Discord’s Dark (Web) Side

Discord Dark Web - SpyCloud Blog

A series of sting operations shuttered large darknet markets like Hansa and AlphaBay in 2017, leaving a community of disenfranchised darknet vendors and buyers in their wake. In those markets’ place, multiple generations of new markets have emerged, some eerily similar to their predecessors. Police takedowns and exit scams have removed some of the bigger players, and what our security researchers are observing now is a move to find alternative ways to do business. Discord is just the latest example of how criminals are regrouping.

Discord is a communication platform that has become a new refuge for the darknet community. Originally designed for gamers, Discord hosts text, image, video and audio chat (to the tune of 25 billion messages per month). It is divided into servers, each hosting its own channels and topics and setting its own rules. Many Discord servers dealing in hacking and cracking or dark web sales have “backup” servers that members can join in case their main server gets shut down. These backup servers are often nondescript and plain, and carry invite links to the real active server where the fraud transactions take place. The names of these Discord servers are most often not explicitly listed as “dark web” or “fraud” servers, but contain terms or phrases that are easily recognized by members of the fraud community.

The online clearnet cracking community has converged upon Discord as well. Many Discord servers require an invitation, which makes monitoring of the platform difficult. Although Discord’s Community Guidelines prohibit “content involving the hacking, cracking, or distribution of pirated software or stolen accounts,” many of these activities do take place on the platform.

The Displaced Darknet

In 2019, we wrote about the “third generation” of darknet markets, which included a suite of smaller and seemingly more innovative markets than their larger predecessors. Markets like Empire Market, an uncanny AlphaBay clone, are still online today. Other third-generation markets such as Nightmare Market, Berlusconi and Cryptonia went offline before December 2019. Nightmare allegedly fell victim to an exit scam, and was defaced to display a dox of a Belarusian man who may have served as the market’s admin. Berlusconi, Samsara, and Cryptonia may have been taken down by law enforcement.

The 2017 darknet takedowns led vendors and customers alike to flock to open web communities such as Reddit to regroup, while the savviest fraudsters often preferred to sell dumps directly to their most-trusted clients rather than to random customers of darknet marketplaces. As AlphaBay and Hansa were dismantled, rising criminals were able to take over in new venues, like the r/DarkNetMarkets subreddit (which was ultimately banned for violating Reddit’s Content Policy, which forbids “direct dealing” in darknet staples such as firearms, drugs, prostitution, stolen goods, personal information and falsified documents). Other new subreddits discussing the dark web have taken its place, but members of these communities can no longer do business there.

With the inception of the darknet Dread forum (“the Reddit of the darknet”), criminals could once again network and form new relationships with potential customers, allowing for the opportunity of more direct sales.

But as newer social media platforms such as Discord have become more popular, displaced darknet communities have found a new home.

Figure 1: A screenshot of darknet vendors advertising their business on a darknet-themed Discord server.

In the screenshot above, a member of a Discord server popular with the “fraud community” can be seen hawking fraudulent IRS coronavirus stimulus checks. Another vendor advertises fraudulent credit card information reportedly breached via SQL injection, as well as fraud methods for Amazon gift cards, CashAPP, StockX and McDonalds. Access to this Discord server requires an invite link.

The Discord Cracking Community

In our blog post Criminals are using these tools to “crack” your website, we went over the robust landscape of the online “cracking” community as well as some rudimentary credential stuffing tools used for account takeover. Therein, we described the online cracking scene, which largely exists on the clearnet. These communities are dedicated to the sale and trade of Sentry MBA and other credential stuffing tool config files, combo lists and proxy files (although sometimes config files are advertised as “proxyless”).


Figure 2: Screenshot of an advertisement for targeted combolists for popular services such as Hulu, PayPal, Spotify, Minecraft, and others. This screenshot was taken from a cracking Discord channel.

These sites vary by the language used, the technical capability of their users, and their legitimacy. Rather than acting as marketplaces, these forums allow members to manufacture, test, and post access to config files, combo lists, tutorials, and extra tools for free. This honor system has helped create self-sustaining micro-markets for the creation and trade of config files and combo lists. Several Discord servers are dedicated to the cracking community, and their content closely resembles what is posted on popular cracking forums.

Figure 3: Configuration files posted to a cracking Discord server for services such as Hulu, Disney, and Netflix.

In addition to configuration files and combo lists, some members of these Discord servers share the account checker software itself. The screenshot below shows a member of a dedicated cracking Discord server sharing Hulu, NordVPN and Netflix account checkers.

Figure 4: Custom account checkers being shared on a cracking Discord Server.
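The credential stuffing tooling described in the cracking community section and the account checkers shared in Figure 4 leave the same footprint in a target site's authentication logs: bursts of failed logins across many accounts, coming from one source when a checker is run without proxies and spread thinly over many source IPs when it is run through a proxy list. The Python below is an added example for this post, not SpyCloud code and not any tool from the page. It parses a constructed log format (timestamp, source IP, username, OK/FAIL), flags both shapes per five-minute window, and lists the successful logins inside a flagged window as the combo-list hits whose accounts need a password reset. The log format, the thresholds and the sample lines are all assumptions made for the illustration.

```python
"""Detect credential-stuffing patterns in authentication logs.

Added example; not SpyCloud code. Log format (constructed for this example):
"<ISO-8601 timestamp> <source ip> <username> <OK|FAIL>".
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (not real traffic), three 5-minute windows:
#  12:00  ordinary logins, one mistyped password
#  12:10  one source IP walking a combo list of six usernames ("proxyless")
#  12:20  the same kind of list sprayed through twelve proxy IPs, one hit
SAMPLE_LOG = """\
2020-05-01T12:00:05Z 192.0.2.10 alice OK
2020-05-01T12:01:10Z 192.0.2.11 bob OK
2020-05-01T12:02:15Z 192.0.2.10 alice FAIL
2020-05-01T12:02:40Z 192.0.2.10 alice OK
2020-05-01T12:03:00Z 192.0.2.12 carol OK
2020-05-01T12:10:01Z 198.51.100.7 alice FAIL
2020-05-01T12:10:02Z 198.51.100.7 bob FAIL
2020-05-01T12:10:03Z 198.51.100.7 carol FAIL
2020-05-01T12:10:04Z 198.51.100.7 dave FAIL
2020-05-01T12:10:05Z 198.51.100.7 erin FAIL
2020-05-01T12:10:06Z 198.51.100.7 frank FAIL
2020-05-01T12:20:00Z 203.0.113.1 user01 FAIL
2020-05-01T12:20:03Z 203.0.113.2 user02 FAIL
2020-05-01T12:20:06Z 203.0.113.3 user03 FAIL
2020-05-01T12:20:09Z 203.0.113.4 user04 FAIL
2020-05-01T12:20:12Z 203.0.113.5 user05 FAIL
2020-05-01T12:20:15Z 203.0.113.6 user06 FAIL
2020-05-01T12:20:18Z 203.0.113.7 user07 OK
2020-05-01T12:20:21Z 203.0.113.8 user08 FAIL
2020-05-01T12:20:24Z 203.0.113.9 user09 FAIL
2020-05-01T12:20:27Z 203.0.113.10 user10 FAIL
2020-05-01T12:20:30Z 203.0.113.11 user11 FAIL
2020-05-01T12:20:33Z 203.0.113.12 user12 FAIL
"""


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append(LoginEvent(when, ip, user, result == "OK"))
    return events


def window_start(ts, minutes):
    """Floor a timestamp to the start of its tumbling window (ISO string)."""
    floored = ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)
    return floored.strftime("%Y-%m-%dT%H:%M:%SZ")


def detect_stuffing(events, window_minutes=5, max_users_per_ip=5,
                    min_attempts=10, fail_ratio=0.8, ip_spread=0.5):
    """Flag two stuffing signatures per window (thresholds are assumptions).

    noisy_ips: one source IP trying >= max_users_per_ip distinct accounts.
    distributed_windows: >= min_attempts logins with failure ratio >= fail_ratio
        and distinct IPs >= ip_spread * attempts, i.e. a checker rotating through
        proxies; a per-IP rule sees one attempt per IP and misses this.
    compromised_candidates: successful logins inside a flagged window or from a
        flagged IP, the likely combo-list hits to force a reset on.
    """
    by_window = defaultdict(list)
    for ev in events:
        by_window[window_start(ev.ts, window_minutes)].append(ev)

    noisy_ips, distributed, candidates = [], [], []
    for start in sorted(by_window):
        evs = by_window[start]
        users_per_ip = defaultdict(set)
        for ev in evs:
            users_per_ip[ev.ip].add(ev.user)
        flagged_ips = {ip for ip, u in users_per_ip.items() if len(u) >= max_users_per_ip}
        for ip in sorted(flagged_ips):
            noisy_ips.append((start, ip, len(users_per_ip[ip])))

        attempts = len(evs)
        failures = sum(1 for ev in evs if not ev.ok)
        window_flagged = (attempts >= min_attempts
                          and failures / attempts >= fail_ratio
                          and len(users_per_ip) >= ip_spread * attempts)
        if window_flagged:
            distributed.append((start, attempts, round(failures / attempts, 3), len(users_per_ip)))

        for ev in evs:
            if ev.ok and (window_flagged or ev.ip in flagged_ips):
                candidates.append((ev.user, ev.ip))

    return {"noisy_ips": noisy_ips,
            "distributed_windows": distributed,
            "compromised_candidates": candidates}


if __name__ == "__main__":
    for kind, rows in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(kind, rows)
```

The two rules are deliberately separate: the per-IP rule catches a checker run from a single machine, while the window-level rule catches the proxied case where every source IP shows up only once and no per-IP threshold can fire. In practice the thresholds would be tuned against the site's normal failure rate, and the candidate list fed to a forced reset and a notification to the affected users.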

What Can You Do?

Criminals are always looking for ways to regroup despite the aggressive law enforcement campaigns to disrupt them. Hidden services such as Dread represent clever criminal innovations accessible only via Tor, but other criminals, especially those looking to expand their clientele, have taken to the clearnet, and Discord is no exception. Discord offers some degree of protection because servers may require an invite to join. And, because some criminals operating on Discord have created clean “backup” servers for when their servers dealing in crime are eventually shut down, getting rid of them isn’t as easy as clicking the “report” button.

Discord explicitly prohibits these activities on its platform. If you happen to come across one of these communities, try to see if a backup link is available anywhere, and include that in your complaint. Companies whose goods or services are being fraudulently traded or sold on Discord can report the activity. You can also report these activities to law enforcement.

The use of Discord, Reddit and other popular messaging and social media platforms represents another criminal countermeasure to surveillance and policing on the internet. Even if these communities are eliminated, they will likely soon appear elsewhere in a different form, as they have several times before.
