In the past month, several Discord communities focused on cryptocurrency have fallen victim to hacking incidents due to a sophisticated phishing attack. The attackers tricked community administrators into running malicious Javascript code disguised as a Web browser bookmark. The attack involved luring victims through interview requests from individuals posing as reporters from crypto-focused news outlets.
Victims were directed to fraudulent Discord servers for identity verification, where they were asked to complete a verification step that involved dragging a button to their browser bookmarks. Unbeknownst to the victims, this action added a snippet of malicious Javascript that stole their Discord tokens. The attackers then used the compromised administrator accounts to post announcements about fraudulent money-making opportunities, while banning and deleting messages from anyone who questioned the scam.
Nicholas Scavuzzo, an associate at Ocean Protocol, shared his experience where an Ocean Protocol Discord server administrator clicked on a phishing link, resulting in the compromise of their account. Despite having multi-factor authentication enabled, the attackers used a CAPTCHA bot to gain access to the administrator’s Discord cookies.
This allowed them to hijack the account and carry out unauthorized activities, such as promoting a fake Ocean airdrop. Although Ocean Protocol managed to mitigate the attack, changing the server’s access controls and removing team members, other Discord communities like Aura Network and Nahmii also reported similar compromises with fake airdrop campaigns being disseminated.
A cybersecurity industry source engaged in Discord security work encountered one of the fake journalist scams and obtained information about the scammers. The source discovered that a user with the “CEO” role in a fake Cryptonews Discord was associated with another username, “Levatax,” which led them to a Turkish coder named Berk Yilmaz.
However, Yilmaz denied involvement in the schemes, stating that his Microsoft Outlook account had been hacked, disconnecting him from Discord. This incident highlights the use of a malicious verification method involving bookmarklets, which store Javascript code as clickable links in the bookmarks bar. It is crucial for users to exercise caution and refrain from adding or dragging any bookmarks or bookmarklets to their browser unless they initiated the action themselves.
