Discord Token Grabbers

A token grabber steals the session token Discord stores to keep you logged in. With that token, an attacker is you — they get into your account without your password, and because the token, not the password, is what authenticates the session, having 2FA on doesn’t stop them; they stay in until the token is invalidated (which is what a password change does). That’s what makes token theft worse than ordinary phishing: it sidesteps the two protections people rely on.

Grabbers arrive a few ways: a malicious link (often dressed as free Nitro), a booby-trapped file or “game/mod” download, or a malicious npm/script package aimed at developers. Some are pure phishing (a fake login page); the more dangerous ones are browser- or client-side grabbers that lift the token with no credentials entered at all.

Once an account is grabbed, it becomes a spreader: it fires the same link or file to everyone the victim knows. This is the front end of account takeover — the grabber is how the account gets compromised, and the takeover is what happens next.

Red flags

What to do right now

Server side, if grabber links/files are spreading:

  1. Delete the messages, timeout the senders. Every copy is a live trap.
  2. Block the domains in AutoMod and warn your members in the affected channels: don’t click, don’t download, it steals your account.
  3. Treat a regular member suddenly posting these as compromised, not malicious — their account was likely grabbed (see account takeover).

If your account was grabbed:

  1. Change your password — this is what invalidates the stolen token. It’s the step that actually locks the attacker out.
  2. Enable 2FA, then revoke authorized apps and log out all sessions (User Settings → Authorized Apps / Devices).
  3. Scan your machine if you ran a file — the grabber may still be resident.
  4. Warn everyone the attacker messaged.

Where Gait fits — and the honest boundary

Gait does not scan links or files, and never reads message content (see our privacy approach). It cannot tell you a specific URL is a grabber — that’s a job for AutoMod link rules, link scanners, and member awareness, and you should use those.

What Gait sees is the aftermath at the account level: a grabbed account turns into a spreader, and spreading behaves like automation — sudden uniform output, inhuman send timing, the same pattern across multiple servers. Gait scores that behavioral shift, so a previously trusted account that’s been grabbed surfaces as moving toward likely_automated rather than staying a trusted member, with its Discord identity and the reasons attached. Because Gait aggregates across every server running Gait, a grabber campaign spreading through several communities is visible as one cross-server pattern. The detection complement to this page is account takeover.
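The three signals described above (uniform output, inhuman send timing, the same pattern across servers) scored against an account's own baseline, as an added illustration; this is not Gait's code, and the weights, thresholds, the `shift_detected` label and the sample messages are constructed assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample: (timestamp_s, server_id, content) for one account.
BASELINE = [  # normal member activity: varied text, minutes apart, one server at a time
    (0.0, "srv-a", "anyone up for a game tonight?"),
    (95.0, "srv-a", "gg, that last round was rough"),
    (410.0, "srv-b", "has the patch dropped yet?"),
]
SPRAY = [  # same account after a grab: one message, sub-second cadence, four servers
    (3600.0 + 0.4 * i, srv, "free nitro!! claim here: [constructed placeholder link]")
    for i, srv in enumerate(["srv-a", "srv-b", "srv-c", "srv-a", "srv-d"])
]

def window_signals(events):
    """Score each signal in [0, 1] for one account's messages in a window."""
    if len(events) < 3:
        return {"uniformity": 0.0, "timing": 0.0, "cross_server": 0.0}
    contents = [c for _, _, c in events]
    dominant, count = Counter(contents).most_common(1)[0]
    uniformity = count / len(contents)                 # 1.0 = every message identical
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    mean_gap = mean(gaps)
    cv = pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
    # Inhuman timing: gaps well under a minute *and* nearly constant; human chat scores ~0.
    timing = max(0.0, 1.0 - mean_gap / 60.0) * max(0.0, 1.0 - cv)
    servers_hit = len({s for _, s, c in events if c == dominant})
    cross_server = min(1.0, (servers_hit - 1) / 2.0)   # 1 server -> 0, 3+ servers -> 1
    return {"uniformity": uniformity, "timing": timing, "cross_server": cross_server}

def score_window(events):
    s = window_signals(events)
    return round(0.4 * s["uniformity"] + 0.3 * s["timing"] + 0.3 * s["cross_server"], 3)

def classify(baseline_events, current_events):
    """Return (label, reasons): the label moves toward likely_automated only when the
    current window scores high AND jumps well above the account's own baseline."""
    before, after = score_window(baseline_events), score_window(current_events)
    reasons = [k for k, v in window_signals(current_events).items() if v >= 0.8]
    shift = after - before
    if after >= 0.7 and shift >= 0.4:
        return "likely_automated", reasons
    if shift >= 0.2:
        return "shift_detected", reasons
    return "trusted", reasons

if __name__ == "__main__":
    print(score_window(BASELINE), score_window(SPRAY), classify(BASELINE, SPRAY))
```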
