
Dodging the Dangers of Discord


Oct 10th, 2022 - 10:31 am

Why is Discord so Dangerous?

I'm sure you've all heard the same things over and over again in Web3. “Discord is awful!”, “Our project will never use Discord due to security risks.”, or my personal favorite: “Just turn off DMs idiot.”.

The peanut gallery on Twitter comments vaguely and generally, without telling you WHY they feel this way. They don't tell you WHY direct messages are so dangerous. So, luckily, through the power of science, we've extracted the brain of one of these dangerous Web3 scammers, and we're going to take a look at their goals and their thought process, so you can understand that the real advice is not to turn off DMs; it is to never be alone with a scammer.

#1: A common misconception… DMs…

Turning off your DMs on Discord is good advice, but without an explanation of why, it leads to confusion and danger.

These same parrots usually won't tell you to turn off friend requests; they're already on their merry way to comment “gm” on Twitter for the 300th day in a row in a weird rain-dance-like ritual attempting to revive the bull market.

To know how to defend yourself against scammers it is often very helpful to think like a scammer. So let's look inside the scammer's brain and examine the thought process here: 

Somewhere deep inside the scammer's brain: We know the goal, we want to get access to their wallet, and there are going to be a number of different ways we will accomplish this, but there is one almost universal thing we need to accomplish… We need to get the victim alone.

That's right, if we can get the victim alone in some place with us, we can convince them that whatever scam we're running is legit. If we talk in a public marketplace some nosy Web3 bozo will come in and scream that we're running a scam! We can't have that.

Discord DMs will work extremely well for this. But what if a victim has their DMs closed… Well, there are ways around that…

  1. Twitter messages! - Yup. That's right, a Twitter message isn't safe either. While there is a little more safety since you can check mutual followers, etc., all of that can be faked with a seasoned account, or even worse, it could be a compromised Twitter account!
  2. Discord friend requests - Anyone who is your Discord friend can bypass your “turn off DMs” setting. So instead of sending you a DM… they just send a friend request. Additionally they might politely ask you to add them as a friend from a public marketplace (legit traders will do this too!).
  3. Low volume Discord servers - If you talk in an infrequently used channel, thread, or server, there is less chance of someone else getting involved.
  4. Private threads or support tickets - There is a potential for a scammer to abuse a support ticket or a private thread to get a victim into a room together somewhat alone.
  5. This last one can be incredibly deadly… your existing friends. Scammers, if they compromise your friend's Discord account, can convince you to send money, or participate in a mint… or do anything, because you trust your friend… DO NOT TRUST ANYONE. Be suspicious of every interaction you have, even if your best friend in the world is talking to you.

So, the lesson we have learned above: be extremely careful talking to anyone in a private location. It doesn't matter what platform: Twitter, Telegram, Discord, hell, maybe even Tinder? Scammers could have found you and targeted you there, and in private locations the scam can commence without outside interference.

#2 How do we find the mark…

There is a very common phrase that unnamed conmen have been using for centuries, “there's a sucker born every minute.”

This is very much the case in Web3. With a space as new as this, and it also being the entry point to crypto for a lot of folks, Web3 is a target-rich environment. Also consider the fact that all it takes is two easy clicks on a malicious website for a scammer to walk away with thousands of dollars' worth of ill-gotten rewards.

So let's look at who the best targets are, and how to avoid becoming one of them.

Deep inside the scammer's brain: Ok, we need a big target. We aren't targeting everyone, we aren't a tax-loss harvesting service. We want blue chip NFTs, we want defi tokens, we want raw ETH. Things that are easy to sell, easy to move, need to eventually buy more Robux after all. We also need people who are new, easier marks…

So, scammers will often look for people that are flashing large sums of money stored in one location: people posting screenshots of a large amount of ETH in their MetaMask, people with a public ENS wallet that has a ton of Bored Apes in it, and of course, targeting people based on what their profile picture is.

Even if you use a Ledger, if you use it regularly and sign transactions with it often, you are a major target.

You can participate in the risky behavior mentioned above, but if you do you're at a higher risk of being targeted - so take more precautions, keep up to date on current scams.

Additionally, these scammers will watch Discord channels and target people who ask beginner questions, post that they're new, or even worse: announce that they've just been scammed.

People who have just been scammed are retargeted, sometimes by new scammers, who use that fear and uncertainty clouding the victim's judgement to direct them to a fake revoke.cash website, or a fake service to help them ‘recover’ their funds. Cryptocurrency and by extension, NFTs, are irreversible. You can track where the funds go and just maybe get a portion of them back from a centralized exchange, but usually only a sliver of what was taken.

Discord's servers, when communicating with the Discord client, provide a lot more information than what is shown. Attackers can abuse the information given to gain insights such as a full list of members in a Discord, what roles they all have, any mutual servers they might be in. With every single NFT server having some equivalent of a holder's role, the attackers can easily know you have an NFT that is valuable, and even generate long lists of high value targets.

Always assume scammers are operating with more information than you have: by abusing Discord's platform they will know plenty about you, while you have no such advantage over them.

But in essence, with the amount of targets out there, and with some scammers using automated bot-based scam attempts, every user in Web3 is a target.

#3 How to make them actually believe it… Trust…

Now that a target is in a room, alone with a scammer… how do you get a scam to work?

Just linking to a wallet drainer website doesn't work most of the time… so how can the scammer maximize the chance that a victim will, well, become a victim?

Inside the scammer's brain: There are a couple ways we can get them to click on our fakemint.com link… but we need to establish some things first. We need them to trust us somehow, luckily we have a couple tricks we can use to ensure that trust…

The first trick in a scammer's arsenal is to establish trust. There are a number of ways a scammer will do this; cons can be short or long. Discord can help a scammer establish misplaced trust in a number of ways:

Impersonation: Discord accepts a wide number of characters in a username. Because of this, scammers can impersonate a person's username on Discord, with the same #1111 numbers at the end, with pixel perfect accuracy. 

The things scammers cannot impersonate are previous shared direct messages, or private notes you enter on a Discord account's profile. So always double check the person you're talking to is actually them. If you're ever in doubt, talk to them on a secondary line of communication, maybe over Twitter. More on impersonation here:

🚨🚨🚨 Discord Security Tip 🚨🚨🚨 

I've been thinking a lot about impersonation attacks the last few days.  

It is common for phishers to pose as a team member to try to scam normal users. 

Let's dig into it a little. h/t to @crystalgroves for alerting me to this impersonator: pic.twitter.com/kQ7GKb0OgK

— Jon_HQ (@Jon_HQ) May 30, 2022
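The look-alike usernames described above are something a server's mod team can screen for mechanically rather than by eye. The following is an added example, not code from the original post or from Boring Security: it reduces a username to a comparison "skeleton" (compatibility normalization, accent and invisible-character stripping, case folding, a look-alike map) and checks it against a team roster. The small look-alike table and the `TEAM_ROSTER` entries are constructed assumptions, and the `#tag` handling follows the `Name#1234` format the post describes.

```python
import unicodedata

# Constructed look-alike table (added example, not the post's code). Real
# tooling should use the Unicode confusables data (UTS #39); this subset
# covers the Cyrillic letters most often swapped for Latin ones.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0443": "y",  # Cyrillic у
    "\u0445": "x",  # Cyrillic х
    "\u0456": "i",  # Cyrillic і
    "\u0458": "j",  # Cyrillic ј
    "0": "o",       # digit zero standing in for the letter o
    "1": "l",       # digit one standing in for the letter l
    "|": "l",
}

# Constructed roster of the real team handles, as a mod team might keep it.
TEAM_ROSTER = {"TeamLead#1111": "Founder", "Support_Sam#2048": "Moderator"}


def split_handle(handle):
    """'Name#1234' -> ('Name', '1234'); a handle without a tag gets ''."""
    name, sep, tag = handle.rpartition("#")
    return (name, tag) if sep else (handle, "")


def skeleton(name):
    """Reduce a username to a comparison key: fold compatibility forms
    (full-width letters), strip accents, case-fold, map look-alikes to
    their Latin target, then drop invisible characters and spaces."""
    text = unicodedata.normalize("NFKC", name)
    text = "".join(ch for ch in unicodedata.normalize("NFD", text)
                   if not unicodedata.combining(ch))
    text = text.casefold()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    # Zero-width/format characters (Cf) and spaces (Zs) carry no visible
    # difference to a reader, so they must not defeat the comparison.
    return "".join(ch for ch in text
                   if unicodedata.category(ch) not in ("Cf", "Zs"))


def check_handle(candidate, roster=TEAM_ROSTER):
    """Classify a handle against the roster:
    'verified'        exact roster match
    'impersonation'   same skeleton and same #tag as a team member, but a
                      different string (look-alike or hidden characters)
    'lookalike-name'  same skeleton, different #tag
    'unknown'         no resemblance to anyone on the roster"""
    if candidate in roster:
        return "verified"
    cand_name, cand_tag = split_handle(candidate)
    cand_key = skeleton(cand_name)
    for handle in roster:
        name, tag = split_handle(handle)
        if skeleton(name) == cand_key:
            return "impersonation" if tag == cand_tag else "lookalike-name"
    return "unknown"


if __name__ == "__main__":
    for h in ["TeamLead#1111", "Te\u0430mLead#1111", "Team\u200bLead#1111",
              "\uff34eamLead#1111", "TeamLead#4242", "alice#0001"]:
        print(repr(h), "->", check_handle(h))
```

A bot running this over join events or DM reports would hand the `impersonation` and `lookalike-name` results to a human. Note what `verified` does and does not mean: the string matches the roster exactly, which, as the post says next, still tells you nothing about whether the real account behind it has been compromised.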

Compromise: There's no need to impersonate a person if you can get access to their actual account. Discord accounts are extremely easy to compromise. Without getting into too much detail, all an attacker needs access to is a string of normally unencrypted characters, called your Discord Token, to be able to send and receive messages as that user account.

If your Discord Token is ever compromised, simply reset your password to invalidate it and generate a new one. The various scams attackers use to get access to your Discord Token are an article in themselves, but they usually involve a victim running a malicious EXE, JavaScript, bookmark, or Chrome extension, or touching something inside of developer tools. With how many Discord account compromises occur, do not trust everything, even from people's actual accounts!

This applies to the actual Discord servers as well. Hundreds of NFT projects have had their Discord Server compromised and malicious links posted in the official announcement channels. Be suspicious of every message you read on Discord. More on Discord Token phishing here: 

Were you aware that the average NFT Discord has over 12 users with Mod or Team level perms? An infographic thread 🧵 pic.twitter.com/mOYcYXMOrp

— Jon_HQ (@Jon_HQ) March 2, 2022

Fake Validation: Scammers will represent themselves well, they'll claim to be from an NFT project you've heard of, they'll link you to the project's Twitter account, it'll have 70,000 followers on Twitter… but it'll be a fake Twitter account. Always research people and projects yourself, don't rely on linked Twitter accounts or links in a profile to find the project. 

Links hiding as legit links: There are a couple tricks scammers can use to let you see the right link on Discord's client, but you'll be redirected to a different website when you click it. Always check where you end up on a website if you have to click a link, or even better yet: type any important URL into your browser yourself.
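Discord's markdown lets a message show one URL as the visible text of a link while pointing somewhere else (a masked link, `[shown](real)`), and look-alike or punycode hostnames can hide a different domain in plain sight. As an added example, not part of the original post or of Boring Security's tooling, here is the check a moderation bot could run over the raw markdown of each message before it is rendered: it flags masked links whose visible host differs from the real host, punycode (`xn--`) hosts, and non-ASCII hosts. The sample message and its hostnames are constructed (`.test` domains and a placeholder punycode label), and it assumes the bot sees raw message text rather than the rendered link.

```python
import re
from urllib.parse import urlparse

# Discord-style masked link: [visible text](https://real-target). The
# optional <...> around the URL is the syntax that suppresses embeds.
MASKED_LINK = re.compile(r"\[([^\]]+)\]\(\s*<?(https?://[^\s)>]+)>?\s*\)")
BARE_URL = re.compile(r"https?://[^\s<>()\]]+")
# A label that a reader would take for a URL or a bare domain.
URL_LIKE_LABEL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


def host_of(url):
    """Lower-cased hostname of a URL, or None if it cannot be parsed."""
    try:
        return urlparse(url).hostname
    except ValueError:
        return None


def shown_host(label):
    """Hostname the reader *thinks* they are clicking, if the visible label
    looks like a URL or domain; None for plain wording such as 'mint here'."""
    label = label.strip()
    if not URL_LIKE_LABEL.match(label):
        return None
    return host_of(label if "://" in label else "https://" + label)


def host_findings(host):
    """Hostname-level red flags that apply to any URL, masked or not."""
    out = []
    if host.startswith("xn--") or ".xn--" in host:
        out.append(("punycode-host", None, host))   # IDN in encoded form
    elif not host.isascii():
        out.append(("non-ascii-host", None, host))  # IDN in raw form
    return out


def audit_message(text):
    """Return a list of (kind, shown_host, real_host) findings for one message."""
    findings = []
    for m in MASKED_LINK.finditer(text):
        shown, real = shown_host(m.group(1)), host_of(m.group(2))
        if real is None:
            continue
        if shown and shown != real:
            findings.append(("masked-link-mismatch", shown, real))
        findings.extend(host_findings(real))
    # Bare URLs outside masked links still get the hostname checks; the
    # masked spans are blanked first so their targets are not counted twice.
    for url in BARE_URL.findall(MASKED_LINK.sub(" ", text)):
        host = host_of(url)
        if host:
            findings.extend(host_findings(host))
    return findings


# Constructed sample message (all domains reserved/placeholder, not real sites).
SAMPLE_MESSAGE = (
    "Mint is live! [https://opensea.io/collection/example]"
    "(https://mint-example.test/claim) "
    "mirror: https://xn--example-placeholder.test/ "
    "or https://\u043epensea.io/collection/example "
    "official: https://opensea.io/collection/example"
)

if __name__ == "__main__":
    for finding in audit_message(SAMPLE_MESSAGE):
        print(finding)
```

The first finding is the one the post warns about: the reader sees `opensea.io` but the click goes to `mint-example.test`. The other two catch the cases where the visible and real hosts are the same string yet still not the domain the reader assumes, which is why the post's advice to type important URLs yourself remains the stronger control.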

#4 How to make them click it…

And the last bit, the biggest goal for the scammer is to get the victim to push back the nagging reminders not to click links, or not download things, to actually fall for the scam. Let's see what our scammer's brain thinks about that:

Inside the scammer's brain: The sheep keep not clicking the links we send them! We need them to stop THINKING. We need to get them emotional, we need to get them to feel like they need to click it… Luckily there are a couple ways to do that…

FOMO doesn't just apply to those projects you keep forgetting to mint, it can be used for malicious means. 

Scammers will use your emotions to get the better of you, here are some of their tricks:

Limited time offers: Always be suspicious of any offers sent to you that involve a time limit. Someone could be offering to trade an Ape, but they have another bidder who wants it now; the scammer is trying to get you to skip steps like verifying which contract their fake Ape NFT was actually minted from. If ANYONE ever tries to pressure you to speed up and do something quickly, do the reverse: slow the heck down and double check everything.

Free offers: If it sounds too good to be true, it probably is. If someone sent you something ‘for free’ but it requires you to deposit some funds first to withdraw it, it's a scam. People like to get free things, they like to feel like a winner, scammers will abuse this feeling to get victims to fall for their scam.

Fear: They will send a message that frightens you. Something like “a scammer got access to your wallet, go to this website to revoke their access.” People who are afraid, scared, do not take the time to check if a website is legitimate. If you read a message and it causes you some fright, take a deep breath, slow down, and think things through. 

Tiredness: Not really an emotion, but people tend to fall for things later at night when they're tired. Scammers will wait and watch, figure out your sleep pattern, and try to hit you at your lowest. Be very careful about using any social media late at night. Because of how Discord works with status, when you open up Discord, scammers can see that you've gone online, and they can use those status updates to track your sleep schedule. Even if you set your status to invisible, they can still roughly figure out your sleep schedule based on when you message on Discord or post tweets on Twitter.

In conclusion…

At this point you're probably noticing that a lot of the methods and lessons learned above don't apply only to Discord, and you're absolutely right.

Discord is a medium for communication, just like Twitter, like Telegram, like tons of other sites online. Any place another person can talk to you can lead to a scam. But to review the things that make Discord extra dangerous:

  1. Accounts are easy to impersonate
  2. Accounts are easy to compromise
  3. Malicious links can be easily disguised
  4. People can be easily reached through private direct messages
  5. Member lists are easily accessible giving a large amount of targets
  6. Discord status updates can reveal sleep schedules
  7. Ability to send malicious files directly

Be careful on every platform you use to talk to others, always double check, and never rush into anything. Be safe out there!

Have any questions or want to learn more about web3 security and stay up to date on the most current security information, scams, and tactics? Join us in our discord at https://discord.gg/boringsecurity .