Game Account Takeover Scams on Discord
How attackers use Discord DMs, fake bot invitations, and phishing links disguised as game rewards to steal gaming account credentials and in-game assets.
Last reviewed: 1 June 2026
Discord is the primary communication hub for gaming communities, which makes it the natural hunting ground for attackers targeting valuable gaming accounts. Steam, Roblox, Minecraft, Fortnite, and other game accounts can hold hundreds or thousands of dollars in digital assets, and the informal trust environment of gaming Discord servers — where sharing links and interacting with bots is routine — creates openings that attackers exploit with purpose-built phishing tools.
This guide covers the specific attack patterns that play out on Discord: the fake bot invitations, the 'free Nitro' lures, the compromised friend accounts, and the server-hijacking chain — and the account security settings that protect your gaming accounts.
How this scam works on Discord
The most common Discord-based gaming account takeover starts with a DM from a 'friend' (often a compromised account) sharing a link to claim 'free Discord Nitro,' a game item, or exclusive beta access. The link leads to a convincing fake Discord or game login page. Entering credentials gives the attacker access to the account, which is then used to message the victim's entire friends list with the same link — propagating the attack.
A second vector is fake bots invited into gaming servers. A Discord server admin — sometimes compromised themselves — adds a bot that requests extensive permissions. The bot harvests authentication tokens from members who interact with it, particularly those who complete fake 'verification' steps.
Once a gaming account is captured (Steam, Epic, EA), the attacker either sells it on grey-market platforms, trades valuable in-game items out of it, or holds it for ransom. Steam accounts with rare CS:GO skins or TF2 items can be worth significant sums. Because in-game item trades are often irreversible and performed by the account holder (under attacker control), recovery from the game publisher's side is not guaranteed.
Common red flags
- A DM offering free Discord Nitro, game currency, or exclusive items via a link — even if it appears to come from a friend
- A bot invitation in a gaming server that requests permissions to read or manage messages, roles, or members
- A 'verification' step inside Discord that asks you to enter your Steam, Roblox, or other game login credentials
- A friend who messages you with an unusual link and doesn't respond normally when you ask about it
- A login notification from Steam, Epic, or another platform showing access from an unrecognised IP or country
- A game account balance or inventory that has changed without your action
How to protect yourself
- Enable two-factor authentication on Discord, Steam, and all other gaming accounts — use an authenticator app, not SMS
- Never enter gaming credentials on any site you reached via a Discord DM link — navigate directly to the official game or platform URL
- Review bot permissions carefully before accepting a bot invitation — legitimate community bots rarely need access to all channel content
- Check recent login activity in your Steam, Epic, and game platform account settings regularly
- If a friend DMs you a suspicious link, contact them through another channel before clicking
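To act on the advice about reviewing bot permissions, the following added example (not part of the original guide and not Discord's own code) decodes the `permissions` bitfield in a bot invite link and lists the grants a moderator should question. The bit values follow Discord's public API documentation; the `HIGH_RISK` set, the accepted host, and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Subset of Discord's documented permission bit flags.
PERMISSION_BITS = {
    "KICK_MEMBERS": 1 << 1, "BAN_MEMBERS": 1 << 2, "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4, "MANAGE_GUILD": 1 << 5, "VIEW_CHANNEL": 1 << 10,
    "SEND_MESSAGES": 1 << 11, "MANAGE_MESSAGES": 1 << 13,
    "READ_MESSAGE_HISTORY": 1 << 16, "MENTION_EVERYONE": 1 << 17,
    "MANAGE_ROLES": 1 << 28, "MANAGE_WEBHOOKS": 1 << 29,
}
# Assumption: the set a moderator should question before approving a bot.
HIGH_RISK = {"ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES", "MANAGE_CHANNELS",
             "MANAGE_MESSAGES", "MANAGE_WEBHOOKS", "KICK_MEMBERS", "BAN_MEMBERS"}
OFFICIAL_HOSTS = {"discord.com"}  # assumption: only the main domain is accepted


def review_bot_invite(url):
    """Decode a bot invite link and report what it would grant."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    host_ok = (parsed.scheme == "https"
               and (parsed.hostname or "").lower() in OFFICIAL_HOSTS)
    try:
        value = int(query.get("permissions", ["0"])[0])
    except ValueError:
        value = -1  # malformed permissions parameter
    if value < 0:
        return {"host_ok": host_ok, "valid": False, "granted": [],
                "high_risk": [], "unmapped_bits": 0, "scopes": []}
    granted = sorted(n for n, bit in PERMISSION_BITS.items() if value & bit)
    known_mask = sum(PERMISSION_BITS.values())
    return {
        "host_ok": host_ok,
        "valid": True,
        "granted": granted,
        "high_risk": sorted(set(granted) & HIGH_RISK),
        "unmapped_bits": value & ~known_mask,  # bits outside this subset
        "scopes": query.get("scope", [""])[0].split(),
    }


# Constructed sample links; the client_id values are placeholders.
SAMPLES = [
    "https://discord.com/oauth2/authorize?client_id=000000000000000000&permissions=3072&scope=bot",
    "https://discord.com/oauth2/authorize?client_id=000000000000000000&permissions=8&scope=bot+applications.commands",
    "https://discord-nitro.example/oauth2/authorize?client_id=000000000000000000&permissions=268509184&scope=bot",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link.split("?")[0], review_bot_invite(link))
```

A result with `host_ok` false or a non-empty `high_risk` list is a reason to decline the invitation until the bot's purpose is confirmed; `ADMINISTRATOR` on its own implies every other permission.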
How to report it
- Report the suspicious account or message on Discord: right-click the user → Report
- Contact Steam Support at help.steampowered.com if your Steam account has been compromised
- File a report with your national fraud authority if financial loss occurred
- Report the phishing link to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish and to the Anti-Phishing Working Group at [email protected]
Frequently asked questions
Can Steam reverse trades made by an attacker who accessed my account?
Steam Support does investigate account takeover cases and can sometimes restore stolen items, though this is not guaranteed and depends on the specifics. Act quickly: change your password immediately, revoke all authorised devices, enable Steam Guard, and contact Steam Support with all available details about the compromise.
Why do attacks on gaming accounts start on Discord rather than directly on the game platform?
Discord's informal, community-oriented environment normalises link sharing and bot interactions in ways that gaming login screens do not. Attackers exploit the lower guard that players have in a chat context compared to a login page. The propagation mechanism — compromised accounts messaging their friends list — also allows the attack to spread quickly through social trust.