Discord OSINT

Investigating Discord: A Primer

Guest blog by BOsintBlanc.

Discord for the uninitiated is a group chat service in the vein of Telegram, Whatsapp, or IRC (if you’re that old ;-P). Channels are set up as ‘servers’ usually based around a shared topic of interest. As of 2020 Discord had over 300 million registered users (source) and that number does not appear to be dwindling any time soon.

What does this mean for OSINT? It means there is a huge potential for investigation and discovery through the chat service. Though Discord servers are technically private there are many ways to discover invites to the server and once found there is quite a bit of information that can be gleaned. Like all social media services Discord has its idiosyncrasies and this blog will hopefully assist you in learning the basics and hopefully, in no time you’ll be a Discord whiz in your very own right!

At the start of server discovery, I always want to try to keep it simple. Utilize searches on your preferred search engine as your first step. Don’t underestimate the power of a basic search like “target + discord” or “site:discord.com + target”. For this blog, I am going to select a community likely to have a huge user base namely the popular shooter video game franchise: Call of Duty. A simple search of ‘call of duty discord’ nets us 33K results. You can also utilize sites like https://disboard.org/ or https://top.gg/ which may have cataloged an invite for you!

It’s important to note the format of discord invites which are always discord.gg/community name. For example, the CallOfDuty discord we found above is listed at ‘discord.gg/callofduty’. Using this knowledge you can also execute searches on search engines, social media, and within discord servers themselves to find servers for the invitations being shared out across messages.

Let’s try on Twitter with Call of Duty again. Executing the search “discord.gg/callofduty” finds us an account that mentioned the previously discovered discord on Sept 15, 2020.

However, we could also initiate a slightly different search if we weren’t so sure this was the exact discord we were searching for. Using the search (“discord.gg/” AND “call of duty”) gets us some vastly different results.

We can repeat this process on other social media to hopefully find a public-facing invite link. Now that we’ve scored our invite we need to spend some time digging into the server itself.

My initial checklist of things I want to do / look for in a server are:

  1. Ensure I am ‘Invisible’
  2. Complete steps necessary to gain full access to the server
  3. Find Owners
  4. Find Moderators (mod) and administrators (admin)
  5. Find Other discord servers linked by owners, mods, and admins
  6. Denote Group roles significant to the group
  7. Denote Discord usernames of investigative targets

Discord Investigation ABC’s (Always Be Checkin)

Ensure I am ‘Invisible’

Discord defaults to making you show online. Depending on the sensitivity of your investigation you may not wish to make it clear to other users on the server when you are present. Just like all social media investigations don’t do any discord investigation with your personal accounts. Always create a sock puppet to utilize for each investigation.

To check how you appear to other users – click your profile on the bottom left-hand side of the Discord menu and select ‘Invisible’. It’s important to note this does not hide you have joined the server and many servers make announcements by default when new users join.

Complete Steps Necessary for full access

Usually, your first step in joining a server will be to either ‘react’ (which means to place an emoji beneath a statement) or acknowledge the rules of the server. Sometimes servers will use bots to auto-assign roles based on you ‘reacting’ to a certain statement. For example, in our Call of Duty Server, we can ‘react’ to designate what we will get notifications for based on our region and the platform we are playing the game.

Find Owners/Moderators/Admins

Along the right-hand side pane of the discord server, you will find a list of the users. Some important things to note. As you can see in the screenshot from /CallofDuty a couple of categories show up. ‘Moderators’, ‘Reddit Moderators’, ‘Bots’, ‘Treyarch’ and ‘Raven’.

The behavior of what shows up here is defined by each server and their particular ‘roles’ which have been set. Roles control everything in a discord server, what notifications are received, what a profile can see and do.

We also see various symbols next to usernames. These are called ‘badges’ and denote different milestones or details about a profile. A great resource for understanding Discord badge symbology can be found here.

For example, in our screenshot, we see that the one user has a crown next to their name which indicates they are an owner of the server despite ‘Owner’ not being one of the defined roles that appear in our user list for this server.

Find Other Discords Linked By Owners/Mods/Admins

The best process here is to use the inline search functionality of Discord which is relatively robust. We can throw in a general search like “discord.gg/” into the search function and we get quite a few results.

You can also search for specific text posted by a specific user which is likely more meaningful for our case. Using the owner identified earlier and the same search we get far fewer results BUT the results are likely more meaningful because it means the owner of this server possibly has a connection to the server they are sharing.

Denote Group Roles Significant to the Group

In the case of our Call of Duty server some notable groups were defined for us ‘Treyarch’ is likely to be users who represent the game company. ‘Mods’ are administrators for the group. A good process is also to find users who comment frequently or seem well embedded in the group right click their user and hover over the ‘roles’. This may reveal some important groups within the server that are not immediately obvious.

Denote Users

It’s important to know that a user or admin of the group can set a ‘display name’ for a user which may differ from their actual defined Discord username. The Discord username is always a username+ # + 4 numbers. For example, my Discord username could be BosintBlanc#1234.

The surest way to see a user’s actual Discord name is to right-click their name in chat and select ‘profile’.

For example our server owner of the Callofduty discord. We get to see his actual username and users can optionally list other social accounts. The owner listed a Steam, Blizzard, Reddit, and Github. One of which has his first name and last initial.

Hopefully, this will help you to start diving into Discord investigations. There is a lot that can be discovered in these chat servers and the opportunities will only increase if Discord continues to grow in popularity!

Signing out for now. Happy OSINT’ing