Discord OSINT Redux (with Spy.pet)
(Originally written on August 4th, 2024 here)
After completing some personal studies and thinking this over, I finally decided to write up everything I had with Discord OSINT. This will be more of a continuation of my previous article but with revised and newly added concepts. If you did not read my past article, you can find it here (Some of the screenshots have outdated UI):
For a quick recap, here is what a potential Discord OSINT campaign would look like:
1. You identify your person of interest (POI) or discover what community servers they are in based on their interests
This potential chicken-or-the-egg situation comes into play if you only know the username and then try to find the person in public servers **OR** you have already built out accounts that are in many public servers, discover the POI through them, and then continue the investigation.
2. Review chat history
Using the search operators within the Discord search would be highly beneficial. You can quickly find any links, images, or messages based on keywords. Below are some examples of how powerful searching chat history can be:
3. Review linked accounts
Another effective strategy for finding personal information. In some cases, you can move from an online alias all the way to a full legal name.
4. Review Mutual Servers
This ties back to point 1, but this should be based on what information you can glean. You can make inferences / assumptions on the POI based on what servers they are in. With this, chat history and other items should be used to confirm these.
5. Use the information gathered as leverage for further investigation outside of Discord once it is exhausted.
I would say that, in Discord’s current state, information gathered is supplemental to other sources. The amount of effort and investment needed to perform effective OSINT is not worth the ROI. More on that later.
These are the big ticket items IMO. Here are some other things to consider based on some articles on what to look for:
- Search for Discord servers
  - Using the built-in search function
  - Through other sites like DiscordBee and many others
  - Through Google dorks
- Identify users of importance (admins / moderators)
Then, to better illustrate what I am talking about with mutual servers, I have another example. I am going to move away from training platforms as best I can. Consider the case study below:
There is a common theme here: more focus on web application security. Here are the notes we can make on the servers individually:
- Caido: A new web proxy that is rivalling Burp Suite and ZAP. Built in Rust.
- PentesterLabs: Web application pentesting training platform. Has things relating to OWASP top 10 all the way to code review.
- JHaddix Discord: Home to JHaddix, a person big within bug bounty hunting. The server hosts The Bug Hunter’s Methodology Live Course
With this we can make these assumptions / inferences on our POI:
- Heavy focus on web application security
- Most likely an experienced professional
  - Based on being in the Caido server, a very niche tool that only an experienced practitioner would have heard of
- Potentially a bug bounty hunter based on JHaddix Discord
The key here is that we can make these assumptions based on how niche / specific the Discord servers are. It was somewhat hard to illustrate in my previous article due to it all being training platforms but it still applies.
There are a couple of servers that are very specific, for example Caido. This is a very niche web security tool that is built in Rust. Not a lot of people would know of it unless they are within the web application security space. This is where the reason why someone joins comes into play: their intentions, experience, etc. Most network pentesters I know hate web, so it further points to this POI being within the web application security sphere.
This does not have to be applied to cybersecurity itself. This can be further expanded to other communities and even locations. (Using the same picture in my last article)
BSides are probably not the best representation of finding POIs based on location since people travel to them.
Some other servers that are good examples of being niche and specific that come to mind:
- BreakDev Red: This is an invite-only server. What makes it better is that there are requirements to join the server (which makes it more specific / niche). In order to join, you have to be a working professional within the offensive security space.
- Caido: For the reasons described above. (I promise I’ll stop harping about Caido)
To wrap up using mutual servers as an OSINT technique: look for servers that are specific, niche, and have requirements. Then, make inferences and assumptions about the POI based on them. Confirm these through chat logs and other sources.
The Big Question
Alright, if you know about the Discord server limit you might be asking:
What would this look like at scale?
That is a great question, and that is why it took me another year to post about this again.
If you want to have effective OSINT in Discord, you will need to scale it and automate with bots. HOWEVER, there are A LOT of problems that come with this. They are:
- Discord TOS
  - It is against the TOS to create bots through real accounts, AKA self-bots / self-botting
  - We cannot use the actual Discord bots since when they join a server, their permissions have to be manually reviewed and added. Plus, trying to convince people to add your suspicious bot is a lot harder than just making a simple account and joining that way
- Infrastructure Setup
  - You need to build infrastructure and a fully functional tool (or basically a C2C) to pull this off
- Discord Servers
  - Do you actually know how many servers there are? Me neither. You would have to develop a plan of attack for which public servers to join before you have too many to handle. Plus, there might be useless noise that would not aid the OSINT campaign.
- There is math involved.
- The methods for OSINT are manually intensive.
