Discord DM Phishing: A Fake Mint Link Cost 8.5 BTC
A 'moderator' DMed about an exclusive NFT mint. The link looked like the real project site. The 'wallet connection' prompt asked for a seed phrase, and the user provided it. Within minutes, 8.5 BTC was in transit.
The Incident
The victim was an active member of a popular NFT project's Discord server. They received a direct message from an account with the same name, profile picture, and role badges as one of the project's moderators. The message announced an exclusive allowlist mint available only to active community members, with a link to claim their spot. The site looked identical to the real project's minting page. When the victim clicked 'Connect Wallet,' the page displayed a prompt asking them to 'verify wallet ownership' by entering their seed phrase. The victim entered their 24-word BIP-39 seed phrase. Within 3 minutes, 8.5 BTC was swept from their wallet.
Attack Vector: Impersonation and Cloned Sites
The attacker created a Discord account with the same display name and profile picture as a real moderator. Discord allows duplicate display names; the only difference was the underlying username, altered by a single character, which is not visible in a DM without opening the sender's profile. The linked website was a pixel-perfect clone of the real project's site, hosted on a domain that differed by one character: a homoglyph, with a capital 'I' standing in for a lowercase 'l'. The two glyphs are near-identical in the sans-serif fonts chat clients render link text in, and because hostnames are case-insensitive, the browser silently lowercased the 'I' and resolved a different domain from the one the victim believed they had read. The 'wallet connection' prompt was just a form field that sent the entered text to the attacker's server. No legitimate wallet connection ever asks for a seed phrase.
On-Chain Trail
The seed phrase gave the attacker every key derived from it: the phrase is the root of the BIP-32 key tree, and each wallet standard and each chain simply occupies a different branch of it. An automated sweeper script extracted 8.5 BTC from the primary Bitcoin address within 3 minutes of seed phrase entry. The BTC was immediately split across 12 intermediate addresses in a fan-out pattern, then consolidated into 2 addresses over the next hour, and finally sent to a Bitcoin mixer. The speed and pattern suggest the attacker used pre-built sweeper infrastructure that generates and broadcasts transactions for all known derivation paths as soon as a seed phrase is submitted. The attacker also swept smaller balances of ETH and ERC-20 tokens from Ethereum addresses derived from the same seed.
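What "every key derived from it" means in practice, as an added example that is not from the original write-up: the code below derives the account-level BIP-32 private keys for the standard Bitcoin and Ethereum paths from a BIP-39 phrase using only the Python standard library. The purpose, coin-type and account levels are all hardened steps, which need no elliptic-curve math, so the derivation fits in a few dozen lines; the per-address keys below each account follow by the same deterministic process. The phrase used is the published BIP-39 reference vector, not a real wallet, and the list of paths is an assumption about which branches a sweeper walks.

```python
# Added example (not from the original write-up): derive BIP-32 account-level
# keys from a BIP-39 mnemonic with only the standard library, to show that one
# phrase deterministically yields the keys behind every standard path on every
# chain. Nothing here touches a network or a real wallet.
import hashlib
import hmac
import unicodedata

# secp256k1 group order; private keys are integers in [1, N-1]
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000

# Account-level paths (purpose'/coin'/account') a sweeper would walk; this set
# is an assumption for the example. SLIP-44 coin types: 0 = BTC, 60 = ETH.
STANDARD_ACCOUNT_PATHS = {
    "BIP44 legacy BTC": "m/44'/0'/0'",
    "BIP49 nested-segwit BTC": "m/49'/0'/0'",
    "BIP84 native-segwit BTC": "m/84'/0'/0'",
    "BIP86 taproot BTC": "m/86'/0'/0'",
    "BIP44 ETH": "m/44'/60'/0'",
}


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    words = unicodedata.normalize("NFKD", mnemonic)
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, 64)


def master_key(seed: bytes) -> tuple[int, bytes]:
    """BIP-32 master node: HMAC-SHA512 keyed with the string 'Bitcoin seed'."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(i[:32], "big")
    if not 0 < k < SECP256K1_N:
        raise ValueError("invalid master key")  # astronomically unlikely
    return k, i[32:]  # (private key, chain code)


def derive_hardened(k_par: int, c_par: bytes, index: int) -> tuple[int, bytes]:
    """BIP-32 CKDpriv for a hardened index: needs only the parent private key,
    the parent chain code and HMAC-SHA512, no curve point arithmetic."""
    if index < HARDENED:
        raise ValueError("only hardened indexes are handled here")
    data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    k_child = (il + k_par) % SECP256K1_N
    if il >= SECP256K1_N or k_child == 0:
        raise ValueError("invalid child key")  # astronomically unlikely
    return k_child, i[32:]


def derive_path(seed: bytes, path: str) -> tuple[int, bytes]:
    """Walk a hardened-only path such as m/84'/0'/0' from the seed."""
    k, c = master_key(seed)
    for step in path.split("/")[1:]:
        if not step.endswith("'"):
            raise ValueError("this helper only walks hardened steps")
        k, c = derive_hardened(k, c, int(step[:-1]) + HARDENED)
    return k, c


def account_keys(mnemonic: str, passphrase: str = "") -> dict[str, str]:
    """Every account-level private key (hex) that a leaked phrase hands over."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    return {name: derive_path(seed, path)[0].to_bytes(32, "big").hex()
            for name, path in STANDARD_ACCOUNT_PATHS.items()}


if __name__ == "__main__":
    # BIP-39 reference test vector (all-zero entropy), not a real wallet.
    phrase = "abandon " * 11 + "about"
    for name, key in account_keys(phrase).items():
        print(f"{name:26} {key}")
```

Every value printed is reproducible by anyone holding the same words, which is the whole point: there is no second factor, no device binding and no revocation for a seed phrase, so typing it into a web form is equivalent to handing over the private keys for every account on every chain at once.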
Outcome
Total loss: 8.5 BTC (approximately $340,000 at time of theft) plus approximately $12,000 in ETH and tokens, all unrecoverable. Bitcoin mixers have faced less concerted enforcement than Tornado Cash on Ethereum, which OFAC sanctioned in 2022, and provide strong anonymity once funds enter them. Law enforcement was notified, but the probability of recovery is near zero. The real project team posted warnings about the impersonation attack and enabled stricter DM settings on their Discord server, but dozens of other community members reported receiving similar DMs.
Prevention
The fundamental rule that would have prevented this: no legitimate service, wallet, project, or protocol will EVER ask you to enter your seed phrase into a website, app, form, or message. The seed phrase is entered only into the wallet itself (on a hardware wallet, through the device's own screen and buttons) during initial setup or recovery, never anywhere else. Disable DMs from server members in Discord (User Settings > Privacy & Safety > Allow Direct Messages from Server Members: OFF); that toggle is the default for servers you join from then on, so also turn it off per server for the servers you are already in. Never click links in DMs, even from people you think you know; verify through a separate channel. Bookmark official project URLs and only access them through bookmarks. A real wallet connection is handled by your browser extension, which only asks whether to share an address with the page; if a 'wallet connection' wants anything typed into the page itself, it's a scam.
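The homoglyph domain described under the attack vector and the "bookmark official URLs" advice above, as an added example that is not from the original write-up: a link check that compares what a DM visibly shows against a bookmarked allowlist after folding lookalike characters, and separately reports the host the browser would actually resolve. The project hostnames are placeholders, not a real project's.

```python
# Added example, not part of the original write-up: check a link received in a
# DM against bookmarked official hosts, folding the lookalike characters this
# attack relied on. Domain names are placeholders, not a real project's.
import unicodedata
from urllib.parse import urlsplit

# Bookmarked official hosts (assumed placeholders for the example).
BOOKMARKED_HOSTS = {"examplenft.xyz", "mint.examplenft.xyz"}

# Characters that look alike in the sans-serif fonts chat clients use, each
# folded to one representative. The Cyrillic entries cover IDN homoglyphs.
CONFUSABLE_CHARS = str.maketrans({
    "I": "l", "1": "l", "|": "l",          # all look like a lowercase L
    "0": "o", "\u043e": "o",               # zero and Cyrillic o
    "\u0430": "a", "\u0435": "e", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
})


def visible_host(url: str) -> str:
    """Host as it is *displayed* in the link text, case preserved."""
    netloc = urlsplit(url).netloc
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0]


def resolved_host(url: str) -> str:
    """Host the browser actually resolves: lowercased and IDNA-encoded, so a
    capital I in 'exampIe' becomes 'exampie', not 'example'."""
    host = urlsplit(url).hostname or ""
    return host.encode("idna").decode("ascii")


def fold_confusables(host: str) -> str:
    """Collapse visual twins *before* lowercasing; lowercasing first would turn
    the capital I into an innocent-looking i and hide the trick."""
    host = unicodedata.normalize("NFKD", host)
    host = host.translate(CONFUSABLE_CHARS)
    host = host.replace("rn", "m").replace("vv", "w")  # two-glyph lookalikes
    return host.lower()


def check_link(url: str) -> tuple[str, str]:
    """Returns (verdict, host). Verdicts: trusted, lookalike, lookalike-idn, unknown."""
    host = resolved_host(url)
    if host in BOOKMARKED_HOSTS:
        return "trusted", host
    folded = fold_confusables(visible_host(url))
    for good in sorted(BOOKMARKED_HOSTS):
        if fold_confusables(good) == folded:
            return "lookalike", good          # impersonates this bookmarked host
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike-idn", host          # non-ASCII label; inspect by hand
    return "unknown", host


if __name__ == "__main__":
    # Constructed sample links, including the capital-I-for-l trick from the write-up.
    for link in ("https://mint.examplenft.xyz/claim",
                 "https://mint.exampIenft.xyz/claim",
                 "https://ex\u0430mplenft.xyz/claim",
                 "https://examplenft-claim.example/"):
        print(check_link(link), link)
```

The second sample is the attack from this incident: its resolved host is mint.exampienft.xyz, which the browser would show in the address bar, while the folded display text collides with the bookmark, so it is reported as a lookalike of mint.examplenft.xyz rather than as merely unknown. A link that comes back as anything other than trusted should be opened from the bookmark instead, never from the DM.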