A dangerous Discord scam impersonating YouTube creator MrBeast is hijacking accounts across Pakistan, with reports suggesting thousands of users have already been affected. While the exact number of compromised Pakistani accounts remains unconfirmed, the scale of reports circulating across local Discord communities points to a campaign far larger than isolated incidents. In one severe case, a hijacked account was used to delete an entire Discord server, wiping out all messages and media permanently, forcing the community to rebuild from scratch.
The scam typically arrives as a direct message from a friend’s already-compromised account, claiming the recipient has won thousands of dollars in free credits on a gambling or crypto platform. The messages include fabricated screenshots referencing MrBeast’s name and image, directing victims to fake crypto or casino websites that pressure them into paying bogus verification fees or VIP upgrade charges before they can supposedly claim their winnings. Victims pay and receive nothing in return.
What makes this campaign especially dangerous is that most victims never visit the scam websites at all. Info-stealer malware compromises their Discord accounts through an entirely separate route: it quietly runs on their own computers, often installed through cracked software, pirated applications, game cheats, or fake “verification” downloads.
Reddit is flooded with people complaining and sharing their experiences:
Comment
by
u/Educational_Play_217 from discussion
in
antivirus
Research from threat intelligence firm Flare found that gaming cheats and pirated software together account for 55% of all infostealer infections, meaning the malware frequently arrives disguised as something the victim deliberately sought out rather than a phishing link they clicked by mistake.
Once installed, the malware extracts saved browser passwords, autofill data, and most critically, authentication cookies, the small files that keep a user logged into a service without re-entering credentials. By stealing these cookies, attackers can resume an already-authenticated Discord session and impersonate the victim without ever needing their password. This is also why two-factor authentication offers little protection here.
Since the attacker hijacks a session that has already passed login and 2FA checks, rather than attempting a fresh login, they bypass the entire authentication process completely. DarkOwl researchers describe stolen session cookies as “the most dangerous component” of modern stealer logs for exactly this reason, noting that app tokens for platforms including Discord, Slack, and AWS are particularly high-value targets for attackers.
This single campaign sits inside a much larger global problem. According to SOCRadar’s Identity Threat Landscape Report 2026, stealer log datasets analyzed so far this year contain over 4.6 billion records affecting 809 million unique users worldwide, with the third quarter of 2025 alone producing 1.19 billion stolen records, the highest single quarter on record.
Separate industry data shows infostealers were responsible for stealing 1.8 billion credentials globally in 2025. SOCRadar’s research specifically flagged Pakistan, alongside Egypt and Vietnam, as sharing a risk profile that makes it an attractive target for threat actors exploiting infostealer malware, a finding that aligns directly with the scale of this MrBeast-themed campaign hitting Pakistani Discord users.
The operation is not the work of individual hackers but part of an industrialized cybercrime supply chain. Malware developers build and sell infostealer tools, frequently as subscription-based Malware-as-a-Service products priced as low as $100 per month, to criminal groups who then distribute the malware through cracked downloads and game mods.
Buyers, often with no technical skill required, then use automated bots to blast the fake MrBeast messages to the victim’s entire friends list, restarting the infection cycle. Once malware infects victims, attackers compile the stolen credentials and cookies into massive searchable files called stealer logs, which they sell on dark web marketplaces and Telegram channels for as little as a few dollars per victim.
Security researchers at also found that the window between an initial infostealer infection and the appearance of stolen credentials for sale on dark web markets can be as short as 48 hours, leaving victims almost no time to act before attackers monetize their access.
The campaign has also evolved well beyond Discord text messages. Research from cybersecurity firm Vanishinbox documented the same fake MrBeast giveaway spreading through YouTube ads using AI-generated deepfake video and audio of the creator, as well as short-form deepfake clips circulating on TikTok and Instagram Reels.
Researchers note the scam is more effective in 2026 than earlier versions specifically because AI-generated content now convincingly mimics MrBeast’s voice and likeness, and because it spreads through real, trusted friend accounts rather than obvious bot profiles, which automatically lowers victims’ guard.
To reduce the risk of infection, security researchers recommend avoiding saved passwords directly in web browsers in favor of a dedicated password manager, never downloading cracked software, pirated applications, or game cheats from untrusted sources, and using reputable security software capable of detecting malware and unauthorized browser activity.
If a Discord account begins sending spam messages or shows other signs of unauthorized activity, users should treat it as a confirmed compromise rather than a simple bug.
Here is what one user instructed all the Discord-hack affected on Reddit:
Comment
by
u/Educational_Play_217 from discussion
in
antivirus
