Picture the scene. It’s Christmas Day, and your child/loved one/other has just opened their present from you…a new games console. It’s a tale likely to be repeated many times across the globe over the next week. Gaming, especially a new console, brings joy to thousands of people every year. It also brings a wealth of new online friends in places worldwide that our usual friendship circles just wouldn’t reach. As more and more global gaming relationships are established, users turn to platforms like Discord to chat gaming, share memes, and more! In this blog, I’ll talk you through the potential dangers lurking within Discord to help you answer this question: Do I really need to be concerned about Discord this Christmas?


What is Discord?

If you’ve never ventured into the realms of Discord, you might be wondering what it is. Discord was a mystery to me not being a gamer myself, and I was quickly schooled by some (much younger) colleagues before embarking on my Discord research journey. 

Discord describes itself as “the easiest way to talk over voice, video, and text.” It’s a place to chat, call, share things, and generally hang out with friends, and the Discord community at large. Discord uses voice over Internet protocol (VOIP) to facilitate voice calls and is described as a “digital distribution platform.” 

If you’re playing by Discord’s rules, users must be at least 13 years old to register for an account. However, in reality, Discord does not verify a user’s age at the point of registration. Or ever, for that matter. So anyone, of any age, with an email address and a phone number can register for a Discord account. There are undoubtedly Discord users under the age of 13, and they would definitely benefit from reading up on how to manage their digital shadow.

Discord is marketed as a space for everyone to chill and chat no matter their interests. That’s excellent news for those of us who have niche interests and no one in the real world to talk to about them. However, like many other online platforms, providing for people with such diverse interests inevitably means that there will be some dark places in Discord that you probably don’t want your 12-year-old visiting. So let’s dive into those a little deeper now.

Pro tip: Don’t post a meme in the #general channel
Pro tip: Don’t post a meme in the #general channel 

What’s so bad about Discord?

As I’ve already mentioned, most users head to Discord for extracurricular gaming fun. And if that’s where it stops, then great. However, discussing gaming online can sometimes lead to discussing gaming cheats and modifications, and there are plenty of servers in Discord that cover these topics. In 2017, the UK National Crime Agency published a “Pathways into Cyber Crime” report that said, “offenders begin to participate in gaming cheat websites and ‘modding’ and progress to criminal hacking forums without considering the consequences.” The report also stated that money is not the primary motivation for many young cybercrime offenders. Simply completing a challenge or being the first to achieve it is enough motivation for many. 

The NCA’s research still stands today, but these experimental youths may not need to venture to cybercriminal forums to discuss and develop their hacking skills. Discord has these spaces too. On top of that, there are servers where you can buy details of compromised payment cards, exam papers before they are released, and even your own server to host; a) your gaming stuff, or b) illegal things. 

By far, the most prevalent type of criminal server that I identified during my research were those where you could buy online accounts for almost anything, including:

  • Food delivery services
  • TV streaming services
  • Music streaming services
  • Email accounts
  • Gaming accounts
  • Virtual private network accounts
Examples of Discord servers offering all account types – redacted for your safety

Whatever you’re after, Discord has it. These accounts’ low prices and high availability suggest they are in abundance. Add to that the fact that these are all major companies, many Discord users could be caught in a “what’s the real harm” conundrum. As with progression from gaming to hacking, young Discord users may not understand the full ramifications of buying one of these accounts. Simply thinking of it as an easy way to watch their favourite TV show for free. But, let’s not forget, it’s fraud. Plain and simple.

Once you’re a member of a server like this, Discord will allow you to share files with other users in that server – after all, it is a digital distribution platform, remember?! But what happens when someone sends your child a malicious file? There must be firewalls in place to stop that, surely? Nope, the kids can just hit “download anyway” and potentially unleash some nasty malware onto their (or your) device.

Discord pop-up before downloading a file
Discord pop-up before downloading a file

Malware isn’t the only thing to worry about when it comes to file sharing. Many servers have NSFW (not suitable for work) sections. I haven’t entered into these channels myself, but I imagine some unsavoury things are happening in them. And what would I need to do to see the “adult content” in these channels? Just tell Discord I’m over 18, of course. Where’s that age verification when you need it…

Discord pop-up before entering a NSFW channel

But wait, there’s more…

We’ve written before about cyber threats to the online gaming industry, and Discord is no different in that respect. Discord is a legitimate platform being exploited by criminals for illegitimate purposes. After a quick online search, I found a YouTube video that shows the viewer how to use a Discord server as a command-and-control (C2) server. I also found this GitHub entry explaining the same thing. Although this GitHub author says they just wanted to “mess around,” they also point out that with more time, they “would use this as an initial dropper then upgrade my shell via injection.” In the wrong hands, Discord users could see their servers being used to perpetuate cyber threat campaigns without their knowledge.

Cybercriminals are abusing the core features of Discord to spread different types of malware. Remember I said you can share files via Discord? Well, those files are stored in Discord Content Delivery Network (CDN). Researchers identified that cybercriminals are abusing the CDN “by creating channels with the sole purpose of delivering…malicious files”. In 2020, Discord had 300 million registered users. Distributing malware through a platform of this size is a sure-fire way of causing mass devastation. Threat actors use these malicious files to capture information about the users and their devices and to download and execute more malicious files. 

Tell us there’s some good news!

There is good news. Discord’s Trust and Safety team is aware of the presence of criminal servers and is acting to stop them. The team is sending out email warnings like the one below to encourage users to leave servers they have identified as allowing or facilitating harmful activities relating to cybercrime.

An email warning I received from the Discord team. Oops.
An email warning I received from the Discord team. Oops. 

These warnings indicate that individual users will face the consequences for being a member of a criminal server. Still, there’s nothing about what they are doing about the server itself. Presumably, its owners are also getting a strongly worded email asking them to take down the server before Discord T&S does. One can only hope.

Discord has also made its registration process more rigorous, requiring verification through email and phone in many cases. There’s also an arduous Captcha verification process to get through to prove you’re human and stop the proliferation of unwanted bots throughout the platform. Still no sign of age verification, though. 

Discord chat: You might have an account, but I can’t promise you’ll understand what’s happening.
Discord chat: You might have an account, but I can’t promise you’ll understand what’s happening.

If you’re interested in finding out more about how cybercriminals weaponize social media, why not take a seven day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here, or sign up for a demo.