Cybercriminals are doing big business in the gaming chat app Discord
Cybercriminals have set up shop on Discord, a popular chat application for gamers with more than 250 million active users. Hackers have modified many of the app's private groups to function like retail shops that sell illicit products, including stolen credit card numbers, cracked customer accounts for Delta Air Lines and Hilton Hotels, as well as malware that can be used to infect computer networks.
Discord, founded in 2012, does not have a home news feed like Facebook or Twitter. It is built around a network of private and semi-private groups, known as "servers," which are created by mostly anonymous users.
CBS News found more than three dozen groups that cybercriminals call "money servers" on Discord.
Hacked Hilton Honors accounts are often sold in rooms marked "#HH." Another popular commodity, cracked American Express accounts, are sold in rooms named "#4M3X" — computer-geek speak for "AMEX."
Dylan Rhodes, an independent musician from Philadelphia, noticed a series of small and unusual transactions on his American Express account earlier this year. "My commerce is primarily online and my AmEx is my business card. I was made aware that my account was hacked by a security researcher in my online community," he said. "The charges were for $1.00, but there was also a deduction of my AmEx points. This is not my first time having similar issues."
A security researcher noticed that Rhodes' data was being sold by hackers on Discord, and informed him that he was likely the victim of the "Info-Pull Method," a scam where cybercriminals target credit card accounts with weak passwords. Rather than use the stolen card, which would tip off credit card warning systems, cybercriminals use the loyalty points associated with the account to purchase account credits like gift cards, or items on sites like Amazon, Hulu and Delta.
The stolen credit card data often includes the cardholder's email address, password, phone number and home address. The security researcher who notified Rhodes found samples of credit card data posted by the hacker online and later provided CBS News with a portion of those samples.
The hackers often compile the breached accounts into large spreadsheets to resell it in bulk.
"AmEx has always been very helpful towards me," Rhodes said, "And I have every reason to believe they will resolve the issue. But I spent hours stressing about this."
A spokesperson for American Express told CBS News that, "we take the threat of cybercrime and the protection of our customers' personal data very seriously. We have industry-leading fraud protection technology and continuously monitor all accounts for fraudulent activity. American Express Card Members are not liable for any fraudulent charges on their credit cards."
Stolen cards, counterfeit cash and more for sale
"$45 for one card. Platinum, business," offered the hacker. "But all cards for $1k. How many u want?" A moment later the hacker uploaded a handful of screenshots and files to "ENIGMA," a Discord group buzzing with buyers and sellers trading stolen files. The documents were a sample of what the hacker claimed to be a massive database of stolen credit card accounts. "List is from last week," the hacker bragged. "Totally fresh."
With one of these accounts, a buyer could potentially make fraudulent purchases, export the account's loyalty points and establish other accounts in the victim's name.
On ENIGMA, like on many money servers, customers are sent an online address to make a payment in bitcoin — a hard-to-trace digital currency — to the address given.
In addition to selling stolen credit cards, the hacker who runs ENIGMA advertises a "doxing" service. The hacker charges $10 per victim and promises to publish the target's personal information — including the full name, Social Security number, home address and phone numbers — on a website called Pastebin.
Another illicit marketplace that appears to be thriving on Discord is Nightmare Market. Nightmare Market was a notorious shop on the dark web, a murky network of sites that can only be accessed through a special encrypted browser. It was taken down by federal agents in the spring of 2019 and now a new version has surfaced on Discord.
Among the most popular items for sale on Nightmare Market are loyalty points from American Express, Hilton and Delta accounts. In exchange for a few dollars paid in bitcoin, hackers provide compromised accounts that can be resold or drained of points to exchange for cash or other items like Amazon gift cards. The server administrator provides instructions for cashing out compromised accounts and how to hack accounts yourself.
"I have been doing these types of transfers for a long time back when Dream Market was here RIP," wrote the server administrator of Nightmare Market in a note pinned to the front of the group, lamenting the death of the dark web sites Dream Market and AlphaBay. "Now that I have been able to fund my Paypal back up I can now offer this service here to you!!"
A hacker in a server called "The Money House" offered to sell forged hundred dollar bills. "100 dollar bills $1000 for $400 (2006 version no blue stripe)," he wrote in a private chat with CBS News. "I can prepare sample, one twenty = $12 in order to cover shipping cost."
Through the course of a chat conversation, he explained that his primary business was servicing cybercriminal communities on the dark web and Discord. He claimed to have one employee, and said he kept a low profile and paid taxes to avoid being discovered. He only prints counterfeit money when the price of monero, a cryptocurrency known for being more anonymous than bitcoin, is high relative to the U.S. dollar. "I bought monero to buy ink at 100$ per coin but now it's 80$ per coin I can't afford it," he explained after uploading samples of forged bills.
When asked how Discord tackles cybercrime, a spokesperson said, "Discord has a zero-tolerance approach to illegal activity on our communications platform and we take immediate action, including content removal, banning users and shutting down servers when we become aware of it."
Account cracking tools for sale on Discord
Stolen accounts are often compromised by using a relatively new tool called OpenBullet, according to Ryan Jackson, the security researcher who discovered the hacking code being sold on Discord.
Released in May on Microsoft's GitHub code platform, OpenBullet was initially intended as a testing tool for security professionals. But it was quickly modified by hackers and proliferated rapidly because the code is relatively easy to configure and deploy.
Using OpenBullet to crack accounts, Jackson said, is "extremely illegal, but easy to do." OpenBullet automates a number of hacking tactics like credential stuffing and brute force attacks. Jackson said both of these techniques are common because they rely on weak and recycled passwords. "It still takes skill, but [OpenBullet] does the hard work," he said.
According to Jackson, a well-known hacker coded a configuration file that simplified the exploit process. "He sold his configuration file for only $10 on Discord, which allowed hackers to brute-force their way into accounts," Jackson explained. "The hacker only allowed Bitcoin payments for the config to ensure his personal safety."