Got Hacked, I’m Back, A PSA
Heya folks, JL here!
Sorry if you’ve noticed I’ve been AWOL in the comments and that there are GIFs missing for the recent advanced chapters. I recently got hacked through a phishing attack using social engineering, so I’ve been busy locking down important accounts, changing passwords, and wiping my C drive to do a fresh reinstall of Windows.
Honestly, it’s a bit embarrassing to admit that this happened to me… I’d always prided myself on having never been hacked or infected with any kind of malware in the more than a decade and a half I’ve spent on the internet. …But I figured my misfortune could serve as a warning to others. So I’ll walk you guys through how I fell for the phishing attack and my thought process during the whole ordeal.
It happened in the middle of the night just as I’d gotten up to pee. I’d received a DM on Discord from a close friend asking for a favour real quick, five to ten minutes, telling me to hop on my PC. Not wanting to be a bad friend, I decided to hop on since it wouldn’t take much time.
After I hopped onto my PC, my friend told me that he and a few others were working on a video game pre-release and needed a hand testing the voice systems in the game. He linked me to a legitimate-looking website and told me to download the installer, which came in an encrypted zip file. He also provided me with a password to decrypt the zip file to access the executable file inside.
That’s when the alarm bells in my head started sounding, rightfully so. So I immediately called him and tried to get him on voice to confirm it was him. He refused to pick up the call, telling me that he couldn’t because he was already testing out the voice systems in the game. Then he pressed me to download the game already and quickly join Lobby 3. Sensing my hesitation, he also told me that we were done if I suspected him.
I’ve known this friend for close to ten years now. He’d never say anything like that to me. But I was also still groggy from just waking up. Instead of getting more suspicious, a wave of guilt washed over me for doubting my friend. Still, I pushed for confirmation that it really was him. I asked for personal details that only my friend would know.
To my surprise, he did provide them, along with a bunch of other inconsequential but private information only my friend would know. I should have been more suspicious. But at this point I only wanted to get rid of the guilt I felt, so I quickly accepted the information as confirmation that it really was him.
I unzipped the installer and ran the executable, confused as to why the installer wouldn’t let me proceed past the greyed language selection screen. I tried to troubleshoot the issue, closing and rerunning the installer multiple times. I’d also sent my friend a message about the issue. He replied with a confusing screenshot, telling me once again to join Lobby 3 and then not to join Lobby 2 because it was broken.
I was about to continue asking what was going on when I got a message from a mutual friend that my friend was hacked, that I shouldn’t trust anything his account sends or asks me to download. My heart dropped.
A few seconds later, I saw myself booted off my Discord account in real time. Then I started receiving a bunch of unknown charges in my email from PayPal, Steam, G2A, etc., slowly racking up to about $500 before I locked everything down.
TL;DR, I got tricked by a hacker posing as my friend asking for help to test a game, downloaded and ran a suspicious executable, got locked out of my accounts and hit with $500 in fraudulent charges.
So yeah, I’ve been dealing with the fallout ever since. In hindsight, it was obvious the hacker would know my friend’s personal information if his personal information was compromised. I’ve since learned that this specific phishing campaign has been around for about a year or so. Search “Infostealer Campaign Discord” to find the article on Google.
I never thought I’d ever become a victim of a phishing scam. Most are obvious with clearly phony links. Clearly, I was wrong. Under the right circumstances and with a bit of social engineering, I am very malleable to phishing attacks.
I’ll treat it as a lesson learned and take solace in the fact that it could’ve been a lot worse. Even then, this whole ordeal has screwed with me mentally. I am obsessively monitoring my bank accounts for suspicious activity and getting paranoid about the security of my devices. That’s why I’m getting this story out here in the hopes that it will prevent others from falling for the same thing too.