Check Point Research has uncovered a sophisticated phishing campaign that leverages Discord to target cryptocurrency users.
The attack redirects victims from legitimate Web3 websites to a fake Collab.Land bot and then to a phishing site, ultimately tricking them into signing malicious transactions.
This campaign has been directly linked to the notorious Inferno Drainer, which has continued operations despite publicly announcing its shutdown in late 2023.
The combination of advanced technical sophistication and convincing social engineering has led to significant financial losses across the cryptocurrency ecosystem.
Despite publicly announcing its closure in November 2023, Inferno Drainer has remained fully operational, with evidence showing that critical smart contracts deployed in September 2023 are still actively used today.
This “Drainer-as-a-Service” business model provides cyber criminals with specialized malicious scripts, smart contracts, and infrastructure to efficiently steal cryptocurrency from users’ wallets.
Researchers estimate that in just the past six months, more than 30,000 wallets have been compromised, resulting in losses exceeding $9 million.
The persistence of Inferno Drainer stems from its continuous technical evolution.
Recent campaigns show significant upgrades in infrastructure and obfuscation techniques. The service employs advanced anti-detection tactics, including single-use and short-lived smart contracts, on-chain encrypted configurations, and proxy-based communication strategies.
These methods effectively bypass wallet security mechanisms and anti-phishing blacklists, allowing the operation to continue despite increased security measures across the cryptocurrency ecosystem.
Discord Invitation Hijacking and OAuth2 Exploitation
The attack flow begins when users attempt to access a Discord support server from a legitimate Web3 project’s website.
Instead, they are redirected to a phishing site impersonating the popular Collab.Land authentication service.
The attackers exploit expired vanity invite links from Discord servers that have lost their Level 3 Boost status, allowing them to claim previously legitimate invite links that might still be shared in announcements or social media posts.
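
Project maintainers can catch the hijack described above by auditing the invite links their own site publishes. The sketch below is an added example, not code from the Check Point report: the `resolve` lookup, the guild IDs and the sample markup are constructed assumptions, and a live check would look each code up through Discord's `GET /invites/{code}` endpoint.

```python
import re

# Matches discord.gg/<code> and discord.com/invite/<code> (plus legacy discordapp.com).
INVITE_RE = re.compile(
    r"https?://(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)",
    re.IGNORECASE,
)

def extract_invite_codes(html):
    """Return unique invite codes in order of first appearance."""
    seen = []
    for code in INVITE_RE.findall(html):
        if code not in seen:
            seen.append(code)
    return seen

def audit_invites(html, expected_guild_id, resolve):
    """Classify every Discord invite link found in a page.
    resolve(code) is an injected lookup (assumption): it returns the invite
    object as a dict, or None when the invite no longer exists. A live
    version would query Discord's GET /invites/{code} endpoint.
    """
    findings = {}
    for code in extract_invite_codes(html):
        invite = resolve(code)
        if invite is None:
            # Lapsed link: a released vanity code can be claimed by another server.
            findings[code] = "DEAD"
        elif (invite.get("guild") or {}).get("id") != expected_guild_id:
            # Link resolves, but to a server the project does not own.
            findings[code] = "FOREIGN_GUILD"
        elif invite.get("expires_at"):
            # Temporary invite: it will lapse and leave a stale link behind.
            findings[code] = "EXPIRING"
        else:
            findings[code] = "OK"
    return findings

# Constructed sample data: the markup, codes and guild IDs are made up.
SAMPLE_HTML = '''
<a href="https://discord.gg/exampledao">Support</a>
<a href="https://discord.com/invite/Ab12Cd">Community</a>
<a href="https://discord.gg/oldvanity">Announcements</a>
<a href="https://discord.gg/tmpXy9">AMA</a>
'''
SAMPLE_INVITES = {
    "exampledao": {"guild": {"id": "111"}, "expires_at": None},
    "Ab12Cd": {"guild": {"id": "999"}, "expires_at": None},
    "tmpXy9": {"guild": {"id": "111"}, "expires_at": "2030-01-01T00:00:00+00:00"},
}
```

Calling `audit_invites(SAMPLE_HTML, "111", SAMPLE_INVITES.get)` returns a status per code; anything other than `OK` is a link to replace or remove from the site and from old announcements.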

The fake Collab.Land bot appears nearly identical to the legitimate service, with the most critical difference being the absence of a “Verified App” checkmark.
When users click the “Let’s go” button, they are redirected to a malicious website through a sophisticated OAuth2 authentication flow that collects the victim’s Discord username and avatar.

According to the report, this phishing site mimics the legitimate Collab.Land interface and prompts users to connect their wallets and sign malicious transactions.
To evade detection, the attackers implement short-lived tokens and rapidly rotate phishing domains.
The URLs typically remain valid for only five minutes, after which any attempts to access them result in error messages.
This technique, combined with the requirement for a valid OAuth2 authorization code, makes identifying the phishing websites extremely challenging for security researchers.
Protecting Your Cryptocurrency Assets
To minimize the risk of falling victim to such sophisticated attacks, cryptocurrency users should implement several security practices.
First, carefully verify the addresses and domains of websites before connecting wallets, using browser bookmarks instead of clicking on links from untrusted sources.
When interacting with Discord bots, ensure they have a “Verified App” status, which distinguishes legitimate services from imitations.
Never rush through wallet transactions; take extra time to confirm the details before signing.
The legitimate Collab.Land service explicitly informs users that they only need to sign a message, not authorize blockchain transactions or pay gas fees.
For testing new projects or participating in token airdrops, use a separate “burner wallet” with minimal balances.
Cryptocurrency scams continue to evolve in sophistication, with attackers implementing increasingly advanced techniques to bypass security measures.
As these threats become more technically complex, maintaining vigilance and implementing strong security practices remains essential for protecting digital assets.