Dark Web Discord: The Recruitment Pipeline Problem

Discord is not the dark web. It’s a mainstream voice and text platform built for gaming communities, with hundreds of millions of users who have never encountered anything resembling cybercrime on it. That’s exactly why treating it as just another leak channel, the same argument this blog made about Telegram, undersells what’s actually distinctive about it: Discord is where the FBI says a documented, loosely organized network of mostly young, English-speaking cybercriminals recruits and trains its members, before some of them go on to breach real companies.

That network has a name researchers and law enforcement use: the Com, short for the Community. This isn’t a fringe theory. It’s covered by the FBI, SANS Institute, and mainstream outlets including Fortune and CyberScoop, and it’s directly upstream of threat actors this blog has already covered, Scattered Spider chief among them.

What “the Com” actually is

The Com is not a single hacking group with leadership and a org chart. It’s better described as a cybercrime youth movement: a loosely affiliated, constantly shifting network of mostly teenage and twentysomething English-speaking participants, organized around shared platforms rather than shared membership. The FBI estimated its size at roughly 1,000 individuals as of a May 2024 warning delivered at the Sleuthcon cybercrime conference, according to SANS Institute’s coverage. Motivation runs on more than money: CyberScoop’s reporting on the network describes internet notoriety itself as a driving force for many participants, which is part of why members have historically bragged about intrusions in public or semi-public channels rather than staying quiet the way a purely profit-driven group would.

Several names security teams already track trace back to this same network. Scattered Spider is the most prominent, and this blog has covered its members directly, but LAPSUS$ and elements of ShinyHunters share the same origin. Different vendors have historically used different names for overlapping activity, Mandiant’s UNC3944, Microsoft’s Octo Tempest, and CrowdStrike’s Scattered Spider often describe the same or overlapping clusters, a naming confusion researchers themselves acknowledge, which is itself a sign of how hard this network is to pin down with traditional threat-actor profiling. What’s consistent across naming conventions is the corporate breach list: HubSpot, Twilio, DoorDash, Okta, Cloudflare, and Activision in 2022; MailChimp, Riot Games, Reddit, Coinbase, Clorox, MGM, and Caesars in 2023, as documented by SANS and corroborated on Wikipedia’s sourced entry. This blog’s own coverage of the 2025 Scattered Spider-linked retail wave, and the recent Lidl third-party incident sitting in the same broader pattern, both connect back to this same origin point.

One scope note, stated directly rather than glossed over: the Com, as documented by the FBI and researchers, includes factions linked to serious harm against minors, separate from the financially-motivated hacking activity this piece focuses on. That’s real and well-covered by mainstream press. It’s also not this blog’s subject matter, and this piece doesn’t detail how that activity works, only that its existence is part of why law enforcement treats this network with the urgency it does. What follows is scoped to the corporate-breach-relevant faction.

Why recruitment happens on Discord specifically

Running a ransomware operation or a SIM-swapping crew takes labor: people who can cold-call a corporate help desk convincingly, people willing to test stolen credentials, people who understand a target company’s internal terminology well enough to pass a verification check. The Com recruits that labor the same way any community recruits members: by meeting people where they already are.

That’s usually a gaming space. CrowdStrike’s Adam Meyers described the pattern to Fortune as starting with escalating pranks in games like Minecraft, stealing items or destroying other players’ builds, then progressing to account takeovers, then to targeting cryptocurrency holders. From there, recruitment moves into Discord servers, where it looks less like grooming and more like a job posting: a December 2025 Telegram recruitment ad reviewed by Fortune offered $300 per “successful call,” explicitly welcomed inexperienced applicants, and specified availability hours, structured almost exactly like a legitimate gig-work listing. Discord and Telegram both show up as the actual coordination venues once someone responds.

