
Discord-focused online tool makers claim they have access to billions of user messages and a trove of voice sessions, files, and user profiles. The allegedly leaked data was scraped from the platform.
- Malicious actors are selling access to 1.8 billion Discord messages from 35 million users for likely harassment purposes.
- The scraping service operates from Estonia but stores data in Russia, likely to avoid EU privacy laws.
- Discord previously shut down similar service Spy.Pet in 2024 for violating platform terms of service.
- The service allegedly includes voice sessions, user profiles, and data from 6,000 Discord servers.
Attackers posted an ad for the service on a popular data leak forum, used to exchange stolen user data. The post claims that the service allows users to sift through billions of Discord records, which could be used to harass the platform's users.
We’ve reached out to Discord for comment and will update this article once we receive a reply.
Meanwhile, the data-scraping service claims that, for a fee, it allows users to peer into:
- 1.8 billion Discord messages
- 35 million users
- 207 million voice sessions
- 6,000 Discord servers
The Cybernews research team claims that while attackers could conceivably have access to data scraped from public and possibly private Discord servers, it’s impossible to know without subscribing to the service controlled by cybercriminals. The attackers claim that they’re updating the indexed Discord messages live, suggesting that the data on the service’s servers is up to date.
How are Discord messages exploited?
Attackers can find multiple ways to exploit leaked user messages. Aside from the obvious privacy concerns, malicious actors often use Discord activity to harass individuals and minorities.
In 2024, a shady website called Spy.Pet surfaced, claiming it had scraped billions of public Discord messages from nearly 620 million users.
Spy.Pet didn’t stop at message logs. It bundled users' Steam accounts and other linked platforms, offering what it called an “enterprise option” to anyone looking to train AI models on its data. That includes, allegedly, federal agencies.
“This is a tool that makes researching people for the sake of harassment or online arguments easier. It could be useful for people with certain intentions, but the same can be done without the service – it would just take much more manual labour,” researchers explained.
“The service’s premise is similar to Spy.Pet, another data-scraping service, which Discord shut down last year. The new one allegedly has more integration with breached databases and FiveM servers. The service is likely created to facilitate online harassment,” the team explained.
FiveM is a custom multiplayer client for the hugely popular video game Grand Theft Auto V (GTA5). The client enables users to create modified servers with new features, changed car models, maps, and other modifications. The Discord data scraping service claims to have scraped usernames as well as other records from these custom servers.
In early 2024, Discord banned Spy.Pet-linked accounts from its platform, essentially cutting data-scraping bots off the platform's servers. At the time, Discord reportedly said that scraping its services violated the company’s regulations.
According to the Cybernews researchers, the recently advertised service attempts to capitalize on at least two streams: people who will pay to read others’ messages, and individuals who will pay to have their data omitted from the service.
For example, the service’s ToS stipulates that users can pay a one-time fee to have all of their data permanently deleted from the service’s servers. Another option has Discord users pay a larger fee to be excluded from the data-scraping process altogether.
Who’s behind the Discord data scraper?
The recently advertised service’s terms and conditions (ToC) page claims that it is operated in Estonia, an EU member state, which means it is subject to one of the strictest privacy laws in the world.
Interestingly, the ToS indicates that data likely scraped from Discord is stored on servers located in the Russian Federation. The service's creators likely believe that by storing data outside the EU, in a country with which the EU doesn't have an entirely friendly relationship, they can avoid legal repercussions.
However, as the Spy.Pet case highlighted, services like this violate several articles of the GDPR, including the “right to be forgotten” in Article 17.
Due to its large user base and tight-knit communities, Discord is often targeted by attackers. For example, earlier this year, one group claimed they managed to scrape over 348 million messages from nearly 1,000 public Discord servers.
What is data scraping?
Data scraping is a technique in which automated computer programs extract information from digital sources. Most often, automated bots carry out the task, as this allows vast amounts of data to be collected. Bots pretend to be web browsers to bypass scraper-blocking efforts.
Malicious actors often utilize the technique to collect personal information, which can later be used for identity theft, credential stuffing, or harassment. While the data that scrapers gather is often public, having user details in one database enables attackers to automate targeted attacks. Scamming one user out of a million could be a net profit for the attacker.
Major social media platforms are often targeted as they have a large user base. Earlier this year, attackers claimed they had abused Facebook’s application programming interfaces (APIs) to scrape information on 1.2 billion of the Meta-owned platform’s users.
In 2024, malicious actors said they scraped the details of 500 million users from another Meta platform, Instagram.
FAQ
What is Discord scraping?
Discord scraping is essentially extracting data from Discord, much like scraping any other platform. In this case, automated bots crawl through public servers, channels, or user profiles and grab whatever they can.
Since scraping can negatively impact users, overload servers, and expose service providers to legal liability, platforms such as Discord deem the technique a violation of their Terms of Service. Users and bots that engage in scraping are tracked down and banned.
Did Discord suffer a data breach?
It’s highly unlikely that the data offered by scraping services comes from a data breach. This looks more like malicious actors trying to cash in on repackaged data. The information most likely comes from public servers, meaning it doesn’t require unauthorized access to obtain.
In short, these services’ creators took readily available information and are trying to convince users to pay if they want it excluded from their databases. Another revenue stream comes from individuals who may want to harass specific users by accessing their text or voice messages.
Is Discord safe to use in 2025?
Yes, Discord is safe to use. However, users should approach the platform responsibly. It’s recommended to enable two-factor authentication (2FA) and adjust privacy settings to match preferences. Users on any platform should also be cautious about sharing personal information and remain selective about which servers they join.
What is Discord?
Discord is a massively popular messaging and social platform. Users can communicate via voice calls, video calls, text, and other media. Conversations can be private or take place in closed virtual communities, better known as servers.
The service is often used by gamers for voice chat during gameplay. According to Discord, it has over 200 million active users, with more than 90% of them playing games. However, in recent years, the platform has also attracted non-gamers.