Uptick in Discord Token Hijacking Attacks

Good day everyone,

We have receive several reports of a sudden uptick in token hijacking attacks like the one that hit a few of our community about 3 months back. It seems the hack is spreading rapidly at the moment so we wanted to take some time to remind everyone to be careful and go over some of the information we have from the last attack and this one.


The attack in question works by stealing tokens from your web browsers and discord directories. Once it has these tokens and files the variant we analyzed would send the data back to a discord the attacker controlled through a web hook. It would then use the token to buy nitro if you had a credit card tied to your discord and then message friends and other users in servers the compromised user was in asking them to test their game.

The reason it spreads so well is the script will simulate a conversation making it appear as if you are talking to a real person.

How to Protect Yourself

In general the attack is more of a social engineering attack then a technical one, relying on tricking the user into running the program then any vulnerability. Due to this the best defense is common sense. Take a look at the message and ask yourself if the user would be sending you a message to test their game out of nowhere.

Also, since the scripts rely on prescripted responses, asking for more details can help expose if this is an attack or not as it will not be able to give a good or understandable answer in most cases.

Also, since the scripts rely more on tricking the user antivirus software is not likely to pick it up so do not rely on virus scans.


Current Attack

We do not have a ton of details on the current attack as no user has been able to send us the script in question yet. What we do know though is the MO of the attack is almost exactly the same. A DM asking a user to test a game resulting in token hijacking. There are some reports that it also crashes discord after running but we have not been able to confirm this report.

There is also a possibility that this version of the attack is JavaScript based instead of a Python script. Along with this it may have been modified to target a wider range of browsers then the last attack but without the script we can not confirm either claim.

Last attack

The last attack was a python script that would do 3 things when ran:

  1. Start a game
  2. Copy itself to your start directory as system.py
  3. Copy any tokens it can find

It targeted the following browsers:

  • Chrome
  • Opera
  • Brave
  • Yandex

It steals all keys and passwords it can find within those browsers so all accounts should be considered compromised.

If you have any further information or versions of the script. Feel free to DM me and I will update this post with more recent information as I get it.