Discord's attractiveness to bad actors.
Apr 21, 2023

Discord has become a field of activity for a wide range of bad actors in cyberspace (and that doesn't even count the Discord Papers).

Cyber criminals have begun conducting phishing attacks on Discord, capitalizing on users’ attempts to get around the service’s premium paywall. CyberArk reports that a group known as “Kurdistan 4455” has begun stealing credit card numbers and personal information from would-be paywall evaders. The bad actors then use the victim's credit card to buy Discord Nitro keys and sell them at a discounted price for profit.

Cyber criminals steal credit cards and buy Nitro.

Discord is one of the internet’s most popular messaging platforms, with over 300 million subscribers. This has naturally led some to use the platform for criminal or otherwise discreditable purposes. CyberArk explains that much of this cyber crime centers on obtaining keys for Discord’s premium service, Nitro. Naturally, some cyber criminals began stealing users’ credit cards and laundering money by selling the aforementioned Nitro keys. CyberArk notes, “In an effort to keep Discord users and communities safe, we have attempted to contact Discord for several months and notified their support team on the different ways attackers misuse Discord’s features, and of the new hacking Group. As we did not get a definitive response from them, we hope that this blog post will help users to protect themselves and hopefully Discord will also apply applicative changes.”

No honor among thieves.

CyberArk has found that criminals like Kurdistan 4455 are developing Discord malware on GitHub. The Vare malware is one example. “Vare is a malware written in Python and converted into an executable with pyInstaller. It is an info stealer that uses Discord both as a data exfiltration infrastructure and a target to steal from.” CyberArk has determined that this malware is actually meant to target other would-be cyber criminals. CyberArk names a GitHub developer, “saintdaddy,” as a person of interest, since his account has many projects related to Discord malware. His GitHub account includes a link to a Discord server that was originally named Kurdistan 4455.