Even if discord stops this scam people will eventually come up with new scam ideas. Which is why I agree that there should be a penalty for malicious behavior
@@lazyfrog1718 I think the man means suing. People stealing information on discord that have no lives should be sued. Pretty scary for those scumbags so it’ll work better than just a warning and a ban lmao
I fell victim to this scam, but I got my account back before they changed the email to it or anything so I would lose it completely. Thank God my nitro was paid for by an empty prepaid visa card. Only thing bad that happened that I was sad about is that people I friended but didn't have a mutual server with could have fallen victim to the scam and I would have never known.
There should be no way to change your email because discord sends you a confirmation email to your email address to confirm that it's you wanting to change the email.
Same. As soon as I realized what happened I almost immediately changed my password. Luckily I didn’t have any credit card or personal info there besides my email and phone number.
@@Thefootqueen just had this problem too a few hours ago. I deleted the bot in settings, I think the problem is resolved, just all my friends received the link lol.
@@ludaalt3147 well i think u don't have to do more things. Nothing changed, no more problem for me so i suppose the bot only sent one time and not spamming
An update on the repo: The owner took it down, since they didn't want to cause any harm with it. Their words taken from the announcement channel: I recently learned that my project 'Fake-Verification-Bot' was used by many people in a malicious way to scam other people and I'm sorry for that. It is important to know that my work was never created to be used in this way but mainly to show people what it was possible to do just by using the API made available by discord. Since a YouTuber (with about 80k subscribers) recently made a video about this to warn people, I'm afraid that on the contrary, it will make this project much more known and therefore more used in a malicious way which would be a disaster. So I'm thinking about deleting this directory to avoid more damage or make it private.
3:53 As a bot programmer, I am not completely sold on the fact that the creator made this with malicious purposes. I enjoy making 'fake viruses' or 'fake virus bots' with any intention of harm, just to experiment with what I can do. I think the creator of the program might've thought the same, and really didn't mean to do any harm, or use the program himself. Edit: he actually confirmed this and deleted the repo, mentioned this video in his apology
@@franny6221 I post every single project online, even if they can be used maliciously, to build up a resume for potential future jobs. I do find it pretty suspicious that all of his projects have something to do with token logging, so he might use these projects himself. I don't know for sure...
Well the difference here is that you make "fake viruses" while this is actively used to scam people. This was NOT made for educational purposes, it was made to steal discord accounts maliciously, that "educational purposes" tag is so that github won't remove the repo. Look with your eyes, man.
@@bbernyy64 can't u make a private resume though? I'm genuinely asking because i have no idea about this, isn't there a better way to build a portfolio without endangering people's bank accounts?
@@franny6221 You can set it to private, but other companies / employers won't be able to see your work, which might decrease your chance at getting a job. If i noticed one of my projects was used in such a harmful way i would A. Private the repo or B. Create a backdoor and inform discord about these scams, and not leave it online. This guy might still very well be a scammer, but there is a small room for doubt.
Online scamming should be against the law and it should result in active punishment irl. Scammers are just too confident that they won't get any consequences from their actions.
As hi already pointed out, the issue with that is that international law is tricky, so passing a law in america to deal with scammers won't do much to help with all of the people scamming out of third world countries that don't tend to bother with those types of laws, and it's also a bit too small of a thing to even bother trying to get put into international law, even if that was regularly enforced.
Honestly the best solution Discord could do, even though I really don't want the images to be scanned (although its probably already happening...), is for Discord's Image API to find QR codes within images and cross verify them with their authentication system to prevent it. The QR code login feature is fantastic but since its been introduced its been used for so many scams. Although it may take a year(s) for them to actually implement it but thanks for bringing attention to it!
Two things: 2FA doesn't prevent token logging whatsoever (some people think this). You can't just scan a QR code and get immediately token logged. A token logger runs on your computer, and if it was possible to scan a QR and a program run on your computer without any intervention from you, I'm very sure that the hackers could do way more. What normally happens is either the QR code is a login from phone, and even then, Discord has a warning to not scan QR codes you don't trust, or it redirects to a fake Discord login screen, and that is easy to catch out with the URL being different. Too many people think that if you click a link/scan a QR you get instantly hacked, which is completely untrue. Edit: Token logging works, regardless of if you have 2FA on your account.
you are wrong the qr code is discords official login qr code and doesnt bring you to a fake login screen, it literally makes a new session and gives its token to the instance that generated the qr code, so yes they are simply token logging you by scanning the qr code.
im a little lost on this, what do people scan the QR code? just any qr scanner or the discord QR scanner that is supposed to make it easier to sign in?
If you scan a QR Code from discord. On your screen once you scan the QR Code you will get asked if this is you logging in. If the scammer clicks yes, they are logged in. I have tried logging in with a QR Code and I have 2FA. It didn't ask me about a 2FA code. Unless they changed it, it doesn't ask for a 2FA code via a QR Code
Your token is what represents your account on everything. Each message you send, you're sending a request to Discord's servers, and together with that, your token, which is what tells discord who you are. If they have your token, your username, password, email, 2FA, etc. doesn't matter.
This morning a friend sent an invite to a server with the message: check what happened in #general, i cant believe it!. So i joined the server because i was curious but i saw i needed to verify. Luckily i was on discord mobile so i couldnt scan the QR code with my phone because i already was on my phone and i was too lazy to open discord on my laptop. First time that being lazy actually helped for me
Couldn't discord just have a bot scan every image to see if it contains a login QR code? They already scan for pornographic content which im guessing is a lot more resource intensive than just checking a QR code.
@@hi-kt3qr They already scan everything, including messages. Its used for advertising. Spyware is software that specifically spies on you after infecting a device you own, not data being collected from users by a company hosting the service. If you really want total privacy when using discord you're out of luck im afraid. So yeah, they should do it with QR codes.
@Sir Avian I mean you already need to contact discord and give them your photo ID if you want to do certain things with a bot, im sure it would be no big deal having to do it to post blacklisted QR codes. And yes it would be super easy, I could make a script that would do something similar in 30 minutes. Having it be able to check a ton of QR codes at once is another story but they already check for NSFW images which is some black magic fuckery lmao.
They should've invested in this instead of the whole porn filtering. The filter barely works at all. I am sending totally wholesome pictures, and it's flagged as porn because the skin color or what not. It's completely dumb. I have to cut the image in half, and hope that it goes thru (50% of the times it does)
I had one of my fav youtubers on my DM's months ago cuz like I wanna say "I'm your biggest fan!" like that, and however weeks later she messaged me the same message "Idk if it's you or..". I'm glad people are spreading awareness of this new scam method :)
The best way to slow them down is to rate limit their bot which I think it's possible by spam clicking the button with multiple people and that will make their server rate limits their access to Discord's API unless they have good proxies they would get rate limit for too many requests and it restricts the IP for at least some hours at hard limit -committed from Taiwan
@@zagorxy8090 I have tried it before the issue is they will ban you after too many presses so this requires multiple people spam clicking that button at the same time
Had no idea about this, stumbled upon this and accidentally avoided the scam. Joined the server thought it was legit (obviously I know now it wasn't). Good thing is, I don't have a secondary device to scan a QR on, and my phone is so broken when it comes to scanning QR codes it wouldn't have even worked. Nice to know that me not having advanced technology for anything helped me for once. Great video as well, very informative
I got that message few days ago, and I joined their server. I clicked the verify button and it gave me the QR code which was to scan it to get access to the server, and within 5 minutes i notice something off, some people's nickname was changed to "this server is scam you must leave", and I felt a bit nervous. I left the server and reported it to the discord!
Discord should have a sort of test to help you better understand. I remember an update came to adopt me while I was monitoring my little sister on it, and it was a whole thing you had to go through to understand what kinds of scams there are and prove you know how to avoid them. Nothing annoying or too long, just something you have to go through in order to make an account. Personally, I'm very good at not falling for scams, but some people are not. A server owner everybody trusted was warning people about a scam, and pinged *everyone* with the link to the scam. Some people didn't see the part telling them not to click it, and multiple people lost their accounts, it took us a while to get some back but we didn't recover them all.
Dont talk about things you dont understand. Non malicious by default virus/exploit concepts help educate people and developers (including discord) on a particular issue.
Just got one today, scared me, saw a qr code, instantly knew something was off. Thank fuck I didn't scan it. Instantly searched up discord qr code scam and you came up! Thank you :)
"Good" hackers usually publish stuff like this to put some pressure on companies to actually fix the issue, this QR code scam has been known for years and yet here we are.
Wouldn’t say at all that the dev is using it, I’ve developed malicious stuff only meant to be tested on yourself such as a token grabber, the problem lies when you decide to deploy it, it being open source has nothing to do with the people who fork the projects intentions.
@@somedude-vp9ti that can be used to pentest it actually serves a good purpose, this on the other hand only serves one bad purpose. i can’t see how it can be used in a not bad way
@@undefinedchannel9916 so code that shows a severely broken security model discord (a company that seems to not even care seeing all of the security exploits over the years) has only can serve a bad purpose? It also makes no sense why he would publicly post it
@@somedude-vp9ti doesnt make much sense. publishing a specifically harmful tool makes you liable to what others do with it, so it is fine to say the dev is acting in bad faith. if he wanted to showcase Discord's broken QR code system then he couldve just made a video about it, or run an experiment with it that would tell users they could have just been hacked, etc.
I have been scammed with the discord fake games thing a long time ago not the qr codes but the name of the repo dev sounded familiar and the fact that they were in france made it even more familiar. Turns out when I got scammed I (tried to) decompiled the python exe file and through searching found a github repo. I continued talking with the guy who had sent me the Token grabber and got my way to find their phone number, rough location and their discord. I added them in friends and wasted their time for maybe an hour or two. I got them banned from discord but heh they just made new accounts but im happy I pissed them off. And in their bio's they had a fake nitro website that I reported and it went down pretty quickly. Anyway great video and I definitely didn't expect to hear about the same idiots again
a good way to tell if its a scam if you have better discord installed you can get show hidden channels to see if there are any that are locked chances are they dont exist
This one almost got me, Though I reported the server and within an hour they banned the server which was great! I warned my friends about the scam and they didn't know about the server so hey, at least they won't fall for it!
6:50 they should add it so, when you press the button, you will get redirected to a part of the login where there is the warning, and you will have to check the box where it has next to it "I understand and accept", and then after 5 seconds, you should be able to log in. Discord definitely should warn people with a proper message like i just described.
I recently got a weird message from a friend inviting me to a server, upon doing so, I was asked to verify with a QR code, got a weird feeling, googled it, and found this video, I checked the logs of that said friend on mutual servers and saw that multiple people fell for it and got their account stolen, sad to see, glad you made this video, saved me from losing a loaded account
No Text To Speech: “Why would anyone share a scam bot program if they’re not scamming people?” Also No Text To Speech: “Today I’m going to show you how to speed run making a scam server.”
This QR code login thing is ridiculous from a cybersecurity standpoint. There's a reason why you don't see other big websites do it ; it's extremely easy to social engineer people into scanning a QR code as they're often seen as just pieces of data that can be read without consequences (and that's fundamentally what they are, except when companies use them for confusing purposes). This login feature is extremely dangerous, you don't reinvent the wheel like that when you're just a VC-funded company that invests more into looks and ease-of-use than actual security.
Definitely, scammers need to face serious legal consequences. This has become pretty ridiculous and almost only has upsides for the scammer since he/she will quite easily find some victims and further spread the scam. Besides an account ban, hardware and IP blacklisting, Discord needs to file police reports against scammers in their home countries according to their IPs etc.
The home countries have no jurisdiction to enforce United States law, it will always be US law because Discord is located in the united states of america
You're a good person @No Text To Speech for making people aware on this situation , its still happening months later as it almost just happened to me !
I’ve fallen for this before and it made me look extremely dumb. In addition, I bought nitro as a gift a long time ago and discord autosaved the info to the billing section which is just stupid. Safety measures have been taken and I’m completely safe now, but god that was unnecessary and discord really needs to scan for malicious qr codes, remove tokens being able to bypass 2fa or if it’s possible, remove tokens as a whole, or remove QR codes as a whole. I wish I could’ve seen this video earlier.
So does that mean even if I joined the server but as long as you didn't scan anything , nothing will happen? Bcs for me I joined , but I left the server immediately , didn't scan the QR code at all, didn't even know there was one
I had a gut feeling that this was a scam when I had a friend send it to me. I almost clicked it, but decided to wait a little bit. Then, a second friend got hacked, and I received the same exact message with very slight changes, and then I was 100% certain. Both got their accounts back, so that's a good thing.
I've never trusted those DMs I get from my friends. If something sounds wrong, it probably is. It never hurts to ask and probe your friend for more information if you're unsure! It's better to be safe than sorry.
Update on AstraaDev 10-7-2022: Currently it seems like he took his github repo offline or private. My opinion: I agree with the idea that the makers of these tools should be looked at critically however, I do question if he really was malicious. He could have easily sold it without the repository being public. Making a repository public is a stupid move for a highly malicious user. The fact that he took it private now, but made it public to begin with makes me question his intentions. Maybe he wasn't malicious after all, or maybe he only did so because he got caught?
One thing i've recently noticed is that these servers are then moving away from verification and impersonating "official" servers for stuff like games to try to scam people. I mod a server and someone reported a scammer and when we asked them for a link to the "server" they moderate, they actually linked to a somewhat reasonable impersonation of the server that was likely rebranded after using this method (had like 20k members, level 3, vanity url, but was still obviously fake as all the channels were empty and you couldnt verify).
Idea 1: fully remove qr codes
Idea 2: have discord automatically block images with discord qr codes (because literally no one uses this to send to friends anyway)
Recently, there was an announcement in the owner's Discord server stating that he never created it for malicious reasons, but for showing how vulnerable Discord's API is, he mentioned your previous video on this scam. "Since a YouTuber (with about 80k subscribers) recently made a video about this to warn people, I'm afraid that on the contrary, it will make this project much more known and therefore more used in a malicious way which would be a disaster." 1 hour later he made the repository private. Good job for making a video on the scam.
While it was public, I used it for testing reasons using my alt account, upon scanning the code it almost instantly sends the information to the logs channel and starts direct messaging the victims friends. The ad I designed for the test got a lot of attention, out of about 50 friends, about 25-30 joined the test server, which had no scam, just a channel to talk in, but obviously they later left. Since verification is really common in Discord servers, I understand how the scammers logged this many victims. The project has gone private, not been deleted, meaning the owner can still share it amongst anyone of his choice and continue to update it. I personally don't scam myself, but rather use these tools for testing purposes on either myself or a friend (obviously with their permission). After using these tools grabbing tools for a while, I have seen how easy it is to setup, how to reverse engineer them, and also how well maintained they are, the most popular one known as "Hazard v2" gets updated every few days, the most well maintained one that is public, top of the repository list when you search "Discord Token Grabber".
Here is some information me and a group of people have found: It's hosted mainly in Bangladesh and Romania. It grabs your discord token, but your discord token gets reset when you change your password, discord has said it themselves. A lot of misinformation is being spread about this to make people scared. There is about a five-minute delay the bot takes between you scanning the code and you getting hacked. It doesn't change your password nor unadd your friends as my friends account is completely fine except it sent it to everyone on their friend's list. Hope this helps.
some of them do unadd your friends (blocks them). also you didn't watch the video seemingly; it doesn't matter if your token changes as they already have all your user data and possibly personal information. and there is no delay between scanning and you getting 'hacked', unless the bot maker added that in themselves.
This happened to me a week ago, however it's incredibly easy to get everything back to normal, just don't log out of your account. With the qr code they can't get your password, and if you change your password on discord, it will log out every device your account is on. Then just go to settings and see all of your blocked users, then unblock them, it's that easy.
I just was going to scan qr code but I remembered that servers don't usually ask for human verification with qr code soo I search about this and got ur video Thx❤️
Seems like the heart of the issue is the lack of innovation and having such a basic sad sack of a method for keeping track of people's accounts such as a token system
This has been going around again, one of my friends was hacked. There was no long winded message about leaked pictures, it was just "Yo join this discord real quick". I have scan all messages enabled on my account, so the scary part is it doesn't look like it's being picked up by discord.
Honestly, it was a pretty dumb idea in the first place to allow QR code login. First time I saw it as a login option I thought to myself: "Yeah, that's gonna end well."
@@bbernyy64 its more like 1. grab your phone 2. open discord 3. scan qr code 4. click yes when discord asks if you want to login on that device 5. fall victim to their scam
I think the same.
⚠️ *1:* Discord should add some big warning while scanning or some big warning once you log in (only once) that tells you to watch out for scams and tells you some security tips
🔒 *2:* Most important way how to stop scammers is just to do something that will be scammers afraid of. Like that sue. Scammers will be afraid of jail. So they wouldn't do it because you cannot just create new life when you go into jail. So some huge action should be in place.
📜 *3:* People, share like me this video with discord staff under the "Suggestion" category in a ticket so Discord will take some ideas, etc. from this video. It will help and NTTS deserves it.
📌 *4:* Pin this comment, please.
There are 2 warnings while scanning a log in qr code. in red text there is written "Only scan QR code directly taken from your browser. Never use a QR code sent to you by another user" and the blue button says "Yes, log me in".
That github repository is the reason dangerous code should be protected from the public. There will always be a nefarious figure that will turn a good intentioned vulnerability point out into a fully fledged attack.
it should be shared publicly so people can chose to educate themselves on what is happening with these QR code scams or info security in general. It would be worse if it was not available, then only those who find or buy these methods public or not would use them. The same ones who use these techniques to their best gain.
@@hi-kt3qr this has nothing to do with proprietary software, he's only saying that *dangerous* code should not be public, he doesn't say anything about code in *general*
If I'm being honest, the whole "you sent a girl nudes so join this server or I'm blocking you" is so over the top and laughably hard to believe. Especially if its sent so many times with literally no change. You know, if I were them, I'd make it a hell of a lot more subtle, like "hey join this server rn" You'd expect dms like that. But hey, I'm not them and I don't plan on ever being them.
I got something similar, the one I got just said something like check general. Luckily I never clicked it but that’s a longer story on why. Thanks for making people aware. I hope Discord can better protect and handle this in the future. It makes sense why it keeps happening especially if they get income from it but sadly I do not see Discord suing, it’s happening to users not them. Only way they might is if people start saying they won’t use Discord due to the risk/issue.
happened to get scammed and it sent links to my whole friends list, im truly terrified if anything of my personal info gets leaked. please dont trust these i have created a new account never scan suspicious links.
Fell victim to this scam a second ago! Just secured my account and fixed all the crap with it... Even after 5 months of this video being posted Discord hasn't done A SINGLE THING to stop the scammers in their tracks.
Thanks for the video. Got a DM from guy I played Tarkov with in another server with a server link to join. Wanted me to scan a QR code to verify, the red alert in my head went off. Quickly searched on YouTube and looks like I was right.
I fell for this 2 days ago.....sent invites to everyone and some servers. It stopped sending after I changed my password and I explained to my friends about falling for the QR Code scam. Most servers already knew that I fell for it so it made it easier to explain that I resolved the issue by changing my password as it changes the token.
This happened to me 2 weeks ago. This honestly scared me because I don't remember doing anything that's remotely wrong. But thank God my QR scanner failed on me after learning the truth about it
Ikr! One idea that they could use is making the tokens so that they are e2e encrypted. That way, only your computer, and discord's servers would know your token, making it impossible to get token logged. I really hope discord does something like this, because currently, account stealing is way too easy!
i remember the first time i got this i almost scanned the qr code, i entered the server and pressed a verify button, but immediately left it after i got warned on some stuff, luckily, that was some months ago and nothing happened to my account, i really got scared when i heard i was "exposed", plus it was fishy
Thanks for this video, with all of your statements, I agree with them all and it’ll definitely discourage people to scam other people on Discord. I decided to like the video and Subscribe to your channel. I appreciate your hard work, and I hope the future ahead of us, will be better and less worrisome with less or no scams at all which is what I hope for. 😁
0:02 yeah, I was one of the first people to recognize and report this scam, thank god I didn't click join because there was just something hella sketchy about it.
it's not really. the discord developers gave everyone exactly what they needed to start qr phishing, with the qr code login feature. this scam has been around for years and nothing has been done, it's only getting attention now because of a particularly successful version of it.
A few days ago I fell for that scam, and yesterday, the hacker tried to join crypto scamming servers to bot people and send them a scam message. I instantly changed my password and two-factor authentication back-up codes so that mother trucker can't get in. Stay safe people, these guys aren't fooling around, but so are we!
Fun Fact: They don't actually get banned, they use an alt and give ownership to the server, because when discord removes a server, it permanently bans the one who owns it from discord.
i mean they can create another account, and create another server lol
@@Asterion_Moloc_1 vpns exists tho
@@b4ndoshysty vpns sometimes dont work
@@Minty. VPNs work almost all of the time. Short of Discord downloading its own malware onto your computer to monitor your devices you can easily evade a ban.
@@Asterion_Moloc_1 they can just hotspot from their phone and discord cant ban the hotspot IP because it is used by thousands of different ppl bc its mobile data
If this has happened to you, reset your password ASAP! They get your discord token and they can login to your account. When you reset your password the token will reset as well and the hackers can’t login anymore. Discord has said this themselves. I hope this helps y’all.
It just happened to me, it sent the server link to everyone in private messages, but I deleted every link again by hand and changed password.
@@Snoop_D0gg me too bro it was so embarrassing
hi bro what happen when you scan the qr using google lens?
thank you 😭
Help what do I do this has happened to me and I cant get into my discord I dont get the 6 digits pls help im begging been like 3 hours now
i love that there’s minecraft music in the background
Lmao
man talks about serious scam where people can get person info and sensitive info, (casually puts minecraft music in the background)
@@rezmoon yez
Minecraft easily has the best music
i started thinking of that and then like literally not kidding, not, exaggerated 1.3 seconds later i looked down and saw this comment
They already "scan" images for being inappropriate, so I wonder how hard it would be to add a QR reader to that and if it's a 2FA link then uh oh, block that shit.
Honestly, this would be a nice feature they could add. They've proven it's possible with AutoMod, so why not add some code that scans messages sent and see if the QR Code results in a discord login token, then block it, at the minimum. No one on discord should be sending QR Codes in chats that are associated with logging into discord. On top of this, another fix would be to add a timer on how long the QR Code lasts after being generated and only allowing the same IP Address that created the QR Code to scan the QR Code, although this could be problematic for people who aren't on the same network.
@@ThatProgrammer Same network restriction would be problematic because if someone is on data and they scan the QR code, that's not gonna work.
I actually thought of something like this trying to find ways to combat phishing, alongside this I'd say a good solution is detecting where the new log-in location is from and having you verify with your phone that it's you, if it detects a QR code and scans it, then the message receiver gets a new log-in attempt from let's say Russia, but they're from the US, the log-in attempt is paused until you accept the log-in request through your phone with 2FA
Discord already has your location and scans every message for malicious content, so I don't see why they wouldn't do this to help fight an ever-growing problem in their platform, it would take just 2 more minutes since you already have your phone in hand
This is certainly a pretty dangerous scam since scanning QR codes is pretty trivial for phone cameras now, and I'd imagine in some cases a phone's camera app might just automatically open links as soon as they detect one. There will always be other scams but in this case if Discord could just auto-scan a QR code and check if it's a 2FA code, then the scam would pretty much be dead, since if Discord's QR-checker system can't detect the code, neither would a real user's phone camera.
It seems like Discord already has a confirmation screen for the QR code. It says are you trying to log in.
Props to you for bringing awareness to this scam, I almost fell victim to this!
Good that it was just almost, and not completely.
how bro
i fell for it but dont have any personal details on there so i changed my password
My friend fell for it
@@yeetmeme2421 idk man, it usually should be pretty easy to avoid these things
Even if discord stops this scam people will eventually come up with new scam ideas
Which is why I agree that there should be a penalty for malicious behavior
you think they just don't do anything about it? lmaoaoaoa
@@lazyfrog1718 I think the man means suing. People stealing information on discord that have no life’s should be sued. Pretty scary for those scumbags so it’ll work better than just a warning and a ban lmao
@@AmaanPlayZ how are they going to obtain the legal info to sue?
@@lazyfrog1718 stealing money (Using their money to buy nitro, etc.), stealing up addresses, etc.
@@barneyassman no, how will discord get enough information on the person to sue them?
I fell victim to this scam, but I got my account back before they changed the email to it or anything so I would lose it completely. Thank God my nitro was paid for by an empty prepaid visa card. Only thing bad that happened that I was sad about is that people I friended but didn't have a mutual server with could have fallen victim to the scam and I would have never known.
There should be no way to change your email because discord sends you a confirmation email to your email address to confirm that it's you wanting to change the email.
Same. As soon as I realized what happened I almost immediately changed my password. Luckily I didn’t have any credit card or personal info there besides my email and phone number.
@@Thefootqueen just had this problem too a few hours ago. I deleted the bot in settings, I think the problem is resolved, just all my friends received the link lol.
I fell victim to this scam too, I've only changed my password and added 2FA authentication, am I still fucked or is there anything else I have to do?
@@ludaalt3147 well i think u don't have to do more things. Nothing change, no more problem for me so i suppose the bot only sent one time and not spamming
An update on the repo: The owner took it down, since they didn't want to cause any harm with it. Their words taken from the announcement channel:
I recently learned that my project 'Fake-Verification-Bot' was used by many people in a malicious way to scam other people and I'm sorry for that.
It is important to know that my work was never created to be used in this way but mainly to show people what it was possible to do just by using the API made available by discord.
Since a YouTuber (with about 80k subscribers) recently made a video about this to warn people, I'm afraid that on the contrary, it will make this project much more known and therefore more used in a malicious way which would be a disaster.
So I'm thinking about deleting this directory to avoid more damage or make it private.
they are a freelance dev. they probably got commissioned to do this
At least he had the decency to take the repository down.
Lmao already cloned it. For personal use 😇
@@matthew78917 give me it uwu
@@Ribs351 anti open source losers everything you have downloaded that is proprietary is probably spyware by definition
3:53 As a bot programmer, I am not completely sold on the fact that the creator made this with malicious purposes. I enjoy making 'fake viruses' or 'fake virus bots' with any intention of harm, just to experiment with what I can do. I think the creator of the program might've thought the same, and really didn't mean to do any harm, or use the program himself.
Edit: he actually confirmed this and deleted the repo, mentioned this video in his apology
why would they post the virus online though
@@franny6221 I post every single project online, even if they can be used maliciously, to build up a resume for potential future jobs. I do find it pretty suspicious that all of his projects have something to do with token logging, so he might use these projects himself. I don't know for sure...
Well the difference here is that you make "fake viruses" while this is actively used to scam people. This was NOT made for educational purposes, it was made to steal discord accounts maliciously, that "educational purposes" tag is so that github won't remove the repo. Look with your eyes, man.
@@bbernyy64 can't u make a private resume though? I'm genuinely asking because i have no idea about this, isn't there a better way to build a portfolio without endangering people's bank accounts?
@@franny6221 You can set it to private, but other companies / employers won't be able to see your work, which might decrease your chance at getting a job. If i noticed one of my projects was used in such a harmful way i would A. Private the repo or B. Create a backdoor and inform discord about these scams, and not leave it online. This guy might still very well be a scammer, but there is a small room for doubt.
Online scamming should be against the law and it should result in active punishment irl. Scammers are just too confident that they won't get any consequences from their actions.
You're right because there are zero consequences and Discord's team is dogshit.
it does, but as you said, they get away with it
Help what do I do this has happened to me and I can't get into my discord I don't get the 6 digits pls help im begging
thats hard to enforce because the US isnt the only country on earth
As hi already pointed out, the issue with that is that international law is tricky, so passing a law in america to deal with scammers won't do much to help with all of the people scamming out of third world countries that don't tend to bother with those types of laws, and it's also a bit too small of a thing to even bother trying to get put into international law, even if that was regularly enforced.
Honestly the best solution Discord could do, even though I really don't want the images to be scanned (although its probably already happening...), is for Discord's Image API to find QR codes within images and cross verify them with their authentication system to prevent it. The QR code login feature is fantastic but since its been introduced its been used for so many scams.
Although it may take a year(s) for them to actually implement it but thanks for bringing attention to it!
They can better Make the qr code refresh every few seconds and add a small extra code under it to make it dubbed verify. So they can’t steal anymore
Bots could have a legitimate use for QR codes, BUT! Discord should detect Discord's login QR codes, not ban every QR code.
they can read the Qr code and see if it redirects to a discord auth url, and then block the image.
it's really simple to solve...
They do already scan images for explicit content, of which you can block in your settings
@@JasonHorkles true but the filter is horrible and has false positives all the damn time
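The check proposed in the comments above (flag Discord's login QR codes rather than every QR code), sketched as an added example that is not part of any comment and is not Discord's code. It assumes the login QR encodes a URL of the form `https://discord.com/ra/<fingerprint>`, which the thread does not state; the host list, function names and sample payloads are hypothetical, and turning the image into text is left to a separate QR decoder.

```python
"""Classify decoded QR payloads so that only login QR codes are blocked.

Assumptions (not from the thread): the login QR encodes
https://discord.com/ra/<fingerprint>; the domains and names below are
illustrative. Input is the text a QR decoder already extracted from an image.
"""
from urllib.parse import urlsplit

LOGIN_HOSTS = ("discord.com", "discordapp.com")  # assumed first-party domains
LOGIN_PATH_PREFIX = "/ra/"                       # assumed login-QR path


def _is_first_party(host: str) -> bool:
    # Exact match or a true subdomain; "notdiscord.com" and
    # "discord.com.evil.example" must not pass.
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in LOGIN_HOSTS)


def classify_qr_payload(payload: str) -> str:
    """Return 'discord_login', 'other_url' or 'not_url' for one payload."""
    try:
        parts = urlsplit(payload.strip())
        host = parts.hostname  # ignores any user@ prefix in the authority
    except ValueError:
        return "not_url"
    if parts.scheme not in ("http", "https") or not host:
        return "not_url"
    if not _is_first_party(host):
        return "other_url"
    token = parts.path[len(LOGIN_PATH_PREFIX):].strip("/")
    if parts.path.startswith(LOGIN_PATH_PREFIX) and token:
        return "discord_login"
    return "other_url"


def moderate_message(decoded_qr_payloads):
    """Block a message if any QR code in its images is a login QR code."""
    verdicts = [classify_qr_payload(p) for p in decoded_qr_payloads]
    action = "block" if "discord_login" in verdicts else "allow"
    return {"action": action, "verdicts": verdicts}


# Constructed sample payloads (not captured from any real server).
SAMPLES = [
    "https://discord.com/ra/CONSTRUCTED-fingerprint_123",  # login QR
    "HTTPS://DISCORD.COM./ra/abc",                          # case / trailing dot
    "https://discord.com/invite/example",                   # ordinary invite
    "https://discord.com.evil.example/ra/abc",              # lookalike host
    "https://discord.com@evil.example/ra/abc",              # userinfo trick
    "WIFI:S:home;T:WPA;;",                                  # non-URL QR content
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_qr_payload(sample):14} {sample}")
    print(moderate_message(SAMPLES[2:]))
```

Legitimate QR codes such as bot-issued authenticator setup codes or invite links fall through as `other_url` or `not_url`, which is the distinction the commenters ask for.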
Two things:
2FA doesn't prevent token logging whatsoever (some people think this)
You can't just scan a QR code and get immediately token logged. A token logger runs on your computer, and if it was possible to scan a QR and a program run on your computer without any intervention from you, I'm very sure that the hackers could do way more. What normally happens is either the QR code is a login from phone, and even then, Discord has a warning to not scan QR codes you don't trust, or it redirects to a fake Discord login screen, and that is easy to catch out with the URL being different.
Too many people think that if you click a link/scan a QR you get instantly hacked, which is completely untrue.
Edit: Token logging works, regardless of if you have 2FA on your account.
you are wrong
the qr code is discords official login qr code and doesnt bring you to a fake login screen, it literally makes a new session and gives its token to the instance that generated the qr code, so yes they are simply token logging you by scanning the qr code.
im a little lost on this, what do people scan the QR code? just any qr scanner or the discord QR scanner that is supposed to make it easier to sign in?
This is an official discord login qr code. The scammer will just get automatically logged into your discord Account
If you scan a QR Code from discord. On your screen once you scan the QR Code you will get asked if this is you logging in. If the scammer clicks yes, they are logged in. I have tried logging in with a QR Code and I have 2FA It didn't ask me about a 2FA code. Unless they changed it, it doesn't ask for a 2FA code via a QR Code
Your token is what represents you account on everything. Each message you send, you're sending a request to Discord's servers, and together with that, your token, which is what tells discord who you are. If they have your token, your username, password, email, 2FA, etc. doesn't matter.
Discord needs to retire the QR code feature. I think it's causing more damage than it is helpful.
True. And I don’t even use QR Code at all whatsoever
Not really someone like me is just lazy and use it, it's a useful feature but unfortunately it got abused
i use it so i hope they dont
@@hi-kt3qr i use it
@@hi-kt3qr i use it because i keep forgetting my main account's password in pc but my phone is logged in so yea
This morning a friend sent an invite to a server with the message: check what happened in #general, i cant believe it!. So i joined the server because i was curious but i saw i needed to verify. Luckily i was on discord mobile so i couldnt scan the QR code with my phone because i already was on my phone and i was too lazy to open discord on my laptop. First time that being lazy actually helped for me
my content is beter
@@ruinsfnbr776 cope
@@ruinsfnbr776 the only thing you posted is a fortnite XP glitch. Stop trying to advertise your channel
@@ruinsfnbr776 bro you cant even spell better right
And this is why I don't hate the fact that I'm the laziest girl out there.
I love how the QR code on the thumbnail brings you to this video. You missed a perfect chance for a rickroll
Couldn't discord just have a bot scan every image to see if it contains a login QR code? They already scan for pornographic content which im guessing is a lot more resource intensive than just checking a QR code.
@Sir Avian For example, the REAL Wick uses google authenticator WITH A QR CODE.
thats spyware you would feel safe having everything you send scanned?
@@hi-kt3qr They already scan everything, including messages. Its used for advertising. Spyware is software that specifically spies on you after infecting a device you own, not data being collected from users by a company hosting the service.
If you really want total privacy when using discord you're out of luck im afraid.
So yeah, they should do it with QR codes.
@Sir Avian I mean you already need to contact discord and give them your photo ID if you want to do certain things with a bot, im sure it would be no big deal having to do it to post blacklisted QR codes.
And yes it would be super easy, I could make a script that would do something similar in 30 minutes. Having it be able to check a ton of QR codes at once is another story but they already check for NSFW images which is some black magic fuckery lmao.
They should've invested in this instead of the whole porn filtering. The filter barely works at all. I am sending totally wholesome pictures, and it's flagged as porn because the skin color or what not. It's completely dumb. I have to cut the image in half, and hope that it goes thru (50% of the times it does)
Imagine if this dude is behind the scam the entire time and he’s making these videos to cover it up lmao. This prolly isn’t right but imagine
Could be because. He knows
I had one of my fav youtubers on my DM's months ago cuz like I wanna say "I'm your biggest fan!" like that,
and however weeks later she messaged me the same message "Idk if it's you or..".
I'm glad people are spreading awareness of this new scam method :)
Something similar happened to one of mine but it was a "Free Nitro" Scam on their server (It was like 4am when that happened so I was sleeping)
The best way to slow them down is to rate limit their bot which I think it's possible by spam clicking the button with multiple people and that will make their server rate limit their access to Discord's API unless they have good proxies they would get rate limited for too many requests and it restricts the IP for at least some hours at hard limit
-committed from Taiwan
Unless if they counteract it to not run the script again for the same person, which can be done with a line or two of code I believe
yeah you go first 💀💀
@@zagorxy8090 I have tried it before the issue is they will ban you after too many presses so this requires multiple people spam clicking that button at the same time
Good idea!
No, thats not how it works. If you spam the button then you get rate limited not the bot.
Had no idea about this, stumbled upon this and accidentally avoided the scam. Joined the server thought it was legit (obviously I know now it wasn't). Good thing is, I don't have a secondary device to scan a QR on, and my phone is so broken when it comes to scanning QR codes it wouldn't have even worked. Nice to know that me not having advanced technology for anything helped me for once. Great video as well, very informative
Same
his voice is so chill
I'm so glad nothing happened to me when I fell for this, guess I was just really fast in changing my password and removing my billing info
They got your billing info if you got token logged before removing it
My account was removed 2 days later :(
@@karlito1501 if I change the password and email very quickly after scanning the code, will that prevent them from accessing my account?
@@zifor5395 they use a script so probably not
I got that message few days ago, and I joined their server. I clicked the verify button and it gave me the QR code which was to scan it to get access to the server, and within 5 minutes i notice something off, some people's nickname was changed to "this server is scam you must leave", and I felt a bit nervous. I left the server and reported it to the discord!
I got the message and cried because I lost contact with my best friend, they fell victim to it and deleted their amino account
@@RimFaxxe So sorry for that
Same it just happened to me 😭 now I have to find who else my acc sent the message to so I can tell them it’s a scam
Discord should have a sort of test to help you better understand. I remember an update came to adopt me while I was monitoring my little sister on it, and it was a whole thing you had to go through to understand what kinds of scams there are and prove you know how to avoid them. Nothing annoying or too long, just something you have to go through in order to make an account. Personally, I'm very good at not falling for scams, but some people are not.
A server owner everybody trusted was warning people about a scam, and pinged *everyone* with the link to the scam. Some people didn't see the part telling them not to click it, and multiple people lost their accounts, it took us a while to get some back but we didn't recover them all.
Help what do I do this has happened to me and I can't get into my discord I don't get the 6 digits pls help im begging
@@nicksartandgaming1151 Dunno what you mean
3:20 This was made exactly for what it is being used to, this disclaimer is here just so github doesn't ban the repo
Yeah, I have seen youtubers literally upload videos on how to use these bots and all of them have "educational purposes"
@ChannelForGamers search for server delete or ban all bots or somethin, it has been a long time since I saw one
Don't talk about things you don't understand. Non malicious by default virus/exploit concepts help educate people and developers (including discord) on a particular issue.
so umm, why make it public then
@@something4922 I'm a developer so I know exactly what I'm talking about. You are perfect r/iamverysmart material
Just got one today, scared me, saw a qr code, instantly knew something was off. Thank fuck I didn't scan it. Instantly searched up discord qr code scam and you came up! Thank you :)
the fact the qr code in the thumbnail isn't a rickroll is a missed opportunity
and it isnt in the video. This made me sad
the qr code in the video*
after seeing this, i'm developing my own bot which sends you to a rickroll. thanks for the idea!
@@devuxious you genius
@@devuxious ultimate scam bot
"Good" hackers usually publish stuff like this to put some pressure on companies to actually fix the issue, this QR code scam has been known for years and yet here we are.
Wouldn’t say at all that the dev is using it, I’ve developed malicious stuff only meant to be tested on yourself such as a token grabber, the problem lies when you decide to deploy it, it being open source has nothing to do with the people who fork the projects intentions.
Yeah, its just unfounded garbage, its like saying everyone who worked on Metasploit did it for bad reasons
@@somedude-vp9ti that can be used to pentest it actually serves a good purpose, this on the other hand only serves one bad purpose. i can’t see how it can be used in a not bad way
@@undefinedchannel9916 so code that shows a severely broken security model discord (a company that seems to not even care seeing all of the security exploits over the years) has only can serve a bad purpose?
It also makes no sense why he would publicly post it
@@somedude-vp9ti doesnt make much sense. publishing a specifically harmful tool makes you liable to what others do with it, so it is fine to say the dev is acting in bad faith. if he wanted to showcase Discord's broken QR code system then he couldve just made a video about it, or run an experiment with it that would tell users they could have just been hacked, etc.
@@avant4035 "publishing a specifically harmful tool makes you liable to what others do with it", no?
I have been scammed with the discord fake games thing a long time ago not the qr codes but the name of the repo dev sounded familiar and the fact that they were in france made it even more familiar. Turns out when I got scammed I (tried to) decompile the python exe file and through searching found a github repo. I continued talking with the guy who had sent me the Token grabber and got my way to find their phone number, rough location and their discord. I added them in friends and wasted their time for maybe an hour or two. I got them banned from discord but heh they just made new accounts but im happy I pissed them off. And in their bios they had a fake nitro website that I reported and it went down pretty quickly.
Anyway great video and I definitely didn't expect to hear about the same idiots again
a good way to tell if its a scam if you have better discord installed you can get show hidden channels to see if there are any that are locked chances are they dont exist
You definitely earned a sub, you taught and showed me things of the most important which no other youtuber would ever do
This one almost got me, Though I reported the server and within an hour they banned the server which was great! I warned my friends about the scam and they didn't know about the server so hey, at least they won't fall for it!
6:50 they should add it so, when you press the button, you will get redirected to a part of the login where there is the warning, and you will have to check the box where it has next to it "I understand and accept", and then after 5 seconds, you should be able to log in. Discord definitely should warn people with a proper message like i just described.
"If you use this, you are a piece of garbage"
a little later, he literally shows the whole process
I recently got a weird message from a friend inviting me to a server, upon doing so, I was asked to verify with a QR code, got a weird feeling, googled it, and found this video, I checked the logs of that said friend on mutual servers and saw that multiple people fell for it and got their account stolen, sad to see, glad you made this video, saved me from losing a loaded account
Discord should fix this problem
y
e
s
how can they fix it there is nothing they can do
no shit
@RIARO so do you want them to not allow people to use custom bots..
@@unit5960 literally just remove the qr code to login lmao ez solve
Glad I found this! My friend recently got hacked by one of these and I sent this to her because of the concerning information about this scam-
No Text To Speech: “Why would anyone share a scam bot program if they’re not scamming people?” Also No Text To Speech: “Today I’m going to show you how to speed run making a scam server.”
This QR code login thing is ridiculous from a cybersecurity standpoint. There's a reason why you don't see other big websites do it ; it's extremely easy to social engineer people into scanning a QR code as they're often seen as just pieces of data that can be read without consequences (and that's fundamentally what they are, except when companies use them for confusing purposes). This login feature is extremely dangerous, you don't reinvent the wheel like that when you're just a VC-funded company that invests more into looks and ease-of-use than actual security.
Definitely, scammers need to face serious legal consequences. This has become pretty ridiculous and almost only has upsides for the scammer since he/she will quite easily find some victims and further spread the scam. Besides an account ban, hardware and IP blacklisting, Discord needs to file police reports against scammers in their home countries according to their IPs etc.
Help what do I do this has happened to me and I can't get into my discord I don't get the 6 digits pls help im begging
@@nicksartandgaming1151 Try to contact the support then if all else fails
The home countries have no jurisdiction to enforce United States law, it will always be US law because Discord is located in the united states of america
You're a good person @No Text To Speech for making people aware on this situation , its still happening months later as it almost just happened to me !
0:45 "This QR code doesn't work so no need to blur" SMILEY FACE :)
I was hoping to scan it and get Rick Rolled. 😒
i love how this guy explains us how to limitlessly scam people and also showing us how to avoid getting scammed
I’ve fallen for this before and it made me look extremely dumb. In addition, I bought nitro as a gift a long time ago and discord autosaved the info to the billing section which is just stupid. Safety measures have been taken and I’m completely safe now, but god that was unnecessary and discord really needs to scan for malicious qr codes, remove tokens being able to bypass 2fa or if it’s possible, remove tokens as a whole, or remove QR codes as a whole. I wish I could’ve seen this video earlier.
I changed my password in my discord and email, am i safe now?
my roblox got unlogged which is scary help me
I almost fell for this. I joined the server, but I realized how fishy it was when it started asking me to send a QR Code. I didn't scan it.
Me too
So does that mean even if I joined the server but as long as you didn't scan anything , nothing will happen? Bcs for me I joined , but I left the server immediately , didn't scan the QR code at all, didn't even know there was one
i scanned it bruh help me
Mass reporting or mass media of this scam can help. Now media platforms are getting in trouble just for people posting the same shit over and over.
I had a gut feeling that this was a scam when I had a friend send it to me. I almost clicked it, but decided to wait a little bit. Then, a second friend got hacked, and I received the same exact message with very slight changes, and then I was 100% certain. Both got their accounts back, so that's a good thing.
No Text To Speech + C418 damn, Anyway Thanks for the information
Do you have the server link?
@@ruinsfnbr776 which server
C418 is always good.
I've never trusted those DMs I get from my friends. If something sounds wrong, it probably is. It never hurts to ask and probe your friend for more information if you're unsure! It's better to be safe than sorry.
Update on AstraaDev 10-7-2022:
Currently it seems like he took his github repo offline or private.
My opinion:
I agree with the idea that the makers of these tools should be looked at critically however, I do question if he really was malicious. He could have easily sold it without the repository being public. Making a repository public is a stupid move for a highly malicious user. The fact that he took it private now, but made it public to begin with makes me question his intentions. Maybe he wasn't malicious after all, or maybe he only did so because he got caught?
One thing i've recently noticed is that these servers are then moving away from verification and impersonating "official" servers for stuff like games to try to scam people.
I mod a server and someone reported a scammer and when we asked them for a link to the "server" they moderate, they actually linked to a somewhat reasonable impersonation of the server that was likely rebranded after using this method (had like 20k members, level 3, vanity url, but was still obviously fake as all the channels were empty and you couldnt verify).
Before they stole actual servers and sold them now they bot servers and sell 'em
Nobody would even think of making a scam bot or a hack, then release it to the public and not use it to scam or hack
well my friend have you ever heard of the job description 'security researcher'
and it's not like the 'good' people don't create tools like these, I mean what is the best way to learn how to stop a hacker than to become a hacker
after browsing through so many channels. Yours is by far the best. The explaining method is so great and detailed even complex stuff is
Idea 1: fully remove qr codes
Idea 2: have discord automatically block images with discord qr codes (because literally no one uses this to send to friends anyway)
QR codes I don’t believe are used ever to send to friends on Discord, it’s another way to login to your account. Or I’m misunderstanding you.
Recently, there was an announcement in the owner's Discord server stating that he never created it for malicious reasons, but for showing how vulnerable Discord's API is, he mentioned your previous video on this scam.
"Since a YouTuber (with about 80k subscribers) recently made a video about this to warn people, I'm afraid that on the contrary, it will make this project much more known and therefore more used in a malicious way which would be a disaster."
1 hour later he made the repository private.
Good job for making a video on the scam.
While it was public, I used it for testing reasons using my alt account, upon scanning the code it almost instantly sends the information to the logs channel and starts direct messaging the victims friends. The ad I designed for the test got a lot of attention, out of about 50 friends, about 25-30 joined the test server, which had no scam, just a channel to talk in, but obviously they later left. Since verification is really common in Discord servers, I understand how the scammers logged this many victims. The project has gone private, not been deleted, meaning the owner can still share it amongst anyone of his choice and continue to update it.
I personally don't scam myself, but rather use these tools for testing purposes on either myself or a friend (obviously with their permission). After using these tools grabbing tools for a while, I have seen how easy it is to setup, how to reverse engineer them, and also how well maintained they are, the most popular one known as "Hazard v2" gets updated every few days, the most well maintained one that is public, top of the repository list when you search "Discord Token Grabber".
oh i thought github took it down
I can't believe I actually fell for one of these 💀
Same💀💀💀 I just finished unblocking people and messaging them about the fact I got hacked 😭
ya same i was dumb
@@Sad_Crys Same, unreal I fell for it. It was tricky though.
I changed my password, am i safe now?
@@MrGameSheep are you safe? Or did something happen in 1 month?
I just hope in another universe cheaters and scammer get punished so hard that they will never even think of doing anything bad online, EVER :)
Here is some information me and a group of people have found:
It's hosted mainly in Bangladesh and Romania.
It grabs your discord token, but your discord token gets reset when you change your password, discord has said it themselves.
A lot of misinformation is being spread about this to make people scared.
There is about a five-minute delay the bot takes between you scanning the code and you getting hacked.
It doesn't change your password nor unadd your friends as my friends account is completely fine except it sent it to everyone on their friend's list.
Hope this helps.
some of them do unadd your friends (blocks them). also you didn't watch the video seemingly; it doesn't matter if your token changes as they already have all your user data and possibly personal information. and there is no delay between scanning and you getting 'hacked', unless the bot maker added that in themselves.
I fell victim to this scam, what can i do?
@@ludaalt3147 change your password and check your blocked list, also look at the audit logs of any servers you have perms in
This happened to me a week ago, however it's incredibly easy to get everything back to normal, just don't log out of your account. With the qr code they can't get your password, and if you change your password on discord, it will log out every device your account is on. Then just go to settings and see all of your blocked users, then unblock them, it's that easy.
insanely scummy. probably think they're so smart for scamming people when they just ripped it from github.
@Sir Avian i wanted to comment that! 🤬
I code my own shit, to get pedophiles lmfao.
I just was going to scan qr code but I remembered that servers don't usually ask for human verification with qr code soo I search about this and got ur video
Thx❤️
In conclusion : don't trust any weird shit about people 'exposing you'.
unfortunately some communities are actually toxic like this and such messages are not out of the ordinary.
Thank you! I'm crying right now. A friend I don't know enough sent me this msg and I was so scared that something happened.
Lol like how he was like speedrunning it as a joke but also just showed everyone how to do it
Seems like the heart of the issue is the lack of innovation and having such a basic sad sack of a method for keeping track of people's accounts such as a token system
People who are using Discord should tell Discord/report this scam Discord server or the virus
@LeGeNDxXxJaaT discord can take down servers
I just subscribed because all you are saying is true. I love that you are talking about this. You are the only YouTuber who does that. Thanks.
This has been going around again, one of my friends was hacked. There was no long winded message about leaked pictures, it was just "Yo join this discord real quick". I have scan all messages enabled on my account, so the scary part is it doesn't look like it's being picked up by discord.
Same
Thank you so much for this !!! It just happened to me and was very skeptical. Need to have more risk for Scamming
Honestly, it was a pretty dumb idea in the first place to allow QR code login. First time I saw it as a login option I thought to myself: "Yeah, that's gonna end well."
True, discord should probably just remove it
@@bbernyy64 no, it's literally the easiest way to login; simply removing it is the worst solution to any problem
@@hi-kt3qr
1. Grab ur phone
2. Open discord
3. Scan QR code
VS,
1. Press login (most browsers have password autofill)
2. Press ok 2 times
@@bbernyy64 its more like
1. grab your phone
2. open discord
3. scan qr code
4. click yes when discord asks if you want to login on that device
5. fall victim to their scam
Wow this video is amazing. Discord seriously needs to watch this entire video and fix it
I think the same.
⚠️ *1:* Discord should add some big warning while scanning or some big warning once you log in (only once) that tells you to watch out for scams and tells you some security tips
🔒 *2:* The most important way to stop scammers is just to do something that scammers will be afraid of. Like suing. Scammers will be afraid of jail. So they wouldn't do it because you cannot just create a new life when you go to jail. So some huge action should be in place.
📜 *3:* People, share like me this video with discord staff under the "Suggestion" category in a ticket so Discord will take some ideas, etc. from this video. It will help and NTTS deserves it.
📌 *4:* Pin this comment, please.
There are 2 warnings while scanning a login QR code. In red text there is written "Only scan QR code directly taken from your browser. Never use a QR code sent to you by another user" and the blue button says "Yes, log me in".
5: Fail the last one
Discord needs to remove log in with QR code at this point. It isn't worth the convenience for logging in now
That github repository is the reason dangerous code should be protected from the public. There will always be a nefarious figure that will turn a good intentioned vulnerability point out into a fully fledged attack.
and that's how they end up patched
so true, I've had a minecraft mod I made turned into malware by someone who claimed he didn't code it himself and doesn't even know how to code
it should be shared publicly so people can choose to educate themselves on what is happening with these QR code scams or info security in general. It would be worse if it was not available, then only those who find or buy these methods public or not would use them. The same ones who use these techniques to their best gain.
not another proprietary software supporter
@@hi-kt3qr this has nothing to do with proprietary software, he's only saying that *dangerous* code should not be public, he doesn't say anything about code in *general*
If I'm being honest, the whole "you sent a girl nudes so join this server or I'm blocking you" is so over the top and laughably hard to believe. Especially if it's sent so many times with literally no change. You know, if I were them, I'd make it a hell of a lot more subtle, like "hey join this server rn"
You'd expect dms like that. But hey, I'm not them and I don't plan on ever being them.
These are probably hacked servers, that's why they have a lot of members
You're actually the goat, this helped so much, thank you.
anyone else fell for it? :(
bro it literally says not to scan qr codes that aren't yours 😑
No
I fell for this. And I've been paranoid since.
I got something similar, the one I got just said something like check general. Luckily I never clicked it but that’s a longer story on why.
Thanks for making people aware. I hope Discord can better protect and handle this in the future. It makes sense why it keeps happening especially if they get income from it but sadly I do not see Discord suing, it’s happening to users not them. Only way they might is if people start saying they won’t use Discord due to the risk/issue.
happened to get scammed and it sent links to my whole friends list, im truly terrified if anything of my personal info gets leaked. please dont trust these i have created a new account never scan suspicious links.
But do u think any personal info can get leaked just by your dc acc?
It happened to me as well and now i have the same feeling
Fell victim to this scam a second ago! Just secured my account and fixed all the crap with it... Even after 5 months of this video being posted Discord hasn't done A SINGLE THING to stop the scammers in their tracks.
Hope you'll make more videos talking about discord scams, they are great !
Thanks for the video. Got a DM from a guy I played Tarkov with in another server with a server link to join. Wanted me to scan a QR code to verify; the red alert in my head went off. Quickly searched on YouTube and looks like I was right.
I fell for this 2 days ago.....sent invites to everyone and some servers.
It stopped sending after I changed my password and I explained to my friends about falling for the QR Code scam.
Most servers already knew that I fell for it so it made it easier to explain that I resolved the issue by changing my password as it changes the token.
That was a really good video man, good explication
This happened to me 2 weeks ago. This honestly scared me because I don't remember doing anything that's remotely wrong. But thank God my QR scanner failed on me after learning the truth about it
The same github page was taken down... but you can still access it with wayback machine ._. what a great way to inform others this exists
subscribed, just found you and you're really underrated, you deserve at least 500k subs with this content
Instead of suing or anything, they should fix the damn token hacks. It's been a thing for years and both seems to be done
Ikr! One idea that they could use is making the tokens so that they are e2e encrypted. That way, only your computer, and discord's servers would know your token, making it impossible to get token logged. I really hope discord does something like this, because currently, account stealing is way too easy!
i remember the first time i got this i almost scanned the qr code, i entered the server and pressed a verify button, but immediately left it after i got warned on some stuff, luckily, that was some months ago and nothing happened to my account, i really got scared when i heard i was "exposed", plus it was fishy
thanks for the video! really appreciate what you did, and completely agree with those opinions.
Thanks for this video, with all of your statements, I agree with them all and it’ll definitely discourage people to scam other people on Discord. I decided to like the video and Subscribe to your channel. I appreciate your hard work, and I hope the future ahead of us, will be better and less worrisome with less or no scams at all which is what I hope for. 😁
6 months later and I just fell for this scam. Great to see discord is on top of things
0:02 yeah, I was one of the first people to recognize and report this scam, thank god I didn't click join because there was just something hella sketchy about it.
yooo he used my thumbnail idea, let's go bois
It's quite impressive that they got a simple QR code to token log people, I would love to see technical deep dives on these
it's not really. the discord developers gave everyone exactly what they needed to start qr phishing, with the qr code login feature. this scam has been around for years and nothing has been done, it's only getting attention now because of a particularly successful version of it.
Love your videos
A few days ago I fell for that scam, and yesterday, the hacker tried to join crypto scamming servers to bot people and send them a scam message. I instantly changed my password and two-factor authentication back-up codes so that mother trucker can't get in.
Stay safe people, these guys aren't fooling around, but so are we!