Scammers have a long history of exploiting celebrities to harvest credentials and spread malware, and the latest prominent personality to be exploited in this way is YouTuber MrBeast.
In this latest campaign, cyber criminals are taking over and exploiting trusted Discord accounts, spreading what appears to be details of MrBeast’s new ‘cryptocurrency casino,’ complete with what appears to be photos of the YouTuber’s X account.
“I am pleased to announce the launch of my own cryptocurrency casino! To celebrate this big event, I am giving away $4,600 to everyone who registers, and you can withdraw the bonus immediately,” the alleged X announcement says, alongside details of where and how to sign up to receive the bonus.
Other screenshots appear to show the casino sign-up page, and what appears to be a successful transfer of funds from the casino to a personal crypto wallet. The actual Discord message itself simply says “Bro,” aside from the screenshots.
“Because these messages come from the accounts of friends or people they’ve known for years, potential victims are far more likely to trust them,” BitDefender said in a July 4 blog post.
“In many cases, the original account owner doesn't realise their profile has been compromised until contacts begin reporting suspicious messages.”
The scammers focus on figures such as MrBeast for several reasons. For one thing, they are popular with a certain demographic, in this case, children and teenagers. In addition, MrBeast is known for their self-promotion and outrageous competitions and giveaways.
In a recent visit to Australia, for instance, the YouTuber hosted a giveaway of ten cars to an audience of thousands of young fans.
As to the scale of the campaign, Discord bot-tracking platform RaidProtect recently reported that tens of thousands of accounts had been compromised in 2026 alone.
“The number of hacked accounts identified has doubled in a month, and the volume of deleted images now exceeds 2.3 million. The unique image catalog is growing too (+72%): this mainly signals that new visual clusters are appearing,” RaidProtect said in a June 1 blog post.
“A visual cluster is one same scam image plus all its micro-variants (re-crops, filters, retouches); when the unique count climbs this much, new visuals are being launched, not just spin-offs of the old ones.”
As to the aim of this current scam, it’s likely to compromise crypto-wallets; however, BitDefender said that is one of several possible goals.
“Finally, when someone falls victim, they simply repeat the cycle as they are asked to download software, connect a cryptocurrency wallet, scan a QR code, authorise a malicious Discord OAuth application or enter credentials on a phishing website,” BitDefender said.
“Once compromised, their accounts begin sending the same messages, allowing the campaign to expand quickly.”
BitDefender has the following advice for anyone whose account has been compromised as part of this scam campaign:
- Change your password immediately using a clean, malware-free device to prevent attackers from maintaining access to your account.
- Secure your email account, as attackers who control your email may be able to regain access even after your password is changed.
- Enable multi-factor authentication to strengthen account security, while recognising that some attacks can still bypass MFA through stolen session tokens.
- Review your authorised Discord applications and remove any that you do not recognise or no longer use.
- Scan your device for malware and notify your contacts not to click any suspicious links sent from your account while it was compromised.
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.