The Discord guild of Fruitbat Factory, the creators of (among other things) the English localisation of the game 100% Orange Juice, was breached by an unknown malicious actor. The attacker carried out a social engineering attack similar to the one described in “Can you try out a game for me” Discord SCAM (Includes server to FLOOD), in the sense that a large number of members, including the guild’s owner @PhleBuster, were affected and had their online accounts stolen.
The attack was carried out by coercing guild members into downloading and running a malicious application (a Discord tokener), in this case disguised as a videogame. It’s not known yet who is behind this scheme and this particular tokener, as I haven’t been able to retrieve any hard evidence (nobody was willing to talk about it openly yet in any meaningful manner and I don’t have any information on hand to confirm or disprove anything as of writing). The attack itself has already been reported to the police and other relevant authorities by the guild owner PhleBuster.
Discord tokeners (alongside many other password-stealing threats) are an increasing threat both in scale and impact, with many malware families starting out on this platform. This is further propped up by the sheer technical ease with which such malware can be constructed. It’s so easy, in fact, that even children can make an effective sample that causes severe havoc.
This attack relies entirely on the user making a mistake; no actual software vulnerability is exploited. The only real purely technical measure you could take is to use a program that protects your Discord instance from arbitrary hooks and your data from arbitrary reads. Such hardened versions of the client exist but I wouldn’t recommend using them as I haven’t tested any of them yet. You could also configure your AV solution to protect your Discord Local Storage and Cookies. 2FA measures fail in this case and don’t sufficiently protect against these threats: the stolen token is valid on its own, so no second factor is ever asked for.
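As an added example (not from the original post), here is a small detection routine of the kind an AV/EDR rule or a SOC script could run over file-access audit events: it flags any process other than the Discord client itself (or the AV engine) that touches the client’s Local Storage or Cookies, which is exactly the read a tokener has to perform. The sub-paths, the allow-list of process images and the pipe-separated event format are all assumptions made for this example, and the sample events are constructed.

```python
from typing import Iterable, List, Tuple

# Sub-paths under a user's profile that hold the Discord client's Local Storage
# (the leveldb store the token lives in) and its Cookies database. These are an
# assumption of this example, not something the post states; the discordcanary /
# discordptb entries cover the alternative client builds. Stored lower-case with
# backslashes so they can be matched after normalisation.
SENSITIVE_SUBPATHS = (
    r"\discord\local storage\leveldb",
    r"\discordcanary\local storage\leveldb",
    r"\discordptb\local storage\leveldb",
    r"\discord\cookies",
    r"\discordcanary\cookies",
    r"\discordptb\cookies",
)

# Process images that legitimately touch those files (assumption: the client
# itself and the Microsoft Defender engine). Anything else is worth an alert.
ALLOWED_IMAGES = {"discord.exe", "discordcanary.exe", "discordptb.exe", "msmpeng.exe"}

# Constructed sample of file-access audit events, one per line:
#   <timestamp>|<process image>|<operation>|<path>
SAMPLE_EVENTS = """\
2020-01-01T12:00:01Z|Discord.exe|ReadFile|C:\\Users\\alice\\AppData\\Roaming\\discord\\Local Storage\\leveldb\\000005.ldb
2020-01-01T12:00:02Z|MsMpEng.exe|ReadFile|C:\\Users\\alice\\AppData\\Roaming\\discord\\Cookies
2020-01-01T12:00:03Z|FreeGame.exe|ReadFile|C:\\Users\\alice\\AppData\\Roaming\\discord\\Local Storage\\leveldb\\000005.ldb
2020-01-01T12:00:04Z|FreeGame.exe|ReadFile|C:/Users/alice/AppData/Roaming/discordcanary/Cookies
2020-01-01T12:00:05Z|FreeGame.exe|ReadFile|C:\\Users\\alice\\Documents\\readme.txt
2020-01-01T12:00:06Z|explorer.exe|QueryDirectory|C:\\Users\\alice\\AppData\\Roaming\\discord\\
"""


def normalise(path: str) -> str:
    # Unify slashes and case so "C:/.../DISCORD/Cookies" and "c:\...\discord\cookies"
    # compare equal; a stealer does not have to spell the path the way the client does.
    return path.replace("/", "\\").lower()


def is_sensitive(path: str) -> bool:
    """True if the path lies inside one of the token-bearing directories."""
    p = normalise(path)
    return any(sub in p for sub in SENSITIVE_SUBPATHS)


def parse_event(line: str) -> Tuple[str, str, str, str]:
    """Split one audit line into (timestamp, image, operation, path)."""
    ts, image, op, path = line.split("|", 3)
    return ts, image, op, path


def find_suspicious_access(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, image, path) for every access to Local Storage or
    Cookies by a process that is not on the allow-list."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, image, _op, path = parse_event(raw)
        if image.lower() in ALLOWED_IMAGES:
            continue
        if is_sensitive(path):
            alerts.append((ts, image, path))
    return alerts


if __name__ == "__main__":
    for ts, image, path in find_suspicious_access(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {ts}: {image} accessed {path}")
```

On the constructed sample only the two reads by FreeGame.exe are reported; the client’s own reads, the AV engine’s scan, a read of an unrelated document and a directory listing of the parent folder are all ignored. In practice the allow-list is the part that needs tuning per machine (backup agents, for instance), and a hit should be treated as a compromised token regardless of whether 2FA is enabled.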
What doesn’t help is Discord’s attitude towards such attacks. Not only is it extremely easy to steal other people’s accounts with the use of Discord tokens (whether it’s a real design mishap or a clever sneaky tinfoily backdoor isn’t a thing that I can answer) but recovery of such accounts and guilds is extremely difficult, if not impossible. Fruitbat Factory representatives have repeatedly contacted Discord staff and support on several platforms to no avail, with the original guild still compromised as of the time of writing.
Motivations for such attacks are diverse, ranging from plain revenge by angry malicious users and illegal private investigation to straightforward financial gain. There are several criminal groups specialising in phishing, social engineering and even advanced attacks such as real online identity fraud. A lot of these attackers organise in so-called “fraud servers” where they plan and organise such attacks and share their results with others. A lot of these guilds run additional scams (such as invite and Nitro scams or fake illicit tool marketplaces) on top of their activities. (own research)
Fruitbat Factory has created a new Discord guild, available here, as a temporary replacement while the original server is lost (you may want to cross-check this invite against their website, as it could be compromised as well):
Please post if you have any information that might help with the identification and mitigation of the attacker. If your information is private or otherwise sensitive, you might want to contact your local authorities and an administrator of this forum, who might be able to handle your information properly.