Discord, a voice over IP (VoIP) and messaging app developed to meet the need for a secure gaming chat service, was publicly released in 2015 and quickly became popular among gamers. As of July 2019, there were over 250 million unique users of the software. This accounts for only a small fraction of total Internet users (3.9 billion), but it is an active and diverse population. Besides the obvious gaming chats, Discord is corrupted by a slew of other activities, ranging from credit and loyalty cards, drugs, and hacker resources to harassment and doxxing services. Security professionals conducting Internet threat intelligence activities on TOR Dark Web sites might also consider that Discord poses dangers similar to those of a popular hidden network.
Discord is packaged as a browser, mobile, and desktop app and it looks fairly similar to other messaging services such as Slack. Chats are organized by server and channel. Anyone can create multiple servers on Discord, manage their visibility and access, and add voice or text-based channels. Once someone has created their account, they then have the option to join public and private servers. These are largely made up of private places for planning video game raids and campaigns. It is important to note that while we are going to focus on some of the worst of what Discord has to offer, the primary use and purpose of the service is innocent gaming. Like the rest of the Internet, it is not bad per se. Sadly, bad actors do tend to show up in places online that are anonymous and private, whether they are invited or not.
It’s Called Discord, So…
Discord has had a lot of problems in its short history.
Here are some highlights:
Hostile behavior on Discord: The chat service has had problems with hostility and harassment on its chat servers. Some communities have been taken over by large numbers of users from other communities, in an act called “raiding.” Chat servers devoted to chatting about video games like Minecraft might find themselves overrun with hostile conversations about race, religion, politics, and pornography. To better protect its users and its services since these events, Discord has implemented a trust and safety team that is on call around the clock to monitor the servers and respond to reports. This includes dealing with user harassment, handling servers that violate Discord’s terms of service, and protecting servers from “raiding” and spamming by malicious users or bots. While they do not directly monitor messages, the trust and safety team can determine malicious activity from service use patterns and take appropriate steps, including more detailed investigation to deal with the matter. The service plans to expand this team as it continues to gain new users.
Alt-Right Movement: Discord supports anonymity and privacy, which has made it quite popular for controversial discourse and in particular the alt-right movement. Following the violent events that occurred during the Unite the Right rally in Charlottesville, Virginia, on August 12, 2017, it was discovered that Discord was used to plan and organize the white nationalist rally. Discord responded by shutting down those servers, with executives condemning those movements, saying that those groups “are not welcome on Discord.” Since then, it has been reported that several neo-Nazi and alt-right servers have been shut down by Discord.
Controversy aside, many real illegal acts occur on Discord, which generates threats to organizations and people beyond those who make use of the service. Bad actors who use Discord as a market for selling illicit goods create considerable problems that could potentially generate risk for your organization. It is important to understand the types of threats coming from this chat service and what you can do to investigate those threats.
The Discord Marketplace
It’s important to note that sellers of illicit goods on Discord do so in contravention of Discord terms of service.
Illicit markets on Discord work much like “conventional” Dark Web markets on TOR. First, a buyer must locate a seller, join their network, and pay in bitcoin. Investigating illicit activity poses similar challenges. New servers may appear and disappear at any time, making the already challenging task of locating new data sources even more difficult. Looking across TOR, Discord, and other similar hidden Dark networks is a time-consuming task. Media Sonar software helps to solve that problem by consolidating Dark Web data sources in a single screen, making it easier to analyze threat intelligence from a growing number of Dark Web sites and servers.
Hacking Tools: Besides the purchase of credit cards and loyalty points, some powerful hacking tools have found their way to Discord, making it possible for buyers to compromise accounts directly. One prominent example is OpenBullet, released on Microsoft’s GitHub code platform. Originally intended as a testing tool for security professionals, it was modified by hackers and spread quickly. It was easy to use, configure, and deploy. According to Ryan Jackson, the security researcher who discovered the hacking code being sold on Discord, it can be used to automate a number of hacking tactics like credential stuffing and brute force attacks. OpenBullet does the “hard work,” according to Jackson, and when he located it on Discord it was selling for a mere $10.
Drugs: Drugs are openly discussed and sold on Discord as well, much like on other Dark Web markets. The kinds of drugs vary from seller to seller. While the Discord drug marketplace is not as established or large as what is available on what is conventionally referred to as the Dark Web, there is considerable opportunity for growth here as more and more law enforcement agencies have their eyes on the most prominent markets. Several Dark Web markets have already shifted their operations to Discord, which means it could be just a matter of time before more follow suit.
Credit & Loyalty Cards: Among the most popular goods on Discord, across multiple markets, are credit cards and loyalty points. The Nightmare Market, shuttered by law enforcement in 2019 on TOR, has shifted to selling on Discord. Hackers with access to compromised accounts resell the data, which could be part of a larger breach or obtained through phishing activities on a one-off basis. Stolen credit card data, when sold on Discord or across other Dark Web sites, often includes other identifying information such as name, email address, phone number, potentially their address, as well as the password for that account. These cards can be used to make purchases online and offline or might be used to purchase untraceable gift cards. Loyalty points, another very popular item on Discord, can be purchased for just a few dollars (paid in bitcoin), and these accounts can be drained of points to exchange for cash, or for other items like tangible goods or gift cards.
Security industry calls for consolidated data sources
The security industry is calling for consolidated sources. We speak to security professionals who use a large number of data sources, and who are manually searching for threat data on the Internet. This is a slow and time-consuming task which, as a result of inefficiencies, often results in missed information and an inability to mitigate threats. Media Sonar aims to speed up that search by consolidating data sources on a single screen. We streamline a previously slow and manual process, adding intelligence and augmenting the data, making it easier for security professionals to analyze and track. We include a wide range of data sources, including Dark Web markets and Discord servers. We make it possible for you to conduct an advanced search and find exactly what you are looking for across a number of sources, all within a single interface. There is no need to join networks, and no risk to your system or network.