How Discord is Abused for Cybercrime | Intel471



Feb 13, 2024

Discord, which launched in 2015, quickly became one of the most popular online services due to its focus on serving the communication needs of gamers. Discord experienced a surge during the global pandemic and extended its reach far beyond just the gaming community, now drawing more than 150 million active users each month. Key features that contribute to its popularity include servers — chat rooms akin to the Slack workspace tool — that foster casual conversations about gaming, music and everyday life. The platform also supports voice channels, file sharing, the integration of bots with diverse functionalities and fine-grained role and permissions management for those running communities. While many of its servers are open to the public, others are exclusive, invitation-only communities. Similar to other communication platforms that experience rapid growth, Discord faces challenges from miscreants who seek to abuse the platform. These challenges are not unlike those plaguing other cloud services, storage providers and communication platforms that see attackers try to use their trusted infrastructure for malicious ends. Discord has taken steps to address these areas. This report explores critical areas Intel 471 analysts have observed related to Discord, including the rise of young hacker communities, how attackers abuse Discord’s infrastructure for malware distribution and how attackers leverage the implicit trust users put in Discord links to target other users.


Rise of Young Hacker Communities


Over the past two years, several open source and social media reports highlighted high-profile incidents associated with the LAPSUS$ and Scattered Spider threat groups. Evidence suggests these groups likely originated from a growing number of online communities on platforms such as Discord, often referred to by users as “coms.” These communities predominantly consist of young users who engage in a variety of illegal activity, ranging from corporate hacking and subscriber identity module (SIM) swapping to cryptocurrency theft, as well as real-life acts of violence and swatting. The breadth of their actions is both vast and concerning. Beyond these significant crimes, an underlying culture of toxicity prevails, characterized by offensive language and threats, including sextortion and doxxing, which is the act of publicly revealing someone's private information with the intent of harassment. We identified at least a dozen such communities on Discord at the time of this report. Some servers lure users with hacking tutorials, while in others numerous participants openly discuss their malicious hacking activity. To be clear, Discord is just one of many places where so-called “coms” exist. Intel 471 analysts track many forums that are entirely dedicated to selling malware, stolen data, access to organizations and malicious hacking tools, as well as to doxxing and SIM hijacking. By comparison, the activity on Discord is proportionally much smaller, as those forums are nearly entirely dedicated to illegal activity.

Figure 1. This image depicts a screenshot of an invitation to join a Discord server that allegedly offers training in a variety of hacking-related skills, captured Nov. 13, 2023.

Why has Discord emerged as an online congregation point for some people interested in malicious hacking? There have always been links between the gaming and security communities. Many cybersecurity professionals admit their interest in security came from a younger interest in hacking and modifying video games. The advent of Discord and its popularity with the gaming community makes it a logical home for many with the same interests. There has also always been an allure around hacking for adolescents. It’s a time marked by identity exploration, the quest for validation and boundary testing. Some young users might be drawn to hacking as a means to achieve quick admiration or notoriety. Discord's design, which allows for anonymity through the use of monikers or digital personas, further fuels this. The platform's setup can make users feel detached from their real-world identities, leading some to believe their online actions do not carry tangible consequences. In these online circles, newcomers might become interested in malicious hacking to fit in, while experienced members may do so to maintain their social status or to make money. The rise of influencers and the pursuit of viral content in today's culture also plays a role. In an age where online recognition is prized, some users might be swayed into thinking hacking can be their ticket to “digital fame.” For others who might feel like “outsiders” in real life, the online world offers a chance to wield influence and command respect.

Figure 2. This image depicts screenshots of invitation pages to join two servers on Discord allegedly related to “com” communities, captured Nov. 13, 2023.

How Malware Distributors Abuse Discord


One of the primary challenges in malware delivery is ensuring files, domains or systems are not taken down or blocked. Discord is known for its robust and reliable infrastructure, and it is widely trusted. Organizations often allowlist Discord, meaning that links and connections to it are not restricted. This makes its popularity among threat actors unsurprising given its reputation and widespread use. Threat actors particularly exploit two of Discord's features: its content delivery network (CDN) and webhooks.


Content Delivery Network


Platforms such as Discord and Slack gained popularity for their user-friendly file-sharing features, enabling users to transfer files by attaching them in channels. In the context of malware distribution, once a malicious file is uploaded to Discord's CDN, a direct link is generated by the platform. Attackers then can choose to disseminate these links through phishing emails, social media or other channels. When unsuspecting users click the links, they inadvertently download malware directly from Discord's CDN (see: Figure 3). This tactic was observed with several popular malware loaders, including Smokeloader, PrivateLoader and Amadey, which use Discord’s CDN to download next-stage payloads. These payloads often include stealers such as Cinoshi, Lumma, RedLine and RisePro.

Figure 3. This image depicts a screenshot of an automatic download of the intall.rar file triggered by clicking on a Discord URL attached to an email, captured Nov. 9, 2023. The Discord URL follows the https://cdn.discordapp.com/attachments/{channel ID}/{file ID}/{file name} format.

This method of delivering malicious content provides attackers with significant advantages in evading defenses. Malicious files hosted on known bulletproof network autonomous systems (ASs) can be blocked outright by organizations, which makes it less likely that users will be able to navigate to those locations. If the Discord domain isn’t disallowed by security controls, it’s an effective way to deliver harmful content. First, communication with Discord’s CDN uses hypertext transfer protocol secure (HTTPS), so unless the organization performs TLS inspection, network monitoring tools see only the destination host, not the content. Second, if the malware is embedded within a compressed archive, it adds a layer of obfuscation: many security systems cannot inspect the contents of encrypted or compressed files in real time, so this approach allows malware to slip past initial security screenings.


Discord has taken steps to address this. On Nov. 4, 2023, Discord announced it would switch to temporary file links for all users by the end of the year to block attackers from using its CDN to host and push malware. After this change, all links to files uploaded to Discord servers expire after 24 hours. This of course is by no means perfect, but it means that malicious links will not continue to live indefinitely. It strikes a balance between clamping down on abuse yet still allowing legitimate use of Discord’s file-sharing capabilities. Discord is far from the only service provider facing these challenges. In January 2023, cloud security vendor Netskope released its Cloud and Threat Report, which illustrated the vast challenge cloud service providers face combating malware-related abuse. Netskope’s report found that malware downloads originated from more than 400 cloud service providers during 2022, including Microsoft’s OneDrive, GitHub, Amazon Simple Storage Service (S3) and Google Drive.


Webhooks


Another feature of Discord increasingly exploited by malware developers is the platform's webhook functionality. Originally intended for sending automated messages from applications to Discord servers, this tool can be repurposed for malicious activity. Specifically, threat actors have adapted it to transmit stolen data from infected computers to Discord channels. Additionally, webhooks can facilitate command and control (C2) communication, enabling malware to receive commands directly from a Discord channel. In such scenarios, attackers leverage Discord’s infrastructure for command transmission and data reception, bypassing the need for their own servers. This approach presents multiple advantages for cybercriminals over traditional C2 panels. These include the ability to bypass standard network monitoring and security defenses by blending malicious traffic with legitimate Discord network activity, as well as access to Discord's reliable, globally distributed infrastructure, which is less prone to takedowns and available at no cost.


We observed a variety of stealers and remote access trojans (RATs) available online that enable cybercriminals to set up Discord webhooks for data exfiltration. One such example is Blitzed Grabber, an information stealer that emerged in January 2022, developed by the actor StvnedEagle in the C# programming language and .NET framework. Its primary feature is the use of Discord for data exfiltration. Another notable example is ItroublveTSC, a dual-purpose tool functioning as a Discord token grabber and browser password stealer, also developed using the .NET framework. This stealer employs Discord webhooks to exfiltrate victims' credentials (see: Figure 4). The actor 2kRevert aka revert, vert, Bigvert, vertbeamedyou was linked to the development of ItroublveTSC.
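Both abuse patterns described above, CDN-hosted payloads and webhook exfiltration, leave a recognizable trace in web proxy logs even when the Discord domains are allowlisted. The following script is an added example written for this report, not Intel 471 tooling and not code from any of the malware families named. It parses a constructed proxy log format (timestamp, client, method, URL, status, quoted user agent; adapt the regex to your own proxy), matches the attachment URL format quoted in Figure 3, matches the webhook endpoint format https://discord.com/api/webhooks/{webhook ID}/{token} (a documented Discord API path, not taken from this report), and redacts the webhook token, since the token alone is enough for anyone to post to that webhook. Two assumptions are marked in the code: that browsers and the desktop client send a Mozilla/ user agent, so a webhook POST from anything else is the stealer pattern; and that the ex query parameter the CDN now appends to attachment links is the expiry time as a hex-encoded Unix timestamp, which is this editor's reading of current links and is not stated in the report.

```python
"""Flag Discord CDN attachment downloads and webhook posts in proxy logs.

Added example for this report, not Intel 471 tooling. The log format is
constructed for the example; map LOG_RE to your own proxy's fields.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Attachment path format as quoted in the report:
# https://cdn.discordapp.com/attachments/{channel ID}/{file ID}/{file name}
# Both IDs are numeric Discord snowflakes.
CDN_RE = re.compile(r"^/attachments/(?P<channel_id>\d+)/(?P<file_id>\d+)/(?P<filename>[^/]+)$")
# Webhook path: /api/webhooks/{webhook ID}/{token}, optionally versioned (/api/v10/).
WEBHOOK_RE = re.compile(r"^/api/(?:v\d+/)?webhooks/(?P<webhook_id>\d+)/(?P<token>[A-Za-z0-9_-]+)$")
CDN_HOSTS = {"cdn.discordapp.com"}
API_HOSTS = {"discord.com", "discordapp.com"}
# Archives hide payloads from inline inspection (as the report notes); the rest run directly.
RISKY_EXT = {".rar", ".zip", ".7z", ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".msi", ".iso"}
# Assumption: browsers and the Discord desktop client identify as Mozilla/...;
# a webhook POST from anything else (python-requests, curl, a .NET default UA) is suspicious.
BROWSER_UA_PREFIXES = ("Mozilla/",)

# Constructed proxy log line: timestamp client method url status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample log (IDs, token and hashes are made up for the example).
SAMPLE_LOG = """\
2023-11-09T10:12:03Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/1171234567890123456/1172345678901234567/invoice.rar?ex=655d5f2a&is=655c0daa&hm=0badc0de 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2023-11-09T10:12:05Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/1171234567890123456/1172345678901234568/team_photo.png 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2023-11-09T10:13:40Z 10.0.0.5 POST https://discord.com/api/webhooks/1172345678901234569/AbCdEf_gHiJkLmNoPqRsTuVwXyZ0123456789-abcdefghij?wait=true 204 "python-requests/2.31.0"
2023-11-09T10:14:00Z 10.0.0.7 GET https://discord.com/channels/@me 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) discord/1.0.9024"
2023-11-09T10:15:00Z 10.0.0.9 POST https://discord.com/api/v10/webhooks/1172345678901234570/zzz 204 "Mozilla/5.0 (X11; Linux x86_64)"
"""


def parse_line(line):
    """Split one proxy log line into fields; None if it does not match LOG_RE."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return a finding for a Discord CDN attachment or webhook URL, else None."""
    parts = urlsplit(rec["url"])
    host = parts.hostname or ""
    base = {"ts": rec["ts"], "src": rec["src"], "method": rec["method"]}

    if host in CDN_HOSTS:
        m = CDN_RE.match(parts.path)
        if not m:
            return None
        filename = m["filename"]
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        expires = None
        ex = parse_qs(parts.query).get("ex")
        if ex:
            try:
                expires = int(ex[0], 16)  # assumption: hex Unix seconds, see lead-in
            except ValueError:
                pass
        return {**base, "kind": "cdn_attachment",
                "severity": "high" if ext in RISKY_EXT else "low",
                "channel_id": m["channel_id"], "file_id": m["file_id"],
                "filename": filename, "expires_epoch": expires}

    if host in API_HOSTS:
        m = WEBHOOK_RE.match(parts.path)
        if not m:
            return None
        browser = rec["ua"].startswith(BROWSER_UA_PREFIXES)
        severity = "high" if rec["method"] == "POST" and not browser else "medium"
        # The token is never copied into the finding: whoever holds it can post.
        return {**base, "kind": "webhook", "severity": severity,
                "webhook_id": m["webhook_id"], "token": "<redacted>"}
    return None


def scan(lines):
    """Run classify() over log lines, skipping lines that do not parse."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            finding = classify(rec)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f["severity"].upper(), f["ts"], f["src"], f["kind"],
              f.get("filename") or "webhook " + f["webhook_id"])
```

On the sample log the archive download and the python-requests webhook POST come out as high, the image download as low and the browser-originated webhook POST as medium; the ordinary visit to discord.com/channels produces nothing. The webhook ID is kept so the same webhook can be correlated across hosts, while the token is dropped so a ticket or SIEM export never becomes a second leak of the attacker's exfiltration channel.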

Figure 4. This image depicts a screenshot of the ItroublveTSC builder.

Navigating User Exploitation within Discord


As a leading chat and collaboration platform, Discord has gained immense popularity among online gamers. In the gaming world, it is common for players to purchase in-game items to enhance their characters' abilities and to gain access to small perks and upgrades. A substantial segment of gamers, particularly teenagers with little or no income, naturally are drawn to modifications — also known as “mods” and “cheats” — as alternatives. These options allow players to acquire in-game advantages without spending money. Threat actors are aware of this tendency and deploy deceptive tactics, such as offering game cheats and false game enhancements that claim to unlock paid content. These strategies are crafted to entice gamers into downloading and executing malicious payloads, particularly information stealers.


We observed multiple campaigns targeting Discord users that frequently employed lesser-known or newly emerging information stealers. For example, in August 2023, a threat actor contacted potential victims and asked if they wanted to “try a new game,” usually hosted on a legitimate game-hosting provider. When the unsuspecting user downloaded and ran the game, the Epsilon stealer was installed on their system. The threat actor likely used compromised Discord accounts to disseminate the malware, effectively leveraging the platform’s trustworthiness to spread the payload.

Figure 5. This image depicts a screenshot of the Epsilon information stealer launch page, captured Aug. 15, 2023.

Threat actors can use information stealers to steal valuable digital assets from gamers, including in-game currencies, rare items and high-achievement accounts. These virtual assets often are traded for real money or used by attackers themselves. Furthermore, personal and payment information of gamers used for in-game purchases may become a target for identity theft and fraudulent transactions. Beyond stealing user credentials and personal data, information stealers frequently target Discord access tokens, which grant full control of the account to anyone who acquires them, without the password or MFA prompt. Once in possession of these tokens, attackers can impersonate account owners and engage in a variety of malicious activity, such as uploading malware to Discord's CDN, performing social engineering to approach other users — as evidenced in the Epsilon stealer case — and generating webhooks for further exploits. We observed dozens of Discord token grabbers readily accessible in the public domain on the GitHub software development platform.

Figure 6. This image depicts a screenshot featuring 129 public repositories likely associated with Discord token grabbers, captured Nov. 14, 2023.

Assessment


This report is not intended to reflect poorly on Discord. Rather, it’s intended to show how Discord’s appeal to the gaming community and the gaming community’s relationships with youth hacker culture inadvertently have created a favorable environment for initial cybercriminal activity, such as targeting individuals for game perks. This represents just the early stages of potential cyber threat escalation. As threat actors refine their skills through these minor exploits, they may later progress to more sophisticated schemes and intrusions. In essence, Discord is one of many spaces online where threat actors can find each other, exchange information and hone their techniques. This offers opportunities for infosec professionals to collect cyber threat intelligence (CTI) by observing these communities and interacting with them. This adversary intelligence can then be used in security operations.


Discord’s robust infrastructure and general trustworthiness have inadvertently turned it into a favored platform for malware distribution — a problem shared by other service providers. The company's recent initiative to implement temporary file links represents a proactive step in disrupting a method threat actors commonly use to distribute malware. Nonetheless, it is crucial to recognize that this measure is not a cure-all. Although the links expire after 24 hours, that still leaves ample opportunity to trick people into downloading the content, and a link can simply be re-uploaded and re-sent once it lapses.


The following are recommendations organizations can take to limit their potential exposure to threats abusing Discord.


Recommendations


To protect against threats, especially those emerging from platforms such as Discord, it’s important for both organizations and individuals to stay informed about new dangers. Therefore, organizations are encouraged to:


Limit Discord use on company devices. If Discord is not officially approved for work, block or restrict it on all company devices to avoid potential cyber threats from the platform.



Watch for unauthorized network use. Use network monitoring tools to spot any unapproved use of Discord or similar platforms, allowing for swift action against policy breaches.



Implement strong authentication. For businesses using Discord legitimately, enforce robust authentication methods, such as multifactor authentication (MFA), to prevent unauthorized account access.



Educate employees about Discord-related risks. Conduct awareness programs to inform employees about the potential risks of using platforms such as Discord for non-work-related activity, especially on company devices.