Ratty Bot 2021 Direct
Once authorized, Ratty Bot used the OAuth2 token to exfiltrate the user’s Discord token via Discord’s internal API. With the token, the attacker could bypass passwords, 2FA, and email verification entirely. The bot then:
The bot operated on a distinct three-phase cycle, creating a signature pattern on the ticker tape known as the "Rat Tail."
Phase I: The Nesting (Liquidity Detection) Ratty Bot scanned order books for "sell walls"—large limit sell orders that artificially suppress the price of an asset. Instead of breaking the wall, the bot placed thousands of micro-buy orders fractions of a second apart, slowly filling its bags without triggering a price spike.
Phase II: The Scurry (Volatility Injection) Once a threshold position was met (usually 0.5% of the asset's circulating supply), the bot executed a "flash-crash spoof." It placed massive sell orders it had no intention of filling, creating artificial downward pressure. This panicked retail investors into selling, at which point Ratty Bot "scurried" to buy the dumped assets at a lower average price.
Phase III: The Gnaw (Skimming) The bot engaged in wash trading—simultaneously buying and selling the same asset—to generate fake volume and attract trend-following algorithms. During this chaos, it executed the "Gnaw," a method where it exploited latency differences between exchanges to sell high on Exchange A while simultaneously buying low on Exchange B.
Three factors made Ratty Bot uniquely dangerous in 2021:
A compromised or malicious user posted a link like:
https://discord.com/oauth2/authorize?client_id=ATTACKER_BOT_ID&scope=identify+guilds.join+...
The link claimed to offer a free Discord Nitro subscription, a beta Minecraft plugin, or an auto-levelling bot for a gaming server.