Over the holidays, my Discord account was compromised. The attackers used it to social engineer my contacts into downloading malware, then extorted them for money.

How I Got Hit

On December 29th, my friend Nayan messaged me on Discord. Or so I thought.

Nayan is a game developer, so when “he” asked me to try a build of a game he’d been working on, it didn’t seem strange at all. We chatted for a bit, caught up, and then I downloaded the game.

The game was actually a piece of malware - it harvested heaps of my information and set up shop in my Discord installation to re-infect me on every new run.

And then came the extortion - pay up or they’d leak my data, burn my accounts, the usual threats.

I paid. I’m not proud of it. I hoped they’d leave me alone.

They didn’t leave me alone. They took over my Discord account anyway, and used it to attack my friends.

Never pay. It doesn’t help.

What They Did

Between December 29th and January 6th, the attackers impersonated me and reached out to my contacts. The same playbook that got me - friendly conversation, a game to test, malware in disguise.

At least three of my friends fell for it. They got hit with the same malware, and the same extortion scheme.

What their malware does

I’m ashamed to say that the first thing I did was not to notify as many friends as possible about what happened - that was the second thing, actually.

The first thing I did was to find the malware and throw it onto my Omarchy machine, and to use Oh My OpenCode to analyze it, and here’s what I found:

The “game” was a Java-based infostealer distributed as a fake indie game launcher. It came with a bundled Java runtime so victims didn’t need Java installed.

Once executed, it harvests everything:

  • Discord tokens - Immediate account takeover, bypassing 2FA entirely
  • Browser passwords - Every password you’ve ever saved in Chrome, Firefox, Edge, Brave, or Opera GX
  • Session cookies - Active logins to any site, no password needed
  • Autofill data - Addresses, phone numbers, saved payment cards
  • Browsing history - Everything you’ve visited
  • Steam credentials - Gaming accounts
  • Crypto wallets - MetaMask, Exodus, Electrum, browser extension wallets

The stealer decrypts Chrome passwords using Windows DPAPI and Firefox passwords using NSS libraries. It even attempts privilege escalation to SYSTEM to access protected data stores.

But here’s the nasty part: it injects malicious code into your Discord client itself. Even if you change your Discord password, the injected client captures your new token and sends it to the attackers. You have to completely uninstall and reinstall Discord to remove the injection.
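As an added example (not from the original post or its analysis), here is a check for one common way stealers persist inside the Discord desktop client: appending code to the `discord_desktop_core` loader script, which Discord ships as a one-line stub and runs on every launch. The Windows path layout and the assumption that this malware used that spot are mine; the post does not name the modified file.

```python
import os
import re
from pathlib import Path

# Stock content of Discord's loader, normally a single require() line, at
# %LOCALAPPDATA%\Discord\app-<ver>\modules\discord_desktop_core-<n>\discord_desktop_core\index.js
# (assumed injection site; the post does not say which file was altered).
EXPECTED_LOADER = re.compile(
    r"^\s*module\.exports\s*=\s*require\(['\"]\./core\.asar['\"]\);?\s*$"
)
# Tokens worth surfacing to a responder when the loader has been tampered with.
HINT_PATTERN = re.compile(r"https?://[^\s'\"]+|webhook|token|eval\(", re.I)


def classify_loader_text(text: str) -> str:
    """Return 'clean' if text is exactly the stock one-line loader, else 'modified'."""
    return "clean" if EXPECTED_LOADER.match(text) else "modified"


def hints_from(text: str, limit: int = 5) -> list[str]:
    """Extract up to `limit` network/eval-related tokens from a modified loader."""
    return sorted({m.lower() for m in HINT_PATTERN.findall(text)})[:limit]


def discord_roots() -> list[Path]:
    """Candidate Discord install roots (Windows %LOCALAPPDATA% layout assumed)."""
    base = Path(os.environ.get("LOCALAPPDATA", Path.home()))
    names = ("Discord", "DiscordCanary", "DiscordPTB")
    return [base / n for n in names if (base / n).is_dir()]


def scan(roots: list[Path]) -> list[tuple[str, str, list[str]]]:
    """Check every discord_desktop_core loader under the given roots."""
    pattern = "app-*/modules/discord_desktop_core-*/discord_desktop_core/index.js"
    results = []
    for root in roots:
        for loader in sorted(root.glob(pattern)):
            text = loader.read_text(encoding="utf-8", errors="replace")
            verdict = classify_loader_text(text)
            hints = hints_from(text) if verdict == "modified" else []
            results.append((str(loader), verdict, hints))
    return results


if __name__ == "__main__":
    for path, verdict, hints in scan(discord_roots()):
        print(f"{verdict:8} {path}" + (f"  hints={hints}" if hints else ""))
    # A 'modified' loader means the client itself is capturing tokens: as the post
    # notes, only a full uninstall and reinstall removes it; then rotate the token.
```

A `modified` verdict on any loader is the signal that a password change alone will not help, since the patched client forwards each new token as it is issued.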

All stolen data gets zipped up and uploaded to gofile.io for the attackers to retrieve.

This isn’t some script kiddie’s hobby project. The malware uses commercial obfuscation (Zelix KlassMaster, which costs hundreds of dollars) and contains a license key - it’s a Malware-as-a-Service product that the attackers purchased access to.

If you don’t pay: weaponized false reports

Here’s where it gets particularly nasty. When one victim refused to pay, the attackers used their compromised Discord account to spam CSAM solicitation messages in a group chat - messages the victim never wrote.

They screenshotted their own manufactured “evidence,” then reported the victim to Discord.

Discord banned the victim’s account.

The attackers created the violation, documented it, and reported it. All using accounts they’d stolen.

(For more information, see the case study here.)

Covering their tracks: locking you out of support

The attackers had another trick. Since they already had access to my email (via stolen session cookies), they tried to create a Discord support account using my email address before I could.

Here’s how it works:

  1. They register for Discord support with your email - they can confirm it because they have your email session
  2. They gamble that you don’t have push notifications for emails
  3. They intercept and delete any confirmation emails from Discord support as they arrive
  4. They set up their own 2FA on the support account

Now when you try to report the hack, you’re locked out. You can’t create a support account - one already exists with your email. You can’t use password recovery - you don’t have the attacker’s 2FA. You’re stuck.

I got lucky - I had already created a Discord support ticket for an unrelated matter a long time ago.

Others weren’t so fortunate.

Covering their tracks: locking you out of your email

The attackers had one more trick up their sleeve: they tried to permanently lock me out of my Gmail account.

Here’s how it works:

  1. They change your Google account’s birthday to make you a minor
  2. They add your account to a Google Family group they control
  3. Google now treats you as a supervised child account

This is devastatingly effective. Child accounts under Google Family Link have severe restrictions - they can’t change recovery options, can’t remove supervision, and critically, can’t do anything without authorization from the family group administrator. If you try to recover your account, Google tells you to ask your parent.

The attacker is your parent now.

I got lucky. I was already the head of my own Google Family group. Google Family groups can’t be nested - you can’t add someone who’s already a family manager to another family as a child. Their attempt to add me to their family group failed silently.

If I hadn’t happened to set up a family group years ago for me and my wife, I might have permanently lost access to my Gmail.

I eventually got my account back

After about a week of back-and-forth with Discord support - submitting ID verification, explaining the compromise, providing evidence of the attack pattern - I recovered my account on January 6th.

But some of my contacts weren’t so lucky. They’re still dealing with the fallout.

What I’ve learned

Two-factor authentication wasn’t enough. The attackers got my Discord token directly, bypassing 2FA entirely. Session tokens don’t care about your second factor.

I’ve since:

  • Revoked all active sessions
  • Changed passwords on everything connected to that email
  • Enabled hardware security keys where possible
  • Started treating “hey can you test my game” messages with extreme suspicion, even from people I know

If someone you trust asks you to download something, verify through another channel first. A quick “hey, did you actually send this?” over SMS or a phone call takes thirty seconds and could save you months of headaches.

And if you do get extorted: don’t pay. They’ll take your money and attack you anyway.

Further reading

I’ve put together a detailed forensic analysis of the attack, including the social engineering tactics.

The victim in the case study gave permission to share their experience. Other names and identifying details have been sanitized.

If you were contacted by “me” on Discord between December 29th and January 6th asking you to test a game - assume your credentials are compromised.

I’m truly sorry this happened.

-J