Discord friend request scams have become one of the most effective social engineering attacks targeting gamers in 2026. Unlike phishing emails that are easy to ignore, these scams open with a friendly private message, spend up to 24 hours building genuine-feeling rapport, and only then deliver their payload — a malicious download link or financial pressure designed to steal from you.
One variant in particular has been spreading rapidly: a scam that uses Infinity Kingdom, a legitimate mobile MMO, as its vehicle. A stranger messages you on Discord, claims to have added you by mistake, then befriends you over the course of a day before suggesting you play the game together. The link they send isn't from the App Store. It installs malware.
This guide explains exactly how the Infinity Kingdom Discord scam operates, what the warning signs look like at each stage, and the specific steps to take if you've already downloaded something.
What Is the Infinity Kingdom Discord Friend Request Scam?
Infinity Kingdom is a legitimate mobile MMO developed by YOOZOO Games. Scammers have nothing to do with the game's developers — they simply use it as a vehicle. The game itself is real; the person inviting you to play it is not who they claim to be.
The scam has two main payoffs for the people running it:
- Malware installation — getting you to download a modified version of the app that contains a Remote Access Tool (RAT), giving them access to your device
- Financial pressure — getting you inside the game and socially engineering you into spending money through in-game purchases or fake external payment sites
Both can happen together.
Who Gets Targeted — and How Scammers Find You
Scammers don't pick targets at random. They browse member lists of large gaming servers on Discord — popular communities for titles like Valorant, Genshin Impact, Dark Souls, or Minecraft — looking for accounts that show signs of being active players. Profile pictures, custom status messages, visible game activity, and recent server participation all make an account look like a better target.
Anyone with a public Discord profile attached to multiple gaming servers is visible to this kind of sweep. Younger accounts with less server history are targeted more frequently, but experienced gamers are caught out too — the scam is designed specifically to bypass the instinct that would otherwise make you suspicious.
Beyond Discord itself, scammers also cross-reference usernames against leaked databases from past data breaches. If your Discord email has been exposed in a breach, it can be used to build a more convincing and personalised approach.
How the Discord Friend Request Scam Works Step by Step

What makes this scam unusually effective is patience. This is not a "click this link" hit-and-run. It's a deliberate 24-hour relationship-building operation.
Step 1 — The accidental add
The scammer sends a DM along the lines of: "Hey, are you [Name] from the [Game] team? Sorry, I think I added the wrong person." When you say you don't know them, they don't leave. They use it as an opening: "Oh well, since we're both gamers maybe we can chat anyway?"
Step 2 — Building the fake friendship
They then spend hours — sometimes a full day — talking to you. What are you cooking? What games do you like? They share photos of food or daily life. They have a consistent backstory: usually 23–28 years old, based in Hong Kong, Singapore, or Malaysia, often presenting as a young woman using an anime avatar or AI-generated photo.
Common account names documented in this scam: Sylvia, Janice, Sharon_xl, Philyy.45. New aliases appear regularly.
Step 3 — The invitation
Once enough rapport has been built, they suggest playing Infinity Kingdom together. Their alliance needs one more member. It'll only take five minutes to set up. They'll wait.
Step 4 — The dangerous link
Here's where it gets serious. Instead of pointing you to the Google Play Store or Apple App Store, they send you a direct download link — usually framed as a regional version, a special build, or a faster download. This link leads to a modified APK that looks and plays exactly like the real game, because it connects to the real servers. The difference is that it also contains a Remote Access Tool running silently in the background.
Step 5 — The financial pressure
Once you're in the game, the social pressure ramps up. Your new "friend" tells you the alliance needs you to buy a bundle to help in an upcoming battle. It starts small — under a pound or dollar — but quickly escalates into tens or hundreds. Sometimes they direct you to an external payment site, claiming the in-game store is having issues. That site is built to steal your card details.
Other Discord Scams That Use the Same Playbook
The Infinity Kingdom variant is one of several Discord scams that use the fake friend request as their opening move. The approach is the same — unsolicited DM, accidental add story, rapport building — but the payoff differs depending on the campaign:
Fake giveaway scams use celebrity names to add credibility. The MrBeast Discord scam is one of the most widespread examples: a message claims you've been selected for a prize, with a link that leads to a credential-harvesting page or malware download.
