that generally operate in groups of 100, 200, 500 or 1000 members. They are given a server or a list of servers to attack and all strike at the same time, a.k.a. raiding. So if you see a strange spike in your member-join logs and all those joins fall within the same one or two minutes, it is very likely that you are being raided.
As for the attacks themselves, they either collectively DM the members of the server or post malicious messages in every channel to trick whoever reads that channel. These are the two main types of attack, but they can get creative.
But how do they trick Discord users? (Spoiler: it involves abusing the API and the features of normal bot accounts.)
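The join-spike heuristic described for raids, as an added example that is not part of the original article: a small Python detector over a constructed member-join log (the timestamps and user IDs are made up). It slides a two-minute window over the joins and reports any window holding at least `threshold` joins; the threshold of 5 is only chosen to keep the sample short, and a real server would tune it to its normal join rate.

```python
from collections import deque
from datetime import datetime, timezone

# Constructed sample of a member-join log: "<ISO-8601 UTC timestamp> <user id>".
# Every entry is made up for the example. Six accounts join within one minute
# at 12:30, surrounded by a normal trickle of joins.
SAMPLE_JOIN_LOG = """\
2024-03-01T12:00:05Z 100000000000000001
2024-03-01T12:07:41Z 100000000000000002
2024-03-01T12:30:02Z 100000000000000003
2024-03-01T12:30:03Z 100000000000000004
2024-03-01T12:30:05Z 100000000000000005
2024-03-01T12:30:09Z 100000000000000006
2024-03-01T12:30:14Z 100000000000000007
2024-03-01T12:30:55Z 100000000000000008
2024-03-01T13:02:10Z 100000000000000009
"""


def parse_join_log(text):
    """Parse log lines into a time-sorted list of (timestamp, user_id)."""
    joins = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, user_id = line.split()
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        joins.append((ts, user_id))
    joins.sort()
    return joins


def detect_raids(text, window_seconds=120, threshold=5):
    """Return join bursts: windows of `window_seconds` holding >= `threshold` joins.

    Overlapping windows are merged into one burst so a single raid is reported
    once, together with the full set of accounts that took part.
    """
    window = deque()  # joins inside the current sliding window
    bursts = []
    for ts, user_id in parse_join_log(text):
        window.append((ts, user_id))
        # Drop joins that have fallen out of the window.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) < threshold:
            continue
        start = window[0][0]
        members = {uid for _, uid in window}
        if bursts and bursts[-1]["end"] >= start:
            # Still the same burst: extend it instead of reporting it again.
            bursts[-1]["end"] = ts
            bursts[-1]["members"] |= members
        else:
            bursts.append({"start": start, "end": ts, "members": members})
    return bursts


if __name__ == "__main__":
    for burst in detect_raids(SAMPLE_JOIN_LOG):
        span = (burst["end"] - burst["start"]).total_seconds()
        print(f"possible raid: {len(burst['members'])} joins in {span:.0f}s "
              f"starting {burst['start'].isoformat()}")
```

On the sample this reports one burst of six accounts over 53 seconds. The join rate alone is a coarse signal; a production detector would combine it with other features of the joining accounts, which this example leaves out.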
API hacking
SophosLabs also found that Discord is prone to "malware that leveraged Discord chatbot APIs for command and control, or to exfiltrate stolen information into private Discord servers or channels." Normal users only reach the API through the official application, which limits what they can do, but malicious accounts call Discord's API directly to extend the abilities of a normal account. Examples include:
- Tricking users into believing a message comes from Discord itself, because bot messages can carry buttons
- Building embeds and all sorts of fancy messages through the API to imitate official Discord messages
- Impersonating server administrators by detecting which members hold moderation or admin permissions and copying their profile pictures
It is important to note that most hacks involve a human element: 82% of them, to be precise.
Technical hacking
This is generally done by exploiting Discord's own features and services, such as stealing webhook URLs or abusing Discord's Content Delivery Network (CDN) to disguise a malicious file as a legitimate-looking link. Hosting files on the CDN (the cdn.discordapp.com links) tricks people into clicking on malicious links. Technically, it is another form of social engineering.
Why? The reason is very simple. When you upload a file to Discord, right-click on it and copy the link, you get a URL on Discord's own domain. Users, especially those who are not too tech-savvy, can be fooled into thinking the URL must therefore be credible and safe.
The links are often disguised as cracked versions of games, cryptocurrency rewards, NFT drops and so forth. You get the idea. The payload works the same way in every case; only the facade changes. In reality, the masked file could be any kind of malware, such as a Monero mining bot.
Sometimes the domain name in the message doesn't even spell Discord correctly (for example "discocrd.gift" or "discocrd-app.info"), and the hacker is waiting for someone who skims the link and clicks it. The link may also take you to another messaging app to lure you in (another red flag). More recently, Discord Nitro scams have been spreading across the platform; these hackers relied on the hype around Epic Games giving away free Discord Nitro for one month.
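The two link tricks above, a look-alike domain such as "discocrd.gift" and a malicious file served from cdn.discordapp.com, can both be caught by a simple classifier. The following Python is an added example, not tooling from the article: the allowlist of official Discord domains and the list of risky file extensions are this example's own assumptions to adapt, and the sample URLs are constructed.

```python
import os
import re
from urllib.parse import urlparse

# Assumption: domains treated as Discord's own. Extend from Discord's docs if needed.
OFFICIAL_DOMAINS = {"discord.com", "discord.gg", "discord.gift", "discordapp.com", "discordapp.net"}
# Hosts on official domains whose content is uploaded by arbitrary users.
USER_UPLOAD_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
BRAND = "discord"
# Assumption: extensions an ordinary user should never be handed via a Discord link.
RISKY_EXTENSIONS = {".exe", ".scr", ".msi", ".bat", ".cmd", ".js", ".vbs", ".jar", ".zip", ".rar", ".7z"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-letter-off brand look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return one of: official, user_upload, user_upload_executable, lookalike, unknown."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Naive registrable-domain guess (last two labels): fine for .com/.gift,
    # wrong for suffixes like .co.uk, where a public-suffix list is needed.
    registered = ".".join(labels[-2:])
    if registered in OFFICIAL_DOMAINS:
        if host in USER_UPLOAD_HOSTS:
            # Official domain, but the file behind it came from some user.
            ext = os.path.splitext(parsed.path)[1].lower()
            return "user_upload_executable" if ext in RISKY_EXTENSIONS else "user_upload"
        return "official"
    # Not Discord: does any label (or dash-separated piece of one) imitate the brand?
    for label in labels:
        for token in re.split(r"[-_]", label):
            if token and edit_distance(token, BRAND) <= 1:
                return "lookalike"
    return "unknown"


# Constructed sample links (paths and file names are made up).
SAMPLE_LINKS = [
    "https://discord.com/nitro",
    "https://discocrd.gift/claim",
    "https://discocrd-app.info/login",
    "https://discord.evil.example/verify",
    "https://cdn.discordapp.com/attachments/111/222/Game_Crack_2024.exe",
    "https://cdn.discordapp.com/attachments/111/222/screenshot.png",
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_url(link):24} {link}")
```

The distance check only catches ASCII typo-squats; homoglyph and punycode (xn--) domains need a separate check, and a "user_upload" verdict on an image or archive still says nothing about what the file does, only that Discord's domain is not a reason to trust it.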
How to protect against Discord hacks
It is important to protect yourself and your server from these types of hacks, as they can prove costly. Scamming is already known to be rife on Discord. As the old mantra goes, prevention is better than cure, and that applies to Discord hacks and scams too.
What can Discord moderators do to protect their channels and community?
Discord moderators and Community Managers need to:
- Stay informed
- Be proactive
- Ban or block every malicious person and link in the server
- Constantly inform the members of the server
- Install reliable security bots
The best security is generally self-security, but self-security isn't scalable and depends on humans, which is bad. Because of this we need competent managers, settings and systems in Discord servers. The most important step is informing and educating the managers, because proper Discord server settings, permissions and roles are necessary, and if a manager isn't informed, the permissions, roles and channels of a server will probably be poorly set up.
A well-experienced manager should set up all the needed security systems, Discord bots (but not too many: every bot you add is another point of failure if done poorly) and permissions, and should manage them well. He or she should also understand what each bot needs and grant only those permissions instead of blasting it with "administrator". Especially in big servers and projects, if there are no security experts or decent managers, the server slowly falls apart.
They should understand:
- How the hierarchy system on Discord works
- What webhooks are and why no one should have access to them except a few trusted bots and managers in the server
- What every change in server permissions does
- How to set up a few security systems, such as verification gates. Separating outsiders from verified actual members matters: it eliminates a lot of raids, because unverified accounts can't DM the members of a server when they can't even see the member list until they are verified
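One concrete way to act on "grant only what the bot needs" and "nobody but a few trusted bots should touch webhooks": decode the `permissions` value in a bot's OAuth2 invite link before approving it. This Python is an added example, not code from the article or from Discord. The bit values are the ones in Discord's public permission documentation (only a subset is listed), the set of bits treated as high-risk is this example's own judgement, and the invite URLs and client IDs are constructed.

```python
from urllib.parse import parse_qs, urlparse

# Subset of Discord's documented permission bitfield (bit -> name).
PERMISSION_BITS = {
    1 << 0: "CREATE_INSTANT_INVITE",
    1 << 1: "KICK_MEMBERS",
    1 << 2: "BAN_MEMBERS",
    1 << 3: "ADMINISTRATOR",
    1 << 4: "MANAGE_CHANNELS",
    1 << 5: "MANAGE_GUILD",
    1 << 6: "ADD_REACTIONS",
    1 << 7: "VIEW_AUDIT_LOG",
    1 << 10: "VIEW_CHANNEL",
    1 << 11: "SEND_MESSAGES",
    1 << 13: "MANAGE_MESSAGES",
    1 << 14: "EMBED_LINKS",
    1 << 15: "ATTACH_FILES",
    1 << 16: "READ_MESSAGE_HISTORY",
    1 << 17: "MENTION_EVERYONE",
    1 << 28: "MANAGE_ROLES",
    1 << 29: "MANAGE_WEBHOOKS",
}
NAME_TO_BIT = {name: bit for bit, name in PERMISSION_BITS.items()}

# Assumption (this example's own policy): bits a community bot should rarely need.
HIGH_RISK = {
    "ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES", "MANAGE_WEBHOOKS",
    "MANAGE_CHANNELS", "BAN_MEMBERS", "KICK_MEMBERS", "MENTION_EVERYONE",
}


def decode_permissions(value):
    """Map a permissions integer to the list of named bits it sets, lowest bit first."""
    return [name for bit, name in sorted(PERMISSION_BITS.items()) if value & bit]


def permissions_for(names):
    """Inverse: the minimal integer granting exactly the named permissions."""
    return sum(NAME_TO_BIT[name] for name in set(names))


def audit_invite(url):
    """Inspect the permissions a bot invite link asks for.

    Returns {"permissions": int, "granted": [...], "flagged": [...], "verdict": str}
    where verdict is "administrator", "high-risk" or "ok".
    """
    query = parse_qs(urlparse(url).query)
    value = int(query.get("permissions", ["0"])[0])
    granted = decode_permissions(value)
    flagged = [name for name in granted if name in HIGH_RISK]
    if "ADMINISTRATOR" in granted:
        # ADMINISTRATOR implies every other permission and bypasses channel overrides.
        verdict = "administrator"
    elif flagged:
        verdict = "high-risk"
    else:
        verdict = "ok"
    return {"permissions": value, "granted": granted, "flagged": flagged, "verdict": verdict}


# Constructed invite links (the client_id is made up).
SAMPLE_INVITES = [
    "https://discord.com/oauth2/authorize?client_id=123456789012345678&permissions=8&scope=bot",
    "https://discord.com/oauth2/authorize?client_id=123456789012345678&permissions=805306368&scope=bot",
    "https://discord.com/oauth2/authorize?client_id=123456789012345678&permissions=84992&scope=bot",
]

if __name__ == "__main__":
    for link in SAMPLE_INVITES:
        result = audit_invite(link)
        print(f"{result['verdict']:13} {result['permissions']:>10}  {', '.join(result['granted'])}")
```

The three samples come out as "administrator" (permissions=8), "high-risk" (MANAGE_ROLES plus MANAGE_WEBHOOKS) and "ok" (view, send, embed, read history). The invite value is only what the bot asks for at install time; the role Discord creates for it can be edited later, so the same audit is worth repeating on the bot's role in Server Settings.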
It is important that you protect your crypto Discord community – or any Discord community in general – from being scammed or hacked.
If you need more information on how to moderate a Discord server, Discord itself runs an insightful Discord Moderator Academy, which guides anyone looking to moderate a Discord server.
What can Discord users do to protect themselves from scams?
On the other hand, there are a few things a user can do:
- Be careful what files you download from Discord
- Don't click on suspicious links (especially if one looks like a legit Discord URL)
- Don't enter your Discord login information anywhere other than discord.com
- Don't copy-paste code into your Discord console to unlock some "privileged" features of Discord
- Always question spooky messages from friends, because their account could be compromised without them even realising
- Don't screen share or send screenshots to people you don't know
- Hang out in safe communities
- Always close your DMs for a server in the privacy settings of that server
Most server moderators never DM you; they always operate from inside their server. So be vigilant when someone claims they are a Mod, an Admin, or from Discord.
Also, be very careful when a website asks to connect your wallet, even if it comes from a trustworthy source, because that source could itself be compromised, as in the OpenSea Discord incident. There, the hackers used webhooks in the announcement channels to disguise their malicious messages as legitimate OpenSea bot messages and posted a scam along the lines of "OpenSea has partnered with X. Go get X!", and a lot of people were scammed that day.
Discord hacking can get creative, but with a well-set-up server you can minimise the chances of being hacked, phished and so forth. It only takes a bit more vigilance to stop people from hacking your Discord.