Hackers Exploit Discord Invite Flaw to Deliver Malware via Hijacked Links
A new cyberattack campaign is weaponizing expired and deleted Discord invite links to redirect unsuspecting users to malicious servers that distribute remote access trojans (RATs) and info-stealing malware. Security firm Check Point reports that over 1,300 users across the US, UK, France, the Netherlands, and Germany have already been affected.
Discord’s Vanity Link Loophole Exposed
At the center of the attack is a flaw in Discord’s invitation system—specifically, how the platform handles custom (vanity) invite codes for Level 3 servers. When these servers lose their boost status, their custom invite codes become available again, allowing other users to reclaim and reuse them for malicious purposes.
Incredibly, the same flaw applies to expired temporary invites and deleted permanent links, which hackers can now “revive” and use for new servers, exploiting users’ trust in familiar links.
“Surprisingly, the mechanism for creating custom invite links lets you reuse expired temporary codes and, in some cases, deleted permanent ones,” said Check Point.
Additionally, Discord’s case-insensitive handling of vanity links allows attackers to register duplicate invite codes using lowercase variations of uppercase invites—even if the original is still valid.
Hijacking a temporary invite code (top) and reusing it in a vanity link (bottom)
Source: Check Point