Malware is being distributed on Discord and other platforms by hackers who ask you to “try their game” by downloading an unsafe executable off the internet. This malware steals your Discord account, hacks your browser, steals payment information, and more. These hackers are using any file hosting sites they can, including itch.io, to attempt to distribute their viruses.
- If you receive a DM from someone you don’t fully trust asking you to download or test their game, DO NOT DOWNLOAD
- Even if it’s someone you DO know, if their behavior is strange then their account may have gotten hacked through this scam. Do not download any executables they try to send you
- On itch.io, it is safe to view the page, but do not download any untrusted software
- Games that run in your browser are sandboxed by your browser and pose no risk of infecting your computer
- If you see a zip file that is “password protected” DO NOT DOWNLOAD. Scammers encrypt their zip files with passwords so file hosts can’t run malware scans on the contents. Report this page
- On itch.io, you can report a page from the link located on the bottom of the page.
Here’s the most common example we’ve seen:
- Unsuspecting user has the Discord app installed on their Windows computer
- They receive a DM from someone they may or may not know (it may be someone that hasn’t spoken to you in a long time, or someone from a mutual server)
- The hacker asks you to test a game they’re working on and provide an itch.io or other link to download the software
- The software is a program that reads specific files on your computer to steal your Discord API token, your Browser’s cookies, any other sensitive data.
- They may also delete these files after stealing them, so you effectively get “logged out” from everything after the malware rune
- In the example of Discord: The stolen API token gives full access to your Discord account with no restriction on where or how it can be used
- The scammer uses this token to:
- Steal your account from you (change password, email)
- Use stored payment information to spend thousands of dollars on Discord Nitro/Server boosts
- They may message from your account to your friends list/servers with the same or similar message asking others to download the file
itch.io is a self publishing platform open to all, which means anyone can publish a page on our platform at any time.[1] Although we have many automated checks to block or suspend users if suspicious activity is detected (including human review in many cases), not all scans and systems are perfect. We’re releasing this notice along with a few other changes to our platform to educate and help prevent this kind of attack.
itch.io at its core is a public file hosting service. Treat any page you encounter with suspicion if you are unable to vet the creators in any way. If you are concerned about the security of your computer and don’t trust any malware scanners you have on your computer then we recommend you stick to HTML5 games, as they are sandboxed by default. We also provide a Sandboxed mode in our app, but it’s difficult to guarantee security for downloaded software. Your browser is likely the safest sandbox your computer already has.
Note: We will not reveal the specifics of how we handle malware uploads or other illegal activity as it’s very likely the scammers are reading this very thread.
Thanks
[1] Publishing can represent a broad range of states on our platform, from being indexed on our search and browse pages to just having a URL that can be shared. In this case we are referring to just creating a URL you can visit directly by link. In no instances have these pages been promoted by us on any part of our site like the homepage or browse pages
