A collection of client-side JavaScript exploits with a graphical interface
Created for educational purposes, security research, and "what if" experiments.
DISCLAIMER
Most features shown here violate Discord's Terms of Service.
Using them can and very likely will get your account permanently banned.
This repository exists for learning / security research purposes only.
I do not encourage anyone to actually use these scripts on live accounts.
Current status: Early development — expect bugs, incomplete features, and frequent updates.
Version: Free Edition — A paid version with more advanced modules may be released in the future.
- Python 3.7+
- Discord Desktop/Browser client
- Vencord (Discord client mod)
# Clone the repository
git clone https://github.com/baum1810/discord_exploiting_toolkit.git
cd discord_exploiting_toolkit
# Install Python dependencies
pip install -r requirements.txt
# Start the backend server
python main.pyThe backend will start running on http://localhost:5000 (or configured port).
- Install Vencord if you haven't already
- Open Discord and enable Vencord settings
- Enable React Developer Tools in Vencord settings
- Restart Discord
- Open Discord (Desktop app or browser at
discord.com) - Press
Ctrl + Shift + I(orCmd + Option + Ion Mac) to open Developer Tools - Navigate to the Console tab
- First-time users only: Type
allow pastingand press Enter to unlock paste ability - Copy the entire contents of
loader.js - Paste into the console and press Enter
- The toolkit GUI should appear on your screen
Note: Not all modules shown in the GUI are currently functional.
The table below lists working modules and their current status.
| Module | Description | Stability | Backend Required | Risk Level |
|---|---|---|---|---|
| Token Stealer | Extracts and sends your Discord token to backend | 5/5 | Yes (/token) |
Very High |
| Message Editor | Click-to-edit any message locally (visual only) | 4/5 | Yes (/edit, /edits) |
Low |
| Audit Log Spam | Mass-creates 69-use/42-second invites in loop | 3/5 | Yes (/token) |
High |
| False Deafen | Fake-deafen (shows deafened icon but others hear you) | 2/5 | No | Medium |
| False Mute | Fake-mute (shows muted icon but you can talk) | 2/5 | No | Medium |
| Group Call Locker | Rapidly adds user to group DM to lock voice call | 2/5 | Yes (/token) |
Very High |
| Disconnect All | Cycles voice regions to cause lag/packet loss | 4/5 | Optional (/token) |
Medium |
| Name Changer | Spams 50× emoji group DM name changes every 1s | 4/5 | Yes (/token) |
High |
| Bypass Char Limit | Auto-splits messages >2000 chars into chunks | 4/5 | No | Low |
| Read All | Marks all channels as read in bulk | 4/5 | Yes (/token) |
Low |
| Message Encryption | AES-256-CBC encryption for messages | 4/5 | Yes (/encrypt, /decrypt) |
Medium |
| Disable Typing | Blocks typing indicator requests | 4/5 | No | Low |
| Client Admin | Local-only ban/kick via CSS hiding | 4/5 | No | Low |
| Clear Chat | Floods channel with blank messages | 2/5 | Yes (/token) |
High |
| Auto Update | Auto-reloads when new version detected | 5/5 | Yes (/version) |
Low |
| Temporary Messages | Auto-deletes sent messages after delay | 4/5 | Yes (/token, /temporarymessages) |
Medium |
| Bypass File Limit | Auto-compresses images >10MB | 4/5 | No | Low |
| E2E Encryption | ECDH + AES-256-GCM with steganography | 3/5 | Yes (/token) |
Medium |
| Backup Friends | Exports all relationships to JSON | 5/5 | Yes (/token) |
Low |
| Backup Invites | Exports all server invites to JSON | 3/5 | Yes (/token) |
Medium |
| Backup DMs | Exports all DM message history to JSON | 2/5 | Yes (/token) |
Very High |
| Delete All Messages | Bulk-deletes messages in scope | 3/5 | Yes (/token) |
Very High |
| Backup Servers | Exports server data to JSON | 3/5 | Yes (/token) |
Medium |
| User Notes | Add markdown notes to users | 5/5 | Yes (/notes) |
Low |
| Message Logger | Shows deleted/edited messages inline | 4/5 | Yes (/message, /messages) |
Low |
| Client Badges | Adds fake badges (Staff, Partner, Bug Hunter, etc.) to your profile panels/popouts (client-side only, others don't see them) | 4/5 | No | Low |
- Low: Minimal ban risk
- Medium: Moderate ban risk if overused
- High: High ban risk
- Very High: Almost guaranteed ban if detected
- Modules are toggleable: Click a module button again to disable it
- Backend must be running: Most modules require the Python backend
- Rate limits: Many modules are intentionally rate-limited to reduce ban risk
- Persistence: Some modules (notes, temp messages) store data in the backend
- Encryption modules: Both users must have the module enabled with matching keys
GUI doesn't appear after pasting loader.js:
- Ensure Vencord is installed and React Developer Tools are enabled
- Check browser console for error messages
- Verify backend is running (
python main.py)
"allow pasting" doesn't work:
- You may be in a restricted browser mode
- Try using Discord Desktop app instead
Modules not working:
- Check that backend server is running
- Verify console for error messages
- Some modules may be broken after Discord updates
Getting rate limited:
- Many modules intentionally rate-limit to avoid bans
- Wait between bulk operations
- Don't spam destructive actions
Pull requests and issues are welcome! Please ensure:
- Code follows existing style conventions
- New modules include stability rating and risk assessment
- Backend endpoints are documented
- Educational/research purpose is maintained
This project is for educational and security research purposes only.
By using this toolkit, you acknowledge:
- You understand Discord's Terms of Service
- You accept full responsibility for any consequences
- The author is not liable for account bans or other damages
- This is not endorsed by or affiliated with Discord Inc.
- auto-completes quests - Quest automation reference
- Vencord team for the client mod platform
- Contributors and testers
MIT License - See LICENSE file for details
Use at your own risk. You have been warned.