Crypto romance scams (sometimes called "pig butchering") follow a longer timeline — weeks rather than hours — before directing the target toward a fake investment platform designed to steal deposits.
Phishing via compromised accounts uses hijacked accounts from your existing friends list to send malicious links, which bypasses your natural scepticism because the message appears to come from someone you trust. A newer variant of this approach disguises the phishing link itself as a platform interface element — the Discord "See More" scam being the most widely circulated example.
In all cases, the pattern is the same: unsolicited contact, relationship building, then a link or request. Recognising the structure is more useful than memorising the specific game or celebrity name being used, since those change regularly.
The Red Flags at a Glance

If you receive an unsolicited DM on Discord, check for these:
The accidental contact opener. Real people who message the wrong person apologise and leave. Scammers use it as a conversation starter.
New account, no mutual friends. Most scam accounts were created recently and share no servers or friends with you beyond the one where they found you.
Consistent demographic profile. The 23–28 / Hong Kong or Singapore / female persona is a documented script. It's not a coincidence.
Avoidance of voice or video chat. They'll always have an excuse — bad microphone, noisy environment, shy. This is how they maintain a fake persona.
Rigid conversation steering. Ask them about a specific game mechanic or niche gaming topic. If they pivot back to Infinity Kingdom without really engaging, they're working from a script.
A download link that isn't the official app store. This is non-negotiable. If someone wants you to download an app from a link they personally sent rather than the App Store or Play Store, stop.
How to Report a Discord Gaming Scam
Reporting takes two minutes and genuinely helps — Discord acts on reports by removing accounts and bots running these campaigns.
Report the message in Discord: Right-click the scam message, select Report Message, then choose Scam or Fraud. If the account is still visible, you can also right-click their username and report the user directly.
Report to Discord's Trust & Safety team: For more serious cases — particularly if you believe a scam is operating at scale from a specific server — you can submit a report at discord.com/safety.
Warn the gaming community: Post about the specific account names and approach in the relevant gaming subreddits (r/InfinityKingdom, r/discordapp) or community Discord servers. Scammer accounts are cycled regularly, but warnings help others recognise the pattern before they're targeted.
Report to Action Fraud (UK): If you lost money or had your device compromised, file a report at actionfraud.police.uk. For US-based users, the equivalent is the FTC at reportfraud.ftc.gov.
What Happens If You Install the Malicious App

A Remote Access Tool running on your phone is genuinely serious. Once installed, it can:
- Read saved passwords stored on your device
- Access your photo gallery
- Intercept SMS messages — including two-factor authentication codes, meaning it can bypass 2FA on your other accounts
- Give the scammer direct control over your device in some versions
The app looks and functions identically to the real game. You'd have no obvious sign anything was wrong.
What to Do If You've Been Targeted by This Discord Scam
If you chatted but haven't downloaded anything:
Block and report the account in Discord. Right-click the message, select Report Message, and choose Scams or Fraud. Then go to User Settings → Privacy & Safety and turn off "Allow direct messages from server members" on servers you don't fully trust.
If you downloaded the app from their link:
Assume your device is compromised. The most reliable fix is a factory reset — this removes user-level malware including most RATs. Do not restore from a backup taken after you installed the app, as the malware may be in the backup.
- iPhone: Settings → General → Transfer or Reset iPhone → Erase All Content and Settings
- Android/Samsung: Settings → General Management → Reset → Factory Data Reset
After resetting, from a clean device, change your passwords — starting with email, banking, and Discord.
If you made payments through an external site:
Call your bank immediately to report the charges as fraudulent and request a new card. Gather any receipts or screenshots you have for the fraud report.
How to Reduce Your Exposure to Discord Scams
Beyond recognising scams in the moment, a few habits make you a harder target in the first place.
Lock down your DMs. Go to User Settings → Privacy & Safety and set "Allow direct messages from server members" to off for servers you don't fully trust. This alone removes the majority of cold-approach scam attempts.
