New Sophisticated Phishing Attack Abuses Discord & Attacked 30,000 Users Worldwide

A sophisticated phishing campaign that targets cryptocurrency users through Discord. The campaign has victimized over 30,000 users and resulted in losses exceeding $9 million over the past six months alone, revealing the continued operation of the notorious Inferno Drainer despite its claimed shutdown in 2023.

CheckPoint researchers discovered that attackers are combining social engineering with Discord’s platform features to create highly convincing scams.

In January 2025, investigators found that members of a prominent cryptocurrency community were being targeted when attempting to access Discord support servers from legitimate Web3 websites.

Instead of reaching genuine support channels, users were redirected to servers containing fake Collab.Land verification bots. Collab.Land is a legitimate service widely used in crypto communities to verify wallet holdings and grant access to exclusive channels.

“The entire scenario was convincingly realistic and capable of deceiving even experienced users,” noted the researchers in their report.

The fake verification process directs victims to a phishing website that closely mimics the legitimate Collab.Land interface. After connecting their wallets, users are prompted to sign transactions that appear legitimate but actually permit attackers to drain their crypto assets.

Sophisticated Evasion Techniques

What makes this attack particularly dangerous is its connection to Inferno Drainer, one of the most sophisticated cryptocurrency drainers in operation. Despite publicly announcing its shutdown in November 2023, the service continued operating with enhanced capabilities.

The attackers employ multiple advanced techniques to avoid detection:

• Single-use and short-lived smart contracts to bypass wallet security warnings
• Blockchain-stored encrypted configurations to hide command server addresses
• Proxy-based communication infrastructure making tracing nearly impossible
• Domain rotation and conditional redirection to evade automated security tools

“Even if a phishing site is discovered through victim reports, this is not a major impediment for the attackers as they proactively rotate their phishing domains every few days,” explained Check Point researchers.

One effective method attackers use is hijacking expired vanity invite links. Many Discord servers use custom URLs (e.g., discord.gg/projectname) that become available for anyone to claim if a server loses its boost status.

“Attackers can monitor and wait for high-value vanity links to expire. The moment a link becomes free, they instantly register it on their malicious server,” the report details.

This tactic is particularly effective as users may still have old invite links saved in announcements, websites, or social media posts, inadvertently leading them to attackers’ servers instead of legitimate ones.

How to Protect Yourself

Check Point researchers recommend several precautions:

• Verify that Discord bots have the “Verified App” checkmark before interacting
• Use bookmarks for crypto websites and avoid clicking untrusted links
• Never rush through wallet transactions and carefully inspect details before signing
• Use separate “burner wallets” when testing new projects or participating in airdrops
• Monitor official project channels for security updates

The combination of technical sophistication and convincing social engineering continues to make these attacks successful despite advances in wallet security and anti-phishing solutions.

Setting Up SOC Team? – Download Free Ultimate SIEM Pricing Guide (PDF) For Your SOC Team -> Free Download

The post New Sophisticated Phishing Attack Abuses Discord & Attacked 30,000 Users Worldwide appeared first on Cyber Security News.