Someone sent me a tweet to inquire if what was said in the tweet is true and not another click bait tweet. After looking at the tweet and doing some OSINT we found that there is a malicious actor using a fake bot impersonating a real Discord bot.
The first screenshot is of the fake Discord bot page attempting to steal Discord Token, the second screenshot is the real Discord page for the Discord Bot. The fake site is located at
After reading what the fake site asks you to do it’s pretty obvious that it runs JS code through a bookmark. Let’s see what the bookmark really does by inspecting the element of “Drag Me”.
It seems to
eval some decoded base64 string, let’s decode the base64 string to see what it does.
Well it fetches a Discord attachments and
eval the code it gets from the URI. Of course it is obfuscated and needs to deobfuscated. It appears to grab
Username, Discord ID, Email, Token and forwards it to a Discord webhook. Since this post the webhook has been deleted and has been neutralized.