⚠️ Educational Purpose Only - This is a simulation of a malicious bookmark attack ⚠️

Discord Bookmark Attack Simulation

This page simulates how attackers might try to gain access to a Discord account and its permissions through malicious bookmarks.

Discord Verification

Drag and drop the button below into an open Discord window to verify your account.
You may also bookmark the link contained in this button so that you may click on the bookmark while on Discord to verify your account.

Drag me

How Bookmark Attacks Work

Bookmark attacks involve tricking users into adding malicious JavaScript code to their browser bookmarks. When these bookmarks are clicked while on Discord, they can execute harmful code that steals sensitive information or takes control of the account.
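A defensive check for the mechanism described above, as an added example that is not part of the original page: it audits a browser bookmark export and flags entries whose URL runs script instead of opening a site. The function names, the choice to also flag data: and vbscript: URLs, and the sample export (constructed, with harmless placeholder payloads) are assumptions of this example.

```javascript
// Added example: audit a bookmark export (Netscape bookmark file format) for
// script-bearing URLs. SAMPLE_EXPORT is constructed data, not a real export.
const SAMPLE_EXPORT = `<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
  <DT><A HREF="https://discord.com/app" ADD_DATE="1700000000">Discord</A>
  <DT><A HREF="javascript:void(0)" ADD_DATE="1700000001">Verify account</A>
  <DT><A HREF="  JaVa&#9;Script:void(0)" ADD_DATE="1700000002">Drag me</A>
  <DT><A HREF="data:text/html,placeholder" ADD_DATE="1700000003">Giveaway</A>
  <DT><A HREF="https://example.com/javascript:guide">JS guide</A>
</DL><p>`;

const RISKY_SCHEMES = new Set(["javascript", "data", "vbscript"]); // assumption: flag all three
const NAMED = new Map([["amp", "&"], ["colon", ":"], ["Tab", "\t"], ["NewLine", "\n"]]);

// Out-of-range code points become U+FFFD instead of throwing.
const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "\uFFFD");

function decodeEntities(s) {
  // Single pass, so text produced by one entity is never decoded a second time.
  return s.replace(/&(?:#x([0-9a-f]+);?|#(\d+);?|([a-z]+);)/gi, (m, hex, dec, name) =>
    hex ? cp(parseInt(hex, 16)) : dec ? cp(parseInt(dec, 10)) : NAMED.get(name) ?? m);
}

function urlScheme(href) {
  // Browsers drop tabs and newlines anywhere in a URL, trim leading spaces and
  // control characters, and compare the scheme case-insensitively.
  const cleaned = href.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

function auditBookmarks(exportHtml) {
  const findings = [];
  const anchor = /<A\s[^>]*?HREF\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/A>/gi;
  for (const [, rawHref, title] of exportHtml.matchAll(anchor)) {
    const scheme = urlScheme(decodeEntities(rawHref));
    if (scheme && RISKY_SCHEMES.has(scheme)) {
      findings.push({ title: decodeEntities(title).trim(), scheme });
    }
  }
  return findings;
}

console.log(auditBookmarks(SAMPLE_EXPORT));
```

The third sample entry shows why the scheme has to be normalized before matching: a plain search for the string "javascript:" would miss it, while the browser would still run it.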

Common Attack Scenario: Verification Scam

A common version of this attack shows users a fake "Discord Verification" page with a button labeled "Drag me", which they are instructed to drag into an open Discord window or save as a bookmark. When used, the bookmark executes malicious JavaScript that can steal tokens and compromise accounts.

WARNING: Never drag buttons or links from untrusted websites into Discord or your bookmarks bar!

🎭 Attack Scenario: The Crypto Giveaway

Here's how a typical attack might unfold in a cryptocurrency-focused Discord server:

Step 1: Initial Contact

A new user joins a popular cryptocurrency Discord server and begins engaging with the community, building trust over several days.

Step 2: The Bait

The attacker announces they're hosting a giveaway for a new NFT project or cryptocurrency and shares a link to a "verification site" that looks legitimate.

Step 3: The Trap

The verification site instructs users to drag a button to their bookmarks bar or directly into Discord to "verify their wallet" or "register for the giveaway."

Step 4: The Attack

When victims click the bookmark while on Discord, the malicious JavaScript executes, stealing their Discord token, which gives the attacker full access to their account.

Step 5: The Aftermath

The attacker uses the compromised account to spread the scam further, targeting the victim's friends and communities, or uses the account to steal cryptocurrency through social engineering.

Recent Incidents

In recent months, several major Discord communities focused on cryptocurrency and NFTs have been targeted by these attacks. In January 2023, a bookmark attack compromised multiple admin accounts in a popular NFT project Discord, leading to over $200,000 in stolen assets when users were directed to a fake minting website.
