
The Discord Phishing Epidemic: How Wallet Drainer Kits Became the Weapon of Choice in Early 2023

The first days of 2023 reveal a cryptocurrency security landscape in transition. With Bitcoin trading at approximately $16,688 and the market still reeling from the collapse of FTX, attackers are shifting their focus from protocol-level exploits to social engineering campaigns targeting individual users. At the center of this shift is a disturbing trend: the weaponization of Discord as an attack platform through commercially available wallet drainer phishing kits. In January 2023 alone, 36 Discord servers were compromised, matching the number recorded in December 2022 — a sustained assault that shows no signs of abating.

The Threat Landscape

Discord has become the primary communication hub for cryptocurrency projects, NFT collections, and decentralized communities. This centralization of community engagement on a single platform creates a massive attack surface. When a project's Discord server is compromised, attackers gain instant access to thousands of community members who have already demonstrated trust in the project by joining its server.

The attack pattern is well-established. Compromised Discord accounts — typically those of administrators or moderators — are used to post announcements containing links to phishing websites. These sites are designed to closely mimic legitimate project interfaces, often replicating the exact visual design and domain naming conventions of the real project. Users who follow these links and connect their wallets are prompted to sign transactions that drain their assets.

In the largest phishing incident of January 2023, a fake Cool Cats NFT website successfully stole 357 NFTs from unsuspecting users. Just five days later, the same group struck again, stealing 195 NFTs through a phishing site imitating the Hasbullah NFT collection. Notably, the Hasbullah phishing campaign was one of the first incidents observed being promoted through paid Twitter advertisements, marking an escalation in the sophistication of these attacks.

Core Principles

Understanding why Discord phishing has become so prevalent requires examining the economics of the attack. Wallet drainer phishing kits are now available for purchase from a variety of vendors on dark web marketplaces and encrypted messaging platforms. These kits lower the barrier to entry dramatically — an attacker no longer needs technical expertise in smart contract exploitation or blockchain engineering. Instead, they need only the social engineering skills to compromise a Discord account and the patience to wait for victims.

The commercial availability of these kits has created a marketplace of competing drainer products, each offering different features, success rates, and revenue-sharing models with their creators. Some kits operate on a commission basis, taking a percentage of stolen funds, while others are sold for a flat fee. This commoditization of attack tooling mirrors the cybercrime-as-a-service trend observed across the wider cybersecurity landscape.

The fundamental principle at work is trust exploitation. Cryptocurrency users are conditioned to trust official channels — Discord announcements from project administrators, Twitter posts from verified accounts, and links shared in community chats. When these trusted channels are compromised, the social proof that normally protects users becomes the very mechanism that enables their victimization.

Tooling and Setup

Protecting against Discord-based phishing requires a combination of platform-level vigilance and personal security practices. At the project level, Discord server administrators should implement mandatory two-factor authentication for all staff accounts, use dedicated hardware tokens rather than SMS-based authentication, and establish verification procedures for any announcements that include external links.

Bot management is another critical component. Many compromises occur through malicious Discord bots that are granted excessive permissions. Server administrators should audit bot permissions regularly, removing any that are unnecessary and restricting all bots to the minimum privileges required for their function. Webhook configurations should be monitored, as compromised webhooks can be used to send messages that appear to come from legitimate project accounts.
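One way to run the bot permission audit described above, as an added example that is not from the original article: it decodes the permission bitfields Discord returns for each role and reports anything a bot holds beyond what it needs. The bot names, role values and `needed` lists are constructed sample data.

```python
# Added example: bit positions follow Discord's documented permission flags;
# the bots, role bitfields and "needed" sets below are constructed sample data.
FLAGS = {
    "KICK_MEMBERS": 1 << 1, "BAN_MEMBERS": 1 << 2, "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4, "MANAGE_GUILD": 1 << 5, "VIEW_CHANNEL": 1 << 10,
    "SEND_MESSAGES": 1 << 11, "MANAGE_MESSAGES": 1 << 13, "EMBED_LINKS": 1 << 14,
    "MENTION_EVERYONE": 1 << 17, "MANAGE_ROLES": 1 << 28, "MANAGE_WEBHOOKS": 1 << 29,
}
# Permissions that let a hijacked bot post as the project or alter the server.
HIGH_RISK = {"ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES",
             "MANAGE_WEBHOOKS", "MENTION_EVERYONE"}

def decode(bitfield: str) -> set:
    """Role permissions arrive as a decimal string; return the flag names set."""
    value = int(bitfield)
    return {name for name, bit in FLAGS.items() if value & bit}

def audit(bots: list) -> list:
    findings = []
    for bot in bots:
        granted = set()
        for role_bits in bot["role_permissions"]:
            granted |= decode(role_bits)      # a member's roles are OR-ed together
        if "ADMINISTRATOR" in granted:
            granted = set(FLAGS)              # ADMINISTRATOR implies every other flag
        excess = granted - set(bot["needed"])
        if excess:
            findings.append({"bot": bot["name"], "excess": sorted(excess),
                             "high_risk": sorted(excess & HIGH_RISK)})
    return findings

BOTS = [  # constructed sample input
    {"name": "ticket-bot", "role_permissions": ["3072"],
     "needed": ["VIEW_CHANNEL", "SEND_MESSAGES"]},
    {"name": "giveaway-bot", "role_permissions": ["19456", "537001984"],
     "needed": ["VIEW_CHANNEL", "SEND_MESSAGES", "EMBED_LINKS"]},
    {"name": "legacy-bot", "role_permissions": ["8"],
     "needed": ["VIEW_CHANNEL", "SEND_MESSAGES"]},
]

if __name__ == "__main__":
    for finding in audit(BOTS):
        print(finding)
```

Any entry with a non-empty `high_risk` list is a bot whose takeover would let an attacker post or reconfigure as the project itself, so those are the first to trim.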

At the individual level, users should treat every link in Discord with suspicion, regardless of who posted it. Before connecting a wallet to any website, verify the URL independently — check the project's official website or Twitter account for the correct domain. Use a dedicated wallet with limited funds for interacting with new protocols, keeping the bulk of holdings in cold storage that is never connected to web interfaces.

Ongoing Vigilance

The CertiK January 2023 report documented $28 million in total losses across 55 attacks in the first month of the year, with exit scams accounting for $10.2 million of that total across 21 incidents. While protocol-level exploits decreased compared to 2022 averages, the sustained volume of phishing and social engineering attacks suggests that attackers are adapting to the post-FTX environment by targeting users directly rather than attempting complex smart contract exploits.

The trend toward paid advertising of phishing sites — as seen with the Hasbullah NFT campaign — represents a worrying evolution. When attackers invest real money in promoting their campaigns, it indicates a high degree of confidence in their return on investment. This means the campaigns are profitable enough to justify the expenditure, which in turn means users are falling for them at an alarming rate.

Cryptocurrency projects must also recognize their responsibility in protecting their communities. This includes investing in professional Discord security audits, implementing automated monitoring for suspicious link patterns, and establishing rapid response procedures for when compromises are detected. The speed of response matters — in the Cool Cats incident, 357 NFTs were stolen before the phishing site was identified and reported.
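A sketch of the automated link monitoring mentioned above, as an added example that is not from the original article: it extracts URLs from a posted message and grades each hostname against the project's own domain list. The domain `coolproject.example`, the 0.8 similarity threshold and the sample messages are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: the project's real domains, maintained by its security team.
OFFICIAL = {"coolproject.example"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def classify(host: str) -> str:
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "idn-review"                  # punycode label: needs a human look
    squashed = host.replace("-", "")
    for domain in OFFICIAL:
        brand = domain.split(".")[0]
        if brand in squashed:
            return "brand-in-foreign-domain"  # brand name under someone else's domain
        if any(SequenceMatcher(None, brand, label.replace("-", "")).ratio() >= 0.8
               for label in labels):
            return "near-match"               # one or two characters off the brand
    return "unlisted"

def scan(message: str) -> list:
    """Return (host, verdict) for every link that is not on the official list."""
    hits = []
    for raw in URL_RE.findall(message):
        url = raw.rstrip(".,;:!?)]")          # drop sentence punctuation after the URL
        try:
            host = (urlsplit(url).hostname or "").lower().rstrip(".")
        except ValueError:                    # e.g. malformed bracketed host
            hits.append((url, "unparseable"))
            continue
        verdict = classify(host)
        if verdict != "official":
            hits.append((host, verdict))
    return hits

SAMPLES = [  # constructed announcement texts
    "Mint is live: https://coolproject.example/mint",
    "Surprise airdrop! https://coolpr0ject.example/claim",
    "Claim here https://coolproject-mint.example.net.",
    "docs at https://docs.coolproject.example and https://status.example.org",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(scan(text), "<-", text)
```

Wired to a moderation bot, anything other than `unlisted` in an announcements channel is a reasonable trigger for holding the message and paging staff.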

Final Takeaway

The Discord phishing epidemic of early 2023 is a symptom of a broader shift in the cryptocurrency threat landscape. As the market enters a new year with Bitcoin at $16,688 and Ethereum at $1,214, the reduced valuations have not deterred attackers — they have simply changed their tactics. The commoditization of wallet drainer kits means that the barrier to launching a phishing campaign has never been lower, and the centralization of crypto communities on Discord provides a ready-made, target-rich environment. The defenses are straightforward but require discipline: verify independently, use dedicated wallets for interactions, and never trust a link just because it came from an official channel. In a trustless ecosystem, the most dangerous vulnerability is often trust itself.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making decisions about cryptocurrency security.


7 thoughts on “The Discord Phishing Epidemic: How Wallet Drainer Kits Became the Weapon of Choice in Early 2023”

  1. 36 discord servers compromised in january alone. if you're in any crypto discord, turn off DMs from non-friends. literally the easiest fix

    1. turning off DMs is table stakes. the real problem is compromised admin accounts posting in public channels where DM settings don't help at all

    2. turning off DMs is step 1. step 2 is never clicking links in discord, even from admins you recognize. compromised admin accounts are the whole attack vector

      1. never clicking links even from admins is the hard part. when your project lead posts a link in announcements you trust it. that trust is exactly what the attackers exploit

  2. wallet drainer kits are being sold as SaaS now. $200/month to drain wallets. the barrier to entry for scammers is basically zero

    1. $200/month subscription to steal wallets. the productization of scams is honestly impressive in a depressing way

  3. 0xParallax.eth

    36 servers compromised in january right after FTX collapsed. attackers knew people were panicked and checking portfolios constantly. pure opportunism