- Finally, you have to be insane to pull this off.
With all this in mind, I tried to think of ways I would approach this (hypothetically of course) until what I envisioned came true.
Enter Spy.pet
Exactly 4 days after I had talked publicly about Discord OSINT, Spy.pet was first publicized. Not only that, but it had been publicly operational all the way back to the end of October 2023.
Since I had a feeling that it would be available for a short time, I decided to waste an undisclosed amount of money to see what capabilities Spy.pet had.
Protip: If you try to buy Solana multiple times within a 5-minute time window, your bank will be very upset with you.
After having fun with stalking my friends, I mostly used it to target myself to see what would be there. To my surprise, it worked better than expected.
- General overview of Discord server (such as HackTheBox) and stats on total members and uptime
- Can view HTB’s server bans as well
- Then you can go into further detail on a specific user on what servers they joined and got banned from
- Made great use of displaying servers that a POI (me) was in.
- Chat history was interesting, my message (red) I sent within HackTheBox was actually deleted within a minute since I posted it in the wrong channel. (One of the main features advertised for Spy.pet)
- The green chat history is blank but that was when I joined Cyber Info
- A really interesting feature was that Spy.pet was able to track if a user left a server
- Another thing that I found interesting was that it was able to show a POI’s nicknames for various servers AND show where the nickname was found.
  - For some context here, HackTheBox has a Discord bot that links your HTB profile to your Discord account to be able to add appropriate roles tied to your rank
For those that are wondering what a full profile would look like within Spy.pet without all the cropping, here is an example from the website below (with blurs added):
I also tried out the export function to see what it would be like. Below are the related screenshots:
- Got the CSV file from the download, matched the messages within Discord
- I even downloaded my own chat messages. You could specify if you either wanted a server’s chat history or a user’s chat history.
Once I got all the screenshots I wanted, I stopped and wanted to see how long it would take for the site to go down. I did not have to wait long: Discord shut this operation down and within a week the site was gone. The site owner was feeling the heat for the last couple of days: the services were being targeted as well as being DDoSed (though that was happening before it became public), and the bot accounts in use were also being deleted.
I was hoping to use Spy.pet against itself to try and identify the bot accounts but soon realized there wasn’t much time left for Spy.pet and it would have been similar to finding a needle in a haystack.
Lessons Learned
Looking at the aftermath of Spy.pet, there were a few things that stood out to me that should be considered by anyone who is crazy enough to want to pull this off.
- HOW MANY TIMES DO PEOPLE HAVE TO LEARN ABOUT OPSEC? IF YOU WERE PLANNING ON DOING SOMETHING ILLEGAL, YOU WOULD THINK YOU WOULD PLAN SOMETHING OUT TO MAKE IT HARD FOR PEOPLE TO TRACK YOU. (This is in reference to how No Text to Speech’s community totally mapped out the internet footprint of the site owner, unknownsrc, through OSINT. Picture below)
2. Maybe not make it public and/or market it publicly?
- This site was not really discussed up until April. Spy.pet was operating for over 5 months before serious action was taken. If the site was not publicized it might have operated even longer
3. GDPR Violations
- Not only did Spy.pet violate Discord TOS, but since it was marketed as a Data Broker of chat logs for “federal agents” and “AI researchers” it was also in violation of GDPR (and it got really dangerous with the potential of minors’ chat messages being logged and stored)
4. Wayback Machine
- This may seem like someone was trying to find a quick buck through scraping chat logs and selling them to whoever was interested. But Spy.pet wasn’t made for that initially. The site owner actually made it to bully people from LGBTQ and political servers. The main function of Spy.pet was that it would be able to log messages even after they were deleted. Realizing it was a bad look and that they could make more money from it, they changed their About Spy.pet page. Pictured below is before and after:
My Approach (Hypothetically)
Before adding my two cents, let’s look at what Spy.pet did well technically:
- Servers
  - It was able to track what servers people were in, even after they left
- Infrastructure
  - The service seemed to work very well (until it wasn’t)
- Viewing Discord users
  - This was what I envisioned. Being able to view a user and see what servers they are a part of. Other features that were available were a bonus but something I would add in after seeing how Spy.pet did it in hindsight
As for things I wouldn’t do, the amount of tracking for emojis seems wasteful. I also WOULD NOT store recorded chat messages since this operation is already in a legal “gray” area anyway. I feel that is more of the responsibility of whoever is looking for the POI, either manually looking through the messages or having a feature that you selectively use to get the messages anyway. There are plenty of GitHub tools like that.
With that, here are some extra things I would do IF I was going to approach this.
