Hackers Exploit Discord Invite Links to Spread Crypto Wallet-Stealing Malware

Cybercriminals have discovered a new way to target cryptocurrency users by turning Discord invite links into weapons. According to a report released by cybersecurity firm Check Point, hackers are hijacking Discord’s vanity invite links to deploy sophisticated malware campaigns designed to steal digital wallets and sensitive user data.

The attack campaign, which utilises both the Skuld information stealer and the AsyncRAT remote access trojan, takes advantage of a vulnerability in how Discord manages custom invitation links. By exploiting this feature, threat actors can silently redirect users from trusted Discord communities to malicious servers under their control.

“This campaign illustrates how a subtle feature of Discord’s invite system, the ability to reuse expired or deleted invite codes in vanity invite links, can be exploited as a powerful attack vector,” Check Point researchers wrote.

Discord’s Vanity Invite Vulnerability

At the heart of this exploit is Discord’s system for creating custom invite links. Users can generate vanity URLs, customised and easy-to-remember links for their servers. When these links expire or are deleted, Discord does not allow legitimate servers to reclaim them. However, attackers have found that by reusing these old invite codes, they can register the links to their own malicious servers.

This means that an invite link once posted on a blog or social media page with good intentions can later direct users to a hacker-controlled server without their knowledge. The attackers then use that new server to launch phishing campaigns, deliver malware, and ultimately access users’ cryptocurrency wallets.

“This creates a serious risk: Users who follow previously trusted invite links can unknowingly be redirected to fake Discord servers created by threat actors,” Check Point warned.

Malware with a Purpose: Targeting Crypto

Once users arrive at these hijacked servers, the attackers employ a social engineering trick known as the ClickFix phishing technique. Victims are asked to complete a verification process that involves granting permissions to a bot. That bot, in turn, redirects them to a fake website where they are prompted to enter sensitive information under the guise of verification.

Behind the scenes, the malware payloads do the real damage. Skuld, one of the main pieces of malware used, is an information stealer capable of extracting seed phrases from popular crypto wallets like Exodus and Atomic. It achieves this through “wallet injection,” replacing clean application files with Trojan-laced versions downloaded from GitHub.

AsyncRAT, the other major threat, gives the attackers remote control over infected systems. Additionally, a Golang-based info stealer downloaded from Bitbucket is used to collect data from Discord accounts, web browsers, gaming platforms, and more.

Widening Reach, Global Impact

This campaign is far from isolated. Check Point revealed that the same threat actor responsible for the Discord link hijackings is also distributing malware through a modified pirated software tool hosted on Bitbucket. That malicious tool has already been downloaded at least 350 times.

Victims have been identified across multiple countries, including the United States, the United Kingdom, France, Slovakia, Austria, the Netherlands, and Vietnam, indicating that the operation is both widespread and ongoing.

A Growing Threat to the Crypto Ecosystem

The attack highlights how even seemingly minor platform features can be manipulated into powerful cyber weapons. Discord, originally designed as a gamer chat platform, has evolved into a central hub for cryptocurrency and Web3 communities. But its infrastructure has also attracted the attention of hackers seeking to exploit the trust and scale of those communities.

By hijacking legitimate links and using familiar interfaces, the attackers bypass the scepticism users might have towards unsolicited emails or unfamiliar websites. The result is a seamless phishing experience that’s difficult to detect until it’s too late.

Vigilance Is the Only Defence

For now, users are urged to verify the authenticity of any Discord links they follow, especially older ones shared through social media, forums, or websites. Extra caution should be taken when asked to authorise bots or input sensitive data.
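Anyone who has published Discord invites on a website or blog can apply the same check to their own pages. The sketch below is an added example, not code from Check Point or Discord: it pulls invite codes out of page text and flags any that are dead or resolve to a different server. The `lookup` resolver, the guild IDs and the sample responses are constructed assumptions, with field names modelled on the invite metadata Discord returns.

```python
import re

# Matches discord.gg/<code> and discord.com/invite/<code> style links.
INVITE_RE = re.compile(
    r"(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)", re.IGNORECASE)

def extract_invite_codes(text):
    """Return unique invite codes in order of first appearance."""
    codes = []
    for code in INVITE_RE.findall(text):
        if code not in codes:
            codes.append(code)
    return codes

def audit_invites(text, expected_guild_id, lookup):
    """Classify every invite link in `text`.

    `lookup(code)` is a hypothetical resolver: it returns the invite's
    metadata as a dict, or None when the code no longer resolves.
    """
    results = {}
    for code in extract_invite_codes(text):
        meta = lookup(code)
        if meta is None:
            # Expired or deleted: per the report, the code can be re-registered
            # by someone else, so the stale link should be taken down.
            results[code] = "dead"
        elif str((meta.get("guild") or {}).get("id")) != str(expected_guild_id):
            results[code] = "wrong-server"   # resolves, but not to our server
        elif meta.get("expires_at") is not None:
            results[code] = "temporary"      # ours today, will expire later
        else:
            results[code] = "ok"
    return results

# Constructed sample data (not real invites or guild IDs).
OUR_GUILD_ID = "111111111111111111"
SAMPLE_PAGE = """Join us: https://discord.gg/examplecoin
Support: https://discord.com/invite/Ab3dEfGh
Old event: discord.gg/launch2023. Community: https://discord.gg/permalink1"""
CONSTRUCTED_RESPONSES = {
    "examplecoin": {"guild": {"id": "999999999999999999"}, "expires_at": None},
    "Ab3dEfGh": {"guild": {"id": OUR_GUILD_ID}, "expires_at": "2025-07-01T00:00:00+00:00"},
    "permalink1": {"guild": {"id": OUR_GUILD_ID}, "expires_at": None},
}

if __name__ == "__main__":
    for code, status in audit_invites(SAMPLE_PAGE, OUR_GUILD_ID, CONSTRUCTED_RESPONSES.get).items():
        print(f"{code}: {status}")
```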

While Discord has not yet issued a public statement on the vulnerability, Check Point’s findings make it clear: without changes to how invite links are managed, more users remain at risk of falling victim to one of the most insidious cyber threats currently targeting the crypto space.
