The Discord QR Code Scam

Written on July 0th, 2022 • 2 min read


It was a message from a friend of mine. It said I was creeping on a girl and that I should check a channel called #drama. It didn't match the way he writes, so I wanted to check it out.


A bot called "Wick" was in the server. It's a clone of a real security bot called Wick (notice that there is no checkmark next to "BOT", so it is not the verified bot).

Clicking verify gives you a QR code intended to be scanned in the mobile app. This is a real Discord feature: while you are already signed in on your phone, you scan a QR code shown by a desktop or browser client, and that client is logged in as you without a password or a 2FA code being entered. I use this feature all of the time because I don't always have time to wait for a text.

This is easily exploited by scammers


People will most likely think this is a legitimate OAuth screen because the prompt appears inside Discord's own app. But the feature was only intended for YOU to log in to YOUR own Discord client, not someone else's. The session goes to whichever client generated the QR code, so scanning a code from a stranger's "verify" screen logs that stranger in as you.


A picture of the QR code that you are supposed to scan to “verify” to get into the server

This method bypasses 2FA, so you're screwed either way, whether or not you have it enabled.

Update 22/7/5

There are various packages and repos that let a scammer do this with ease. One came with a convenient little script that could easily be modified to grab tokens en masse and load them.

Aleski goes into more detail over on Drivet’s blog!

Also, if you’ve been hacked, you should go check out the nice people at Fight Against Scam

You can see the main site here.