{
	"id": "5e4e0f09-2269-4d6d-89a7-331bd1818eeb",
	"created_at": "2026-04-06T00:09:13.258142Z",
	"updated_at": "2026-04-10T03:22:01.666327Z",
	"deleted_at": null,
	"sha1_hash": "9cf8bc623571581c731f43e0cbdf85a3cbee3575",
	"title": "Discord Admins Hacked by Malicious Bookmarks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 420024,
	"plain_text": "Discord Admins Hacked by Malicious Bookmarks\r\nPublished: 2023-05-31 · Archived: 2026-04-02 11:50:59 UTC\r\nA number of Discord communities focused on cryptocurrency have been hacked this past month after their administrators\r\nwere tricked into running malicious Javascript code disguised as a Web browser bookmark.\r\nThis attack involves malicious Javascript that is added to one’s browser by dragging a component from a web page to one’s\r\nbrowser bookmarks.\r\nAccording to interviews with victims, several of the attacks began with an interview request from someone posing as a\r\nreporter for a crypto-focused news outlet online. Those who take the bait are sent a link to a Discord server that appears to\r\nbe the official Discord of the crypto news site, where they are asked to complete a verification step to validate their identity.\r\nAs shown in this Youtube video, the verification process involves dragging a button from the phony crypto news Discord\r\nserver to the bookmarks bar in one’s Web browser. From there, the visitor is instructed to go back to discord.com and then\r\nclick the new bookmark to complete the verification process.\r\nHowever, the bookmark is actually a clever snippet of Javascript that quietly grabs the user’s Discord token and sends it to\r\nthe scammer’s website. 
The attacker then loads the stolen token into their own browser session and (usually late at night\r\nafter the admins are asleep) posts an announcement in the targeted Discord about an exclusive “airdrop,” “NFT mint event”\r\nor some other potential money-making opportunity for the Discord members.\r\nhttps://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/\r\nPage 1 of 4\n\nThe unsuspecting Discord members click the link provided by the compromised administrator account, and are asked to\r\nconnect their crypto wallet to the scammer’s site, where it asks for unlimited spend approvals on their tokens, and\r\nsubsequently drains the balance of any valuable accounts.\r\nMeanwhile, anyone in the compromised Discord channel who notices the scam and replies is banned, and their messages are\r\ndeleted by the compromised admin account.\r\nNicholas Scavuzzo is an associate at Ocean Protocol, which describes itself as an “open-source protocol that aims to allow\r\nbusinesses and individuals to exchange and monetize data and data-based services.” On May 22, an administrator for Ocean\r\nProtocol’s Discord server clicked a link in a direct message from a community member that prompted them to prove their\r\nidentity by dragging a link to their bookmarks.\r\nScavuzzo, who is based in Maine, said the attackers waited until around midnight in his timezone before using the\r\nadministrator’s account to send out an unauthorized message about a new Ocean airdrop.\r\nScavuzzo said the administrator’s account was hijacked even though she had multi-factor authentication turned on.\r\n“A CAPTCHA bot that allows Discord cookies to be accessed by the person hosting the CAPTCHA,” was how Scavuzzo\r\ndescribed the attack. 
“I’ve seen all kinds of crypto scams, but I’ve never seen one like this.”\r\nIn this conversation, “Ana | Ocean” is a compromised Discord server administrator account promoting a phony airdrop.\r\nImportantly, the stolen token only works for the attackers as long as its rightful owner doesn’t log out and back in, or else\r\nchange their credentials.\r\nAssuming the administrator can log in, that is. In Ocean’s case, one of the first things the intruders did once they swiped the\r\nadministrator’s token was change the server’s access controls and remove all core Ocean team members from the server.\r\nFortunately for Ocean, Scavuzzo was able to reach the operator of the server that hosts the Discord channel, and have the\r\nchannel’s settings reverted back to normal.\r\n“Thankfully, we are a globally distributed team, so we have people awake at all hours,” Scavuzzo said, noting that Ocean is\r\nnot aware of any Discord community members who fell for the phony airdrop offer, which was live for about 30 minutes.\r\n“This could have been a lot worse.”\r\nOn May 26, Aura Network reported on Twitter that its Discord server was compromised in a phishing attack that resulted in\r\nthe deletion of Discord channels and the dissemination of fake Aura Network Airdrop Campaign links.\r\nOn May 27, Nahmii — a cryptocurrency technology based on the Ethereum blockchain — warned on Twitter that one of its\r\ncommunity moderators on Discord was compromised and posting fake airdrop details.\r\nOn May 9, MetrixCoin reported that its Discord server was hacked, with fake airdrop details pushed to all users.\r\nKrebsOnSecurity recently heard from a trusted source in the cybersecurity industry who dealt firsthand with one of these\r\nattacks and asked to remain anonymous.\r\n“I do pro bono 
Discord security work for a few Discords, and I was approached by one of these fake journalists,” the source\r\nsaid. “I played along and got the link to their Discord, where they were pretending to be journalists from the Cryptonews\r\nwebsite using several accounts.”\r\nThe source took note of all the Discord IDs of the admins of the fake Cryptonews Discord, so that he could ensure they were\r\nblocked from the Discords he helps to secure.\r\n“Since I’ve been doing this for a while now, I’ve built up a substantial database of Discord users and messages, so often I\r\ncan see these scammers’ history on Discord,” the source said.\r\nIn this case, he noticed a user with the “CEO” role in the fake Cryptonews Discord had been seen previously under another\r\nusername — “Levatax.” Searching on that Discord ID and username revealed a young Turkish coder named Berk Yilmaz\r\nwhose Github page linked to the very same Discord ID as the scammer CEO.\r\nReached via instant message on Telegram, Levatax said he’s had no involvement in such schemes, and that he hasn’t been\r\non Discord since his Microsoft Outlook account was hacked months ago.\r\n“The interesting thing [is] that I didn’t use Discord since few months or even social media because of the political status of\r\nTurkey,” Levatax explained, referring to the recent election in his country. “The only thing I confirm is losing my Outlook\r\naccount which connected to my Discord, and I’m already in touch with Microsoft to recover it.”\r\nThe verification method used in the above scam involves a type of bookmark called a “bookmarklet” that stores Javascript\r\ncode as a clickable link in the bookmarks bar at the top of one’s browser.\r\nWhile bookmarklets can be useful and harmless, malicious Javascript that is executed in the browser by the user is\r\nespecially dangerous. 
So please avoid adding (or dragging) any bookmarks or bookmarklets to your browser unless it was\r\nyour idea in the first place.\r\nSource: https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/"
	],
	"report_names": [
		"discord-admins-hacked-by-malicious-bookmarks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434153,
	"ts_updated_at": 1775791321,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9cf8bc623571581c731f43e0cbdf85a3cbee3575.pdf",
		"text": "https://archive.orkl.eu/9cf8bc623571581c731f43e0cbdf85a3cbee3575.txt",
		"img": "https://archive.orkl.eu/9cf8bc623571581c731f43e0cbdf85a3cbee3575.jpg"
	}
}