Keep your real email address off gaming platforms. Your Discord account email, game forum registrations, and community sign-ups are all surfaces where your address can end up in databases that scammers eventually access — through breaches, data broker sales, or platform leaks. If your real email is tied to those accounts, it becomes part of the profile scammers use to target you more convincingly.
Using a disposable email address for gaming-related sign-ups means any breach or sale of that data is a dead end. VanishInbox generates a working inbox in seconds with no account required — use it for Discord server registrations, game newsletters, and any platform you're not completely certain about. Your real email stays off the lists. For how those data pipelines actually work, see what happens when a website sells your email address.
Enable 2FA on Discord. Go to User Settings → My Account → Enable Two-Factor Auth. Even if a scammer obtains your password through a breach, they can't log in without the second factor.
Be suspicious of any unsolicited DM that eventually involves a download. It doesn't matter how long the conversation ran or how genuine the person seemed. If someone you met in a Discord DM asks you to install something, the answer is no. For a broader look at recognising these approaches across platforms, see how to spot a phishing email and how to protect your personal information online.
A Simple Rule That Stops This Scam
If someone contacts you on Discord out of nowhere and, within 24 hours, suggests you download something — it's a scam.
It doesn't matter how friendly the conversation was. It doesn't matter how real they seemed. The friendliness is the technique, not the relationship. The entire preceding conversation was designed to get you to that download.
The rule: never download anything from a link sent by someone you met in a Discord DM, regardless of how much rapport has been built. If the game is real, it's on the official app stores. Anyone pushing a different download source is pushing malware.
Frequently Asked Questions
Can Discord scammers steal your password?
Yes, in several ways. The most direct is a phishing page — a fake Discord login site that captures your credentials when you enter them. Malware delivered through malicious APK downloads (like the one in this scam) can also extract saved passwords from your device, intercept SMS-based 2FA codes, and in some cases give the attacker direct access to your device via a Remote Access Tool. Enabling 2FA on Discord significantly limits the damage even if your password is compromised.
Is it safe to accept Discord DMs from strangers?
Receiving a DM itself is harmless — the risk comes from what you do with it. The safest approach is to have Discord set to restrict DMs from non-friends by default (User Settings → Privacy & Safety), so unsolicited messages from server members don't reach you. If you do receive a DM from someone you don't know, never click links or download anything they send, regardless of context or how long the conversation has run.
Is Infinity Kingdom itself a scam?
No. It's a legitimate game developed by YOOZOO Singapore. The scam uses the game's name and interface as cover — the developers have nothing to do with it. You can find the real game on the Google Play Store and Apple App Store.
Why does the scammer spend so long building rapport instead of just sending a link?
Because a sudden link from a stranger gets ignored. A link from someone you've spent a day chatting with, who feels like a genuine new friend, gets clicked. The 24-hour patience is the technique — it specifically bypasses the instinct that would otherwise make you suspicious.
Can I report the specific usernames like Sharon_xl or Philyy.45?
Yes — report them through Discord's in-app tool (right-click the message → Report Message). You can also post to r/InfinityKingdom on Reddit or relevant gaming communities to warn other players. Scammers cycle through usernames, so the goal is to get the account itself removed.
I installed the app but I'm not sure it was the malicious version. How do I tell?
You generally can't tell by looking at it — the malicious version functions like the real game. If you installed it from a link rather than the official app store, treat it as compromised and perform a factory reset. It's not worth the risk of leaving a potential RAT on your device.
Can a factory reset really fix this?
Yes, for the type of malware used in this scam. RATs installed via user-downloaded APKs operate at the user level and are wiped by a factory reset. The important caveat: don't restore from a backup created after you installed the suspicious app.
I feel embarrassed that I fell for this. Is that normal?
Very much so — and it's worth understanding why. This scam is designed by people who understand social psychology. The slow rapport-building specifically exploits the fact that humans are wired to reciprocate friendliness and feel obligation to people who've invested time in them. Being tricked by this doesn't reflect on your intelligence — it reflects on how deliberately the scam was constructed. Report it, fix it, and move on.
For a broader look at how phishing and social engineering work across platforms, see how to spot a phishing email. If you want to understand how your contact details end up in the databases scammers draw from, what happens when a website sells your email address explains the full picture.