Session Cookie Theft Scams on Discord
Malware distributed through Discord channels and DMs extracts stored session tokens from the victim's browser and Discord app, giving attackers persistent account access that bypasses two-factor authentication.
Last reviewed: 1 June 2026
Session cookies and application tokens are the persistent credentials that keep you logged into websites and apps between visits. If a piece of malware can extract these tokens from your device, the attacker gains the same access as you have without needing your password or your two-factor code — and without triggering any login alerts.
Discord is a frequent delivery mechanism for this malware because the platform normalises file sharing — game mods, tools, cheats, and media files — making it easy to disguise an infostealer as legitimate content.
How this scam works on Discord
A file shared in a Discord channel or arriving via DM is presented as a game cheat, a modding tool, a software crack, or a creative asset. When executed, the file runs an infostealer payload in the background while optionally displaying a fake error message or dummy programme to avoid immediate suspicion.
The infostealer scans the system for browser cookies, Discord authentication tokens, saved passwords, and cryptocurrency wallet files. All harvested data is exfiltrated to the attacker via a Discord webhook or a remote server. The attacker then logs into the victim's Discord account using the extracted token, takes over the account, and uses it to spread the same malware to the victim's contacts and servers.
Some operations run entirely within Discord: a bot sends the initial DM with the malware file, the stolen token is received at a webhook in another Discord server, and the takeover is executed from yet another account — all within Discord's infrastructure.
Common red flags
- File shared in a Discord channel or DM from an account you do not know well, claiming to be a useful tool or cheat
- Executable file (.exe, .bat, .scr, .vbs) disguised as an image, archive, or document
- Programme that runs briefly, shows an error, and closes with no apparent effect
- Sudden unusual messages sent from your Discord account that you did not write
- Other accounts you use — browser-saved sites, crypto wallets — showing unexpected login attempts
- Friends reporting your Discord account is sending strange messages or files
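The disguised-executable red flag above can be checked mechanically before anything is opened. The following is an added example, not code from the original page: the function name, the decoy-extension list and the sample attachments are assumptions made for illustration.

```python
import os

# Extensions the page lists as executable red flags.
EXECUTABLE_EXTS = {".exe", ".bat", ".scr", ".vbs"}
# Assumed, illustrative decoy types: images, archives and documents.
DECOY_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".zip", ".rar", ".pdf", ".docx", ".txt"}


def triage_attachment(filename, head=b""):
    """Return the reasons an attachment looks like a disguised executable.

    filename: the full name, including every extension.
    head: optional first bytes of the file, read without executing it.
    An empty list means these checks found nothing, not that the file is safe.
    """
    reasons = []
    name = filename.strip().lower()
    stem, ext = os.path.splitext(name)   # only the LAST extension decides what runs
    inner_ext = os.path.splitext(stem)[1]

    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        # Windows hides known extensions by default, so "x.png.exe" shows as "x.png".
        if inner_ext in DECOY_EXTS:
            reasons.append(f"decoy extension {inner_ext} in front of {ext}")
    # Windows program files begin with the bytes "MZ" whatever the name claims.
    if head[:2] == b"MZ" and ext not in {".exe", ".scr"}:
        reasons.append("content is a Windows program but the name does not say so")
    return reasons


if __name__ == "__main__":
    # Constructed sample attachments (name, first bytes); none are real files.
    samples = [
        ("holiday.png", b"\x89PNG\r\n\x1a\n"),
        ("aimbot.exe", b"MZ\x90\x00"),
        ("skin_pack.PNG.scr", b"MZ\x90\x00"),
        ("manual.pdf", b"MZ\x90\x00"),
    ]
    for name, head in samples:
        print(name, "->", triage_attachment(name, head) or "no flags")
```

Script types such as .bat and .vbs are plain text with no fixed header, so for those only the filename check applies.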
How to protect yourself
- Never execute files downloaded from Discord, even from people you know — their accounts may already be compromised
- Enable two-factor authentication on your Discord account, though be aware it does not stop token-based takeover
- Use a reputable security suite that includes behaviour-based malware detection for infostealer activity
- Periodically log out all Discord sessions via Settings > Privacy & Safety > log out known devices
- Revoke all active Discord tokens by changing your account password — this invalidates existing tokens
- Store browser cookies conservatively: disable 'remember me' on high-value accounts or use dedicated browser profiles
How to report it
- Report the account that distributed the malware to Discord's trust and safety team at dis.gd/report
- Submit the malware file to a reputable threat-intelligence platform for analysis so others can be protected
- Report to your national cybercrime unit if financial loss or significant identity harm occurred
Frequently asked questions
Does changing my Discord password after a token theft stop the attacker?
Yes. Changing your password invalidates all existing active sessions and tokens for your Discord account. Do this as soon as you suspect compromise, then enable two-factor authentication and review all authorised applications in your account settings.