First, the number of Discord servers is immense, totaling about 19 million. 90% of those servers have fewer than 15 people in them. But having regular accounts trying to join 10% of those (1.9 million servers) is a problem, about a 19,000-account problem. Reducing this by 50% to 950,000 will help but we would still need to have about 9,500 accounts to perform OSINT. Keep in mind these are free accounts. If we used Nitro and raised the server limit to 200, it would be about 4,750 accounts but those would cost $47,500 monthly.
To cover the 950,000, we will have to evaluate this approach. With some psychology knowledge such as Dunbar’s number, Discord servers that have about 250–300+ people should be targeted. I suggest this because if Discord admins and moderators are monitoring who is joining, they will probably notice our bot accounts joining if there are only 50 people within the server. But if there are more than they can remember (such as 150), it will be a lot harder for them to detect our bot accounts.
Then, to have a more visual representation of the Discord servers that should be targeted, below is a *nicely* made bell curve to highlight what servers should be joined. Keep in mind the statistic that 90% of servers only have 15 people, so the population of Discord is skewed. The most popular Discord server is Midjourney with 16,000,000 members as of 2023 (now 20,000,000 as of April 2024).
The other big thing to consider is actually building the infrastructure / tool to perform OSINT. The main things that I would add would be a tagging system to categorize servers, a check system to check invite links that have been collected and see if our accounts have been removed, and a “query” system to query information and perform searches within Discord. There are other ideas for what I would add (hypothetically) but that will be provided within my slides below.
There are also social engineering considerations that I brought up in my last article. To keep it brief, you can potentially become friends with the identified mods and admins as well as purchase Server Boosts so that you do not get kicked out of the server. Boosting the server will grant extra perks for the server, however this will also cost $5 monthly.
Biases
Ok, there are a couple of things to keep in mind when considering all of this. There are probably a lot of confirmation biases, and here is what they are:
- Cybersecurity: In its current state, OSINT works well against people that work within tech and use the internet a lot. I am not expecting an accountant to be within a lot of financial Discord servers.
- Discord users: OSINT is not really effective against people that don’t use Discord, which ties in the type of Discord users below
- Discord user types:
  - Lurker: Only a part of a few servers, mostly inactive
  - Specialist: Only joins servers that they are interested in, mainly for a specific purpose
  - Collector: Joins any server that they are interested in
TLDR: Discord OSINT could only really apply to certain Discord users, which are users that actually use Discord fully.
Misc stuff
One thing I found during my research was message circumvention. Here are the two methods.
1. Search for the user to get the “real” username, no messages are found so type the username in a new message, click on the profile from the message, then look at the mutual servers.
2. Search for the user, click on the profile from the message found, then look at mutual servers.
As far as I know, this does not alert the user that you are messaging (unless you send a message).
Then for joining servers, only click on invite links through a browser. If you click on an invite link through Discord (through an authenticated session) you will pseudo-join. So if OPSEC is of concern then do it through a browser. This is also helpful if you are trying to figure out how large the Discord server is before adding it to the OSINT campaign.
Conclusion
Before closing out, I need to bring up dis.cool. When performing research on Spy.pet, there was a similar service that came out during 2020 which was dis.cool. There was another unconfirmed tool in 2021, discord.illicit.services, but it was never publicly released.
With this in mind, it is possible that these data brokers have existed since 2020. There are probably even more Spy.pets in the wild that are not publicly known. If there are any public Discord servers you are a part of, it is safe to assume that your chat messages are being farmed. If you are someone that is worried about this potential and want to protect yourself, here are some tips that I mentioned in my other article:
- Linked accounts: I would just avoid doing this unless you really want someone to get a leg up on you.
- Chat messages: Like the old saying goes, everything on the internet stays forever. Be wary of what you post, **especially** private information.
- Discord user level: Some settings that you can turn on that might help are disallowing direct messages from server members / message requests from server members you may not know.
- Discord server level: Probably the most important aspect in protecting yourself from this is enabling the highest verification level. This makes it so only Discord accounts with a verified phone number can join. Also, disabling the members channel list could help against those doing manual OSINT.
With that, I hope that this post was at least interesting. I have to give a few shoutouts to 1) Brendan for letting me know that doing this at scale was incredibly difficult and not impossible before knowing about Spy.pet, 2) No Text To Speech for posting a very helpful video on the topic, and 3) Anthony Garced for posting information on dis.cool during my research.
For a video on Spy.pet, I highly recommend No Text to Speech’s video. I used this video for some of the screenshots within this article:
Below are my slides for my presentation on the topic as well as all of my sources for this, enjoy: