Discord · the hacked-friend DM

Your friend sent a weird link.
Is it safe?

9:47 PM. Your best friend DMs "omg is this you" with a link. Tap it right here and find out what one tap actually does.

Alex · online @alex_gaming

omg is this a vid of u?? 😳

someone just posted it in a server lol

Today at 9:47 PM

discord · is this you? discord-cdn.app/video/8271

it's Alex. you've known him since 5th grade.

🔒 from a friend · sent 12 seconds ago
wait — is it a scam? see exactly how the trap works ↓

That link hijacks your account in one tap, then messages everyone you know. The friend who sent it is already hacked. LifeQuest lets you train the reflex before 9:47 PM — you spring the real traps safely, in 5-minute scenarios, so the actual one never catches you.


Why it looks exactly like your real friend

Here's the part that messes with your head: the message really is coming from Alex's account. Not a fake account with a copied profile pic, not some random with a username one letter off. It's his actual Discord — his name, his avatar, the same DM thread you've had open for years. So your brain doesn't even flag it. Why would it? It's Alex.

What happened is somewhere up the chain, Alex clicked a link himself. Maybe a "free Nitro" offer, maybe an "is this you?" video from his friend whose account got taken first. He typed his Discord login on a page that looked exactly like the real thing, and that was it — the scammer grabbed his password and his login token, locked him out, and turned his account into a bot. Now that bot is firing the same message at every single person on his friends list. You're just one name in a list of two hundred.

That's the whole trick, and it's why it works so well on people who are usually careful. Scammers stopped trying to fake a friend. They hijack a real one and let your trust do the rest. The link doesn't come from a stranger, the wording sounds like a person you know, and it hits at 9:47 PM when you're half-asleep and not thinking like a detective. That combination is exactly why a DM from a hacked friend is one of the most common ways teens get phished — Discord even has a whole page on it at discord.com/safety.

  • 9:47 PM: peak hours for these DMs — late, alone, scrolling
  • 200+: friends the bot blasts the same link to at once
  • 1 click: on a fake login is all it takes to lose your account

The three lines hacked accounts always use

Once you've seen the script, you can't unsee it. A hijacked account almost never gets creative — it runs the same handful of lines because they work. If a message from a friend matches one of these and has a link attached, treat it as the account being hacked until you prove otherwise:

  • "omg is this you?" / "is this a vid of u??" — the panic play. It makes you scared there's an embarrassing video of you out there, so you click before you think. There is no video. The link is the trap.
  • "free Nitro" / "claiming my free Nitro, you can too" — the freebie play. Real Discord Nitro never shows up as a random link in a DM. The page just wants you to "log in to claim," which means hand over your password.
  • "vote for me / my team, takes 2 sec" — the small-favor play. It feels harmless because it's "just a vote," and you want to help a friend. The voting page is a fake Discord login.

Different words, same machine underneath: get you to click, get you to type your login on a copycat page, take your account, repeat. The FTC tracks this exact kind of social-engineering scam — you can read more or report one at ic3.gov and fbi.gov/scams-and-safety.

How to check without clicking

You don't have to click to find out if it's real. You have to do the opposite — slow down for thirty seconds and check. Three moves:

  • Read the URL, don't trust the words. Real Discord links live on discord.com or discord.gg. A link like discord-cdn.app or dlscord.com (that's a lowercase L pretending to be an i) is a knockoff domain built to look close enough that you don't look twice. If the address isn't exactly discord.com, it isn't Discord.
  • Ask on a different app. Text Alex on iMessage or SMS — "yo did you actually send me a link rn?" If his Discord is hacked, the scammer controls Discord, but they don't control his phone number. A real friend answers somewhere else. A bot can't.
  • Watch for the mass-DM tell. Did the same weird message land in your server's general chat, or did two other people just post "uh Alex got hacked don't click"? When one account sprays the identical line everywhere at once, that's not your friend having a normal night. That's a bot.

And whatever you do, never type your password or paste a 2FA code because a DM told you to. Real platforms never DM you asking for that. If a link makes you "log in to see the video," the login itself is the scam. ConnectSafely has more plain-English guidance on this at connectsafely.org.
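The "read the URL" check above, written as a small function (an added example, not code from this page or from Discord). The discord.com and discord.gg allowlist is from the page; accepting their subdomains, splitting labels on hyphens and the edit-distance threshold are assumptions of this sketch.

```javascript
// Allowlist from the page. Treating subdomains of these as official is an assumption.
const OFFICIAL = ["discord.com", "discord.gg"];
const BRAND = "discord";

// Levenshtein edit distance between two short strings.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const row = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = row;
  }
  return prev[b.length];
}

// Classify a link by its parsed hostname, never by the words shown around it.
function checkLink(raw) {
  let url;
  try {
    // Links pasted without a scheme are parsed as https.
    url = new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : "https://" + raw);
  } catch {
    return { verdict: "suspicious", host: null, reason: "not a parseable URL" };
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (OFFICIAL.some((d) => host === d || host.endsWith("." + d))) {
    return { verdict: "official", host, reason: "host is on the Discord allowlist" };
  }
  // Split every label on hyphens so "discord-cdn" yields "discord" and "cdn".
  const tokens = host.split(".").flatMap((label) => label.split("-"));
  if (tokens.includes(BRAND)) {
    return { verdict: "suspicious", host, reason: "brand name on a non-Discord domain" };
  }
  // Near-misses such as "dlscord": long enough to compare, within two edits.
  const near = tokens.find((t) => t.length >= 6 && editDistance(t, BRAND) <= 2);
  if (near) {
    return { verdict: "suspicious", host, reason: `"${near}" is a near-miss of "${BRAND}"` };
  }
  return { verdict: "not-discord", host, reason: "unrelated domain" };
}

// The page's own examples plus one constructed unrelated link.
for (const link of ["discord-cdn.app/video/8271", "https://dlscord.com/login",
                    "https://discord.com/safety", "https://example.org/"]) {
  console.log(link, "->", JSON.stringify(checkLink(link)));
}
```

An "official" verdict only says where the link points; a link that fails the check still needs the second move, asking the friend on a different app.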

What to do if you already clicked or logged in

First, breathe. If you only clicked the link and closed the page without typing anything, you're most likely fine — just don't go back, and don't enter anything if it loads again. The real damage happens when you actually log in. If you typed your Discord email and password on that page, move fast, in this order:

  1. Change your password from a different device. Go to discord.com — type the address yourself, don't use the link from the DM — and reset your password. Use your phone if you logged in on your laptop, or the other way around.
  2. Log out everywhere. In Discord, open Settings → Authorized Apps and Settings → Sessions, then log out of all sessions. That kicks the scammer's stolen login token out so the password change actually sticks.
  3. Turn on 2FA — with an authenticator app, not SMS. Text-message codes can be intercepted; an authenticator app (like Google Authenticator or Authy) can't. This is the single thing that stops your account from getting taken again.
  4. Revoke authorized apps. Still in Authorized Apps, remove anything you don't recognize. Hijackers sometimes connect a sketchy "app" so they can sneak back in even after you reset.
  5. Warn your friends on a different app. Text them — don't DM them on Discord, because if your account is compromised that message looks like more bait. Tell them straight: "my Discord got hacked, do not click any link from me."

If you're fully locked out and the reset isn't working, open a ticket with Discord support and, if money or accounts got drained, you can report the scam to the FTC at reportfraud.ftc.gov. None of this is "snitching on yourself" — it's slamming the door before the scammer does more with what they took.

For parents reading this

Two guides go deeper than this page. The complete breakdown of how these scams spread on Discord and how to lock an account down: Discord Scams — A Parent's Guide for 2026. And the step-by-step if a link already got clicked: My Teen Clicked a Phishing Link — What To Do Right Now, including the 30-minute action plan, platform-by-platform recovery, and when to escalate to the FTC or FBI IC3.
