Intel analyses how Discord is abused for cybercrime

The report delves into observations by Intel 471 analysts concerning hacker activities and communities on Discord.

Digital crime by an anonymous hacker

A report from Intel highlights the emergence of young hacker communities, originating from online spaces like Discord, engaging in a range of illicit activities, from corporate hacking to real-life violence. The platform’s design, offering anonymity through digital personas, attracts users during their identity exploration, making it a breeding ground for malicious hacking interests.

The researchers discuss how attackers abuse Discord’s infrastructure for malware distribution. Discord’s robust and trusted content delivery network (CDN) and webhooks make it an attractive platform for spreading malware. Malicious files hosted on Discord’s CDN can bypass initial security screenings, making it challenging for organisations to block them outright. 

The report sheds light on the exploitation of Discord’s webhook functionality by malware developers. Threat actors leverage webhooks for data exfiltration and command and control communication using Discord’s infrastructure, which is less prone to takedowns and freely available. Stealers and remote access trojans, like Blitzed Grabber and ItroublveTSC, use Discord webhooks for extracting sensitive information.

Threat actors target users with deceptive tactics, offering game cheats and false enhancements that claim to unlock paid content. Gamers downloading these payloads unknowingly install information stealers, jeopardising their digital assets and personal information. Discord access tokens, once stolen, enable attackers to impersonate account owners and engage in various malicious activities.

The report emphasises that it does not intend to reflect poorly on Discord but aims to highlight how its appeal to the gaming community inadvertently creates an environment for cybercriminal activity. Discord’s robust infrastructure unintentionally makes it a preferred platform for malware distribution, a challenge shared by other service providers. While Discord’s move to implement temporary file links is a proactive step, organisations are urged to stay informed, limit Discord use on company devices, monitor networks for unauthorised use, enforce strong authentication, and educate employees about potential risks associated with platforms like Discord for non-work-related activities on company devices.