Executive Summary

Scam Sniffer has disclosed a sophisticated and ongoing attack campaign in which malicious actors have systematically hijacked expired Discord invite links belonging to prominent cryptocurrency projects such as Kiloex and Verisense Network. This exploitation has directly led to successful phishing attacks, resulting in confirmed asset losses for users. Critically, several compromised links continue to be accessible on platforms like CoinGecko and CoinMarketCap, exacerbating the risk to the broader crypto community.

The Event in Detail

Scam Sniffer's investigation revealed that Discord invite links for multiple crypto projects, including Kiloex and Verisense Network, have been maliciously hijacked. These compromised links are currently present on major data aggregators such as CoinGecko and CoinMarketCap, as well as in historical social media posts from projects like Kiloex. The modus operandi involves attackers registering expired custom Discord invite URLs, which were previously associated with legitimate projects. Users clicking these links are redirected to malicious sites impersonating services like Collab.Land, where they are prompted to sign phishing transactions, leading to the theft of their digital assets. This tactic was previously observed in the attack model against Verisense Network.

Financial Mechanics of the Attack

The financial impact stems directly from users being tricked into signing malicious transactions. Attackers utilize fake "Collab Land" bots and phishing signatures to gain unauthorized access to users' crypto wallets. Once a user approves a malicious signature, funds are typically stolen instantaneously and are irrecoverable. Scam Sniffer reported a significant increase in phishing scams in August, with 15,230 victims losing a combined $12.17 million. This represented a 72% increase in stolen funds and a 67% rise in victims compared to July's $7.09 million in losses and 9,143 victims. High-value wallets, or "whales," were disproportionately affected, with the top three single incidents draining $3.08 million, $1.54 million, and $1.00 million, accounting for 46% of August's total monthly losses. This highlights a strategic focus by attackers on targets with substantial holdings.

Market Implications and Business Strategy

This ongoing vulnerability has several market implications. Firstly, it erodes investor confidence in the security of Web3 ecosystems, particularly when widely trusted platforms like CoinGecko and CoinMarketCap inadvertently host compromised links. The incident underscores a critical security gap in link management and highlights how seemingly minor exploits, such as expired vanity URLs, can be leveraged for significant financial gain by malicious actors. The coordinated nature of these attacks, systematically targeting and occupying expired custom Discord invite links, suggests a deliberate strategy by attackers to exploit overlooked digital infrastructure weaknesses. This incident draws parallels to the CoinMarketCap client-side attack in June 2025, where a compromised frontend led to phishing via trusted channels, demonstrating that even established platforms can become vectors for malware. The continued operation of sophisticated draining services like Inferno Drainer, despite public announcements of their shutdown, further complicates the security landscape, as these services provide the technical infrastructure for such widespread phishing campaigns.

Broader Context and Preventative Measures

This incident occurs within a broader context of evolving crypto scams, which utilize fake applications, AI-generated impersonations, and social engineering on legitimate platforms. The persistence of such attacks necessitates enhanced security practices across the Web3 space. For projects, immediate auditing and updating of all Discord invite links, especially historical ones, are critical. For users, vigilance against unsolicited prompts to connect wallets, verification of URL authenticity, and cautious engagement with "Collab Land" bots are essential. Discord has acknowledged efforts by bad actors to exploit invite links and is taking steps to address them, including removing malicious links and taking action against infringing accounts and servers. However, the underlying flaw allowing reuse of expired vanity invite codes represents a systemic challenge that requires continuous technical intervention and user education to mitigate the risks of asset theft.
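
The link audit recommended above for projects can be scripted. The following is an added example, not code from Scam Sniffer, Discord or any project named here: it extracts invite codes from published text and checks that each still resolves to the project's own server. It assumes Discord's public GET /invites/{code} endpoint; the function names, sample text, guild IDs and resolver results are constructed for illustration.

```python
import json
import re
import urllib.error
import urllib.request

# Matches discord.gg/<code> and discord.com/invite/<code> (also discordapp.com).
INVITE_RE = re.compile(
    r"\b(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)", re.I)

def extract_invite_codes(text):
    """Return unique invite codes in order of first appearance."""
    codes = []
    for code in INVITE_RE.findall(text):
        if code not in codes:
            codes.append(code)
    return codes

def resolve_invite(code):
    """Return the guild ID an invite points to, or None if Discord no longer
    knows the code (HTTP 404) or the invite carries no guild."""
    req = urllib.request.Request(
        f"https://discord.com/api/v10/invites/{code}",
        headers={"User-Agent": "invite-audit-example"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return (json.load(resp).get("guild") or {}).get("id")
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def audit_links(text, expected_guild_id, resolver=resolve_invite):
    """Classify every invite found in text against the project's own guild ID."""
    report = {}
    for code in extract_invite_codes(text):
        guild_id = resolver(code)
        if guild_id is None:
            report[code] = "EXPIRED"    # free for anyone to claim: remove the link
        elif guild_id != expected_guild_id:
            report[code] = "MISMATCH"   # resolves to a different server: treat as hijacked
        else:
            report[code] = "OK"
    return report

# Constructed sample data: page text, guild IDs and resolver results are made up.
SAMPLE_TEXT = ("Join us: https://discord.gg/exampleproj | old promo "
               "https://discord.com/invite/launch2023, mirror discord.gg/exampleproj "
               "and https://discordapp.com/invite/oldcommunity")
FAKE_INVITES = {"exampleproj": "111111111111111111", "launch2023": "999999999999999999"}

if __name__ == "__main__":
    print(audit_links(SAMPLE_TEXT, "111111111111111111", FAKE_INVITES.get))
```

Both EXPIRED and MISMATCH results call for removing or replacing the link wherever it is published, including aggregator listings and old social media posts.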