This is the part that should change how a security team thinks about Discord monitoring. Scanning for your company’s name or leaked credentials treats Discord like a smaller Telegram. But the recruitment conversations that eventually produce the person who calls your help desk pretending to be an employee happen before there’s any company-specific signal to search for at all. By the time a Discord mention involves your organization by name, the recruitment and training phase is already finished.

The vishing connection

Scattered Spider’s most consistent technique, impersonating an employee to a help desk to trigger a password or MFA reset, is a skill that gets practiced and refined inside these same community spaces before it’s ever used against a real target. Silent Push’s tracking, reported by Fortune, found the group pivoted back to social-engineering-led ransomware operations as its core method since March 2025, not because the technique is novel, but because it’s cheap to run and hard to fully train a help desk against.

That’s precisely why this connects to more than dark web monitoring. A credential reset triggered by a convincing phone call doesn’t show up as a data leak anywhere; it shows up as an access log that looks legitimate. استخبارات بيانات الاعتماد من سايبل آنجل and remediation workflow exist for the part of this chain that does leave a trace, the credentials and session tokens these groups buy or steal to make an impersonation attempt convincing in the first place, which is the same reasoning covered in this blog’s Telegram piece and the Dark Web Monitoring buyer’s checklist.

What CybelAngel actually monitors on Discord

Discord is one of the sources covered under CybelAngel’s Dark Web Monitoring module, alongside Telegram, IRC, WhatsApp, TOR, and I2P, scanning 10M+ new dark web posts and 600,000+ new discussions across instant-messaging platforms every month. As with Telegram, automated scanning has a real limit here: a meaningful share of Com-adjacent activity happens in closed, invite-only, or vetted servers that a scanner can’t join on its own. That’s the same gap CybelAngel’s REACT analysts are built to close, actively joining new Discord servers and closed communities as they emerge, rather than waiting for something public to crawl.

What to actually do with this

Treat vishing resistance as a training priority, not a footnote. If your help desk’s identity verification process can be defeated by someone who sounds confident and knows an employee’s name and department, that gap existed before Discord entered the picture and it’s the actual attack surface here, not the platform itself.

Extend brand and executive monitoring past your own name. Recruitment and coordination happen without ever mentioning your company. Coverage that only triggers on your organization’s name misses the entire phase that produces the person eventually calling your help desk. This is the same logic behind CybelAngel’s Brand Protection coverage for executives, watching for early circulation of information before it’s targeted at anyone specific.

Don’t treat “the attacker is young” as reassuring. The corporate breach list above, Caesars, MGM, Coinbase, Cloudflare, includes some of the most consequential breaches of the past three years. Age has had no bearing on capability or damage: U.S. prosecutors charged a 19-year-old, Thalha Jubair, in September 2025 with orchestrating more than 120 ransomware and extortion attacks that brought in over $115 million from 47 organizations, including federal court networks.

أسئلة شائعة

No. Discord is a mainstream, publicly available platform with no Tor requirement, used by hundreds of millions of people for entirely ordinary reasons. What’s distinctive is that a documented cybercrime network, the Com, uses Discord alongside gaming platforms and Telegram as a recruitment and coordination space, separate from the dark web’s forums and marketplaces.

The Com, short for the Community, is a loosely organized, mostly young, English-speaking cybercrime network that the FBI has tracked since at least 2024. It’s the documented origin point for threat actors including Scattered Spider and elements of LAPSUS$ and ShinyHunters, responsible for breaches at companies including MGM, Caesars, Coinbase, and Cloudflare.

Security researchers and law enforcement generally describe Scattered Spider as having emerged from the Com, though vendors disagree on exact naming and overlap, tracking the same or related activity as UNC3944, Octo Tempest, and Muddled Libra depending on the source. The disagreement itself reflects how hard this loosely organized network is to map with traditional named-threat-actor profiling.

Publicly reported cases describe a pattern starting in gaming communities, escalating pranks and account takeovers, followed by direct recruitment posts on Discord and Telegram offering paid work, sometimes framed explicitly as a job, for tasks like vishing calls against corporate help