
Hackers are hijacking expired or deleted Discord invite links, which are still posted on forums, social media, official websites, and elsewhere, security researchers warn. Accepting an invite could lead to a complete device compromise and crypto theft.
- Hackers steal expired Discord invite links to redirect users to malware.
- Over 1,300 crypto wallet thefts tracked using hijacked Discord invitations.
- Uppercase Discord links can be cloned with lowercase versions simultaneously.
Attackers are taking advantage of the Discord feature that lets users reuse expired or deleted invite links, according to a report by Check Point Research.
Users find legitimate invite links online that are no longer under the control of the person who originally created the invite.
“The attack tricks users with a fake verification bot and phishing site that look like legitimate Discord servers, leading victims to unknowingly run harmful commands that download malware on their computer,” the researchers warn in the report.
Hackers are also abusing other legitimate services to hide their malware. To avoid detection, the malware is delivered in multiple steps, and the downloads may come from GitHub, Pastebin, or other platforms.
The prime target for hackers is crypto wallets, and the malware is capable of stealing credentials and wallet information. Over 1,300 downloads have already been tracked across the US, Vietnam, France, Germany, and other countries.
How does this hack work?
Discord is an online communication platform very popular among video game players. It allows users to chat via text, voice, and video.
Check Point revealed that Discord’s invitation system is flawed. It allows hackers to hijack expired or deleted invite links through vanity (custom invite) link registration, redirecting users to malicious servers. These special URLs (links) can be crafted with a premium subscription.
“The mechanism for creating custom invite links surprisingly lets you reuse expired temporary invite codes, and, in some cases, deleted permanent invite codes,” the researchers explain.
“Once a temporary invite expires, its code can be registered as a custom invite for another Discord server that has Level 3 Boost.”
So, attackers are hunting for expired links on popular platforms to then re-register them as their own. For example, a legitimate server shares an invite link, which looks like https://discord.gg/<some characters>. When it is no longer active, anyone can reclaim the same invite and use it for their server.
There is another trick hackers abuse. Even when the invite code is active but contains uppercase letters, for example, “https://discord[.]gg/uzwgPxUZ,” attackers can register another invite link with all lowercase letters, “uzwgpxuz.” These two will coexist until the first link expires, at which point it will be automatically redirected to the lowercase one.
The rest of the attack chain is similar to other phishing schemes. Users are redirected to a phishing site, which tricks them into downloading malware or running malicious commands.
Recent real-world attacks compromised users with AsyncRAT and Skuld Stealer malware. AsyncRAT is an open-source Remote Access Trojan (RAT) that provides attackers with comprehensive remote control capabilities over infected systems. Skuld Stealer is designed to steal sensitive user data from Discord, various browsers, crypto wallets, and gaming platforms.

“By hijacking trusted links, attackers created an effective attack chain that combined social engineering with abuse of legitimate services like GitHub, Bitbucket, and Pastebin,” the researchers explain.
Check Point warns that this campaign isn’t static and evolves. Attackers periodically update their downloader to maintain a zero detection rate on VirusTotal. The threat actor adapts lures and tools when targeting different user groups.
While Discord has disabled the malicious bot used in this particular campaign, the core tactics remain viable, and other attackers can still easily register new bots exploiting the invite system.
“The safest option is to use permanent invites, which are more resistant to hijacking. In particular, if a permanent invite code contains any uppercase letters, it cannot be reused even after deletion,” the report suggests.
Meanwhile, Discord users should double-check the invite links: favor permanent ones, inspect if the link comes from an old post, tweet, or other source, and check the “verified App” badge before authorizing bots.
Check Point urges users to never run unknown commands on their computers, even from legitimate servers.
“No legitimate Discord server or verification process should require you to run PowerShell commands or paste anything into your system terminal.”
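For server owners and site maintainers, the advice above comes down to auditing every invite link already published. The following is an added example, not code from Check Point or Discord: it scans text for invite links and classifies each one against an inventory of invites the owner controls. The inventory format, verdict names, invite codes, dates and page text are all constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Invite URL forms; the code's letter case is preserved because it matters here.
INVITE_RE = re.compile(
    r"https?://(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)")

def audit_invites(text, inventory, now):
    """Classify each invite link found in `text`; returns {published_code: verdict}.
    inventory: {code: expiry datetime, or None if permanent} (assumed export format)."""
    by_lower = {code.lower(): code for code in inventory}
    verdicts = {}
    for code in INVITE_RE.findall(text):
        owned = by_lower.get(code.lower())
        if owned is None:
            # Expired, deleted, or never ours: the code may now belong to anyone.
            verdicts[code] = "not-owned"
        elif owned != code:
            # A differently-cased code is a different invite (lowercase-twin trick).
            verdicts[code] = "case-mismatch"
        elif inventory[code] is not None and inventory[code] <= now:
            verdicts[code] = "expired"
        elif inventory[code] is not None:
            # Still ours today, but reclaimable by others once it expires.
            verdicts[code] = "temporary"
        elif code == code.lower():
            # The report's no-reuse guarantee covers only codes with uppercase letters.
            verdicts[code] = "permanent-no-uppercase"
        else:
            verdicts[code] = "ok"
    return verdicts

# Constructed sample data: invite codes, dates and page text are made up.
NOW = datetime(2025, 6, 15, tzinfo=timezone.utc)
INVENTORY = {
    "Qm7TzKp2": None,                                        # permanent, has uppercase
    "h4v9xk2d": None,                                        # permanent, all lowercase
    "Wd3RfLs8": datetime(2025, 6, 20, tzinfo=timezone.utc),  # temporary, still valid
    "Jn5YbCe1": datetime(2025, 5, 1, tzinfo=timezone.utc),   # temporary, expired
}
PAGE_TEXT = """
Join us: https://discord.gg/Qm7TzKp2 or https://discord.com/invite/h4v9xk2d
Event chat: https://discord.gg/Wd3RfLs8  (old post: https://discord.gg/Jn5YbCe1)
Mirror: https://discord.gg/qm7tzkp2  Archive: https://discord.gg/Zz0OldLink
"""

if __name__ == "__main__":
    for code, verdict in audit_invites(PAGE_TEXT, INVENTORY, NOW).items():
        print(f"{code:12} {verdict}")
```

Any verdict other than `ok` marks a published link to replace with a permanent invite whose code contains uppercase letters, or to remove.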