• Last night (02.04.26), someone hijacked a Discord invite link for one of the most popular crypto wallets in the world – Trust Wallet. Currently, the link leads to a phishing server that could be distributing malware.
• The first report of this incident came from ZachXBT, a well-known crypto researcher who exposes fraudulent schemes in the cryptocurrency space. Five hours after ZachXBT’s report, Trust Wallet confirmed the information on their official Telegram channel here and removed the link that had been posted on their website.
• If you’re wondering how attackers could hijack the link, here’s a detailed explanation:
• Discord invite links have two alternative formats:
https://discord.gg/{invite_code}
https://discord.com/invite/{invite_code}
• The fact that multiple formats exist, and that one of them uses a “memetic” domain, is a potential security concern because it can confuse users.
• Additionally, Discord invite links come in three types, which differ significantly in properties:
Temporary invite links
Permanent invite links
Personalized (vanity) invite links
• Personalized (vanity) links are only available to Discord servers with Level 3 perks. To reach this level, a server must obtain 14 “boosts” – paid upgrades that members can purchase. Typically, Level 3 servers are popular communities with active audiences, such as streamer servers, gaming clans, public projects, or major crypto wallets.
• Personalized invite links allow admins to choose a custom invite code – in this case, “TrustWallet.” These links remain permanent as long as the server retains Level 3 perks. If a server loses Level 3, the vanity link becomes available for reuse by another server with the required level. You can probably see where this is going.
• When creating a personalized invite link, a server owner can manually enter any available code, including one that matches a previously expired or deleted link.
• This mechanism is exactly what attackers exploit: they monitor legitimate links that are about to expire and then register them as personalized links on their own Level 3 servers.
• The result of this hijacking: attackers can redirect users who click on links originally posted on legitimate platforms – social media, websites, blogs, forums, etc. – to their phishing Discord servers. In this case, the hijacked link was posted on the Trust Wallet website.
• Meanwhile, the legitimate owners of these resources may not even realize that the old invite links now point to fake Discord servers distributing malware. This means they cannot warn users or remove posts containing the malicious links. Stay vigilant.
