The lure: a DM from a friend whose account is already gone
The message arrives from someone in your friends list. Real username, real avatar, real mutual servers. The wording rotates:
"yo, check out this free Nitro gift, I got an extra one from a giveaway: [link]"
"hey I have an extra Steam game key from a bundle, want it? [link]"
The friend is real. The friend is not the one typing. Their account was taken over earlier in the chain, and the attacker is using their friends list to harvest the next batch. The Discord Nitro free scam works because the message looks like normal gamer behaviour - friends trade game keys, gift Nitro on birthdays, pass around codes. The attacker hides inside a weekly pattern.
The 4 trap variants in active rotation
1. The fake Discord login on a lookalike domain
The link lands on a pixel-clone of discord.com/login. The domain is one character off: dscord.com, disc0rd.com, discord-gift.com, discordnitro.gift, discord.com.claim-gift.app (real domain is what comes before the first single slash, here claim-gift.app). For the Steam-key variant: steamcornmunity.com (rn looks like an m), steam-giftcard.com.
You enter email and password. The fake page submits to the attacker, who logs into the real Discord in the background. If 2FA is on, a follow-up prompt relays the 6-digit code too. Within 5 to 15 seconds the attacker is in, changes the email and password, logs out your sessions, and starts blasting the same DM to your friends.
2. The QR-login hijack
This variant bypasses 2FA entirely. The fake page shows a QR code framed as "scan to claim your gift." The QR is the real Discord QR login challenge, mirrored from discord.com in real time. When you scan with your Discord mobile app thinking you are claiming a gift, you authorize the attacker's browser into your account. No password captured, no 2FA asked. Mobile shows a small "Log in to Discord" confirmation, but most users tap through expecting the next "verification" step.
3. The token-theft browser extension
The page shows "to receive your Nitro gift, install our verifier extension." The extension requests permission to read data on discord.com, which lets it lift the auth token from localStorage. Discord tokens are bearer credentials - the attacker logs in from anywhere, no password or 2FA needed.
4. The crypto variant on NFT and Web3 servers
On Discord servers for NFT projects, the lure mutates. The attacker compromises one moderator or uses server-raid kits documented by ScamSniffer and ZachXBT to mass-DM members from a forged "Moderator" colour. The message is "claim your surprise airdrop" with a link.
The link goes to a wallet-drainer page disguised as the project's mint portal. Connect Wallet, sign one transaction labelled "verify holder," and the signature is a Permit2 batch approval or setApprovalForAll on your NFTs. Inferno, Angel, and Pink Drainer (until Pink's shutdown in early 2026) ran this playbook continuously. Chainalysis attributed hundreds of millions in NFT theft to Discord-server takeovers in 2023-2024. ScamSniffer flags new raids near-weekly.
Why Discord users are gold-tier targets
A single Discord account is worth more to attackers than most users realize.
Game inventories. Steam libraries, CS2 skins, Dota 2 cosmetics, Rust skins, and Rocket League items have real secondary-market value, and the Discord-to-Steam link is one click in Connections.
Paid Nitro and boosts. A long-time Nitro account represents recurring revenue and boost slots that can be re-sold or used to make a scam server look established.
Crypto wallet links. Linked Roles ties wallets to Discord identity for token-gated servers. NFT holders frequently have Phantom or MetaMask connected through Collab.Land. A stolen Discord account is a roadmap to the target's wallets.
Cross-platform reach. Discord users typically link Twitter, GitHub, Reddit, Steam, and YouTube. One takeover often exposes password-reset paths for other accounts.
Project access. A single moderator compromise lets attackers mass-DM thousands of members from a trusted role - exactly how the largest 2024 NFT drainer raids started, per the Chainalysis 2024 Crypto Crime Report.
The 7 red flags you can verify in 60 seconds
- Unsolicited DM with a link. Real friends gift Nitro through Discord's official flow, which appears as a native message card. A raw URL in a DM offering Nitro or Steam keys is a scam regardless of who sent it.
- "Free Nitro," "free Steam game key," or "free skins." Discord and Valve do not run third-party giveaway portals. The official gift flow delivers inside the app the moment you click Accept - no login, no claim portal.
- Lookalike domain. Read the URL letter by letter. The real domain is what comes immediately before the first single slash after https://. Real Discord lives only on discord.com and discord.gg. Real Steam lives only on steamcommunity.com and store.steampowered.com.
- Login form after a DM click. The standard claim-a-gift flow never requires a fresh password entry. A page asking for it is almost always a credential-capture clone.
- QR code with no reason to scan. Discord QR login exists for signing into Discord on a new browser using your already-logged-in phone. A QR on any page that is not discord.com/login in a fresh tab YOU opened is the attacker mirroring the real QR challenge.
- Request to install a browser extension. No Discord feature requires one. Any page asking is harvesting your Discord token from localStorage.
- Urgency window. "Claim within 24 hours." "Only 10 gifts left." Discord gifts have no public-pool urgency. The countdown exists to stop you thinking.
The verification flow before you click
- Ping the friend through a different channel. Text or call. Ask "did you just DM me a Nitro gift?" If no, their Discord is compromised - tell them and report to Trust & Safety.
- Hover the link without clicking. Read the destination URL letter by letter. If the domain is not exactly discord.com, discord.gg, steamcommunity.com, or store.steampowered.com, it is fake.
- Real Discord gifts appear as message cards. An actual Nitro gift shows as a pink-bordered embed with Accept Gift inside the app. A bare URL with no card is not a real gift.
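The "read the domain letter by letter" check from the red-flag list and the hover step above, written as a browser-side function. This is an added example, not code from the article or from SafeBrowz; the allowlist is the article's own, while the brand tokens, the homoglyph table and the edit-distance threshold are this example's assumptions.

```javascript
// Hosts the article names as the only real Discord and Steam domains.
const TRUSTED_HOSTS = ["discord.com", "discord.gg", "steamcommunity.com", "store.steampowered.com"];
// Assumed brand tokens: any untrusted host containing one is flagged.
const BRAND_TOKENS = ["discord", "nitro", "steam"];
// Assumed visual substitutions: the article's rn->m and 0->o plus two common ones.
const HOMOGLYPHS = [[/rn/g, "m"], [/0/g, "o"], [/1/g, "l"], [/vv/g, "w"]];

// Edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Classify the hovered link: "allow", "block" or "unknown", with the reason.
function checkLinkHost(rawUrl) {
  let url;
  try { url = new URL(rawUrl.trim()); } catch { return { verdict: "block", host: null, reason: "unparseable URL" }; }
  // URL parsing isolates what sits before the first single slash; trailing dot and case are irrelevant.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (url.protocol !== "https:") return { verdict: "block", host, reason: "not https" };
  if (TRUSTED_HOSTS.includes(host)) return { verdict: "allow", host, reason: "exact trusted host" };
  // discord.com.claim-gift.app: the trusted name is only a subdomain of an unrelated registrable domain.
  const sub = TRUSTED_HOSTS.find((t) => host.startsWith(t + "."));
  if (sub) return { verdict: "block", host, reason: `"${sub}" is a subdomain of untrusted ${host}` };
  // steamcornmunity.com, disc0rd.com, dscord.com: fold homoglyphs, then allow a near miss of at most 2 edits.
  const folded = HOMOGLYPHS.reduce((h, [re, rep]) => h.replace(re, rep), host);
  const near = TRUSTED_HOSTS.find((t) => levenshtein(folded, t) <= 2);
  if (near) return { verdict: "block", host, reason: `lookalike of ${near}` };
  // discord-gift.com, discordnitro.gift, steam-giftcard.com: a brand name inside an untrusted host.
  const brand = BRAND_TOKENS.find((b) => folded.includes(b));
  if (brand) return { verdict: "block", host, reason: `brand "${brand}" in untrusted host` };
  return { verdict: "unknown", host, reason: "not trusted, not an obvious lookalike" };
}
```

A verdict of "unknown" means only that the host is not on the allowlist and matched no lookalike rule; for a gift link received by DM the article's advice still applies, since no real gift arrives as a bare URL.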
Recovery if you already entered your password
Most attackers change the email and password within 30 to 60 seconds.
- Within 60 seconds, change your password on a device still logged in (your phone). User Settings, My Account, Change Password. Discord forces all other sessions out on password change.
- Revoke all sessions. User Settings, Devices, log out every device except the one you are using.
- Enable 2FA via authenticator app, not SMS. Aegis, 2FAS, Google Authenticator, or Authy. SMS 2FA falls to SIM-swap. Save backup codes offline.
- Review Connections and Authorized Apps. Remove anything you do not recognize, especially new linked wallets or generic-sounding bots like "Discord Verifier" or "Server Booster Tool."
- Report the original DM via right-click, Report Message. Trust & Safety uses these reports to take down impersonators and lookalike domains.
- Warn your friends in shared servers to ignore any "free Nitro" or "Steam key" DMs from you in the last hour.
If crypto was drained from the NFT-server variant
Permit2 and setApprovalForAll signatures can execute minutes or days later. The window to revoke is the window the attacker has not yet used.
- Within 5 minutes. Open revoke.cash and revoke every token and NFT approval on every chain you use.
- Within 15 minutes. Generate a new wallet on a clean device. Move native tokens first (ETH, SOL, MATIC) - they are not subject to approval drainers. Move ERC-20s and NFTs last.
- Within 2 hours. File at FBI IC3 (ic3.gov) and Chainabuse.com. Include transaction hashes, the Discord server name, the impersonator's ID, and the recipient wallet. ZachXBT and ScamSniffer use Chainabuse as a primary feed.
- Within 24 hours. Notify affected platforms: Steam Support, OpenSea or Magic Eden, the crypto exchange if the attacker withdrew through one.
- Treat the wallet as burned. If you only signed approvals, a fresh wallet after revocation is enough. If you typed a seed phrase, every chain derived is compromised - rotate to a new seed on a hardware device.
Prevention that actually works
2FA via authenticator app, not SMS. SMS 2FA falls to SIM-swap.
Never click DM gift links. Real Nitro gifts arrive as native in-app embeds.
Scan QR codes ONLY from your own Discord settings panel. Any QR from any other path is hostile.
Use a hardware wallet for any wallet linked to Discord roles. Hardware wallets show the exact spender address on screen, letting you catch drainer signatures before approving.
How browser-layer defense catches the lure URL
The DM happens inside Discord. The fake login or drainer page is the first surface a browser scanner can see. SafeBrowz is a free Chrome, Firefox, and Edge extension that recognizes Discord and Steam lookalike domains, wallet-drainer pages, and seed-phrase forms by URL pattern and page content - before the login form or Connect Wallet button renders. 539+ brands, 100+ languages, full-screen warning. Free forever.
Frequently asked questions
Does Discord ever give out free Nitro through external sites?
No. Real Nitro gifts arrive through the in-app gift flow as a native message card with an Accept Gift button. Discord runs occasional promotional drops with partners (Epic, Xbox, PlayStation), but those redemptions happen inside the partner's logged-in account, not on a third-party claim portal. Any external page asking you to sign into Discord to claim a Nitro gift is fake.
The DM came from a real friend. How is their account compromised?
They clicked an earlier link in the chain. The Discord Nitro free scam spreads like a worm - each successful hijack gives the attacker the victim's friends list. By the time the DM reaches you, your friend has already lost control. The attacker operates the account with the real avatar and username, but it is not your friend typing. Verify through a different channel before clicking.
I scanned the QR code. What did I just authorize?
You authorized the attacker's browser to log into your Discord account, without needing your password or 2FA code. The attacker mirrored the real QR challenge from discord.com so your mobile app saw it as legitimate. Immediately go to User Settings, Devices, log out every session except your phone. Then change your password and rotate 2FA.
I installed a browser extension to "claim Nitro." Is my account gone?
Probably already exfiltrated. Discord auth tokens live in localStorage on discord.com, and any extension with permission to read that origin can lift the token in milliseconds. Remove the extension, change your Discord password (which invalidates active tokens), enable 2FA via authenticator app, revoke all sessions in User Settings Devices, and review Connections and Authorized Apps.
I connected my wallet to a "free token mint" from a Discord mod DM. What now?
Open revoke.cash within five minutes and revoke every token and NFT approval on every chain. Move remaining funds and NFTs to a fresh wallet. File transaction hashes at FBI IC3 (ic3.gov) and Chainabuse.com. If you only signed approvals, the wallet is salvageable after revocation. If you typed a seed phrase, every chain derived from that seed is compromised - rotate to a new seed on a hardware device.
Does Discord ban accounts that send these DMs?
Yes. Discord's Trust & Safety transparency reports list spam, fraud, and compromised-account activity as the largest moderation categories by action volume. Right-click the message, Report Message - that feeds Discord's anti-spam systems. Lookalike domains also get filed for registrar takedown. The faster a lookalike gets reported, the shorter its lifespan.
Related reading
- Telegram admin DM crypto scam: the "support" message that drains your wallet - same DM playbook, different platform
- WhatsApp 6-digit code takeover scam - the account-takeover pattern that spreads through trusted contacts
- Hyperliquid eligibility airdrop scam - how the fake checker drains your wallet
- Pink Drainer shutdown 2026 and what replaced it - the drainer ecosystem behind Discord raids
Bottom line: The Discord Nitro free scam works because a DM from a real friend bypasses every instinctive defense. The attacker is the one typing. Real Nitro gifts arrive as in-app embeds, never external links. Turn on authenticator-app 2FA, never scan a QR code that arrived through a DM, never install a "verifier" extension, and treat every unsolicited gift link as hostile until confirmed through a separate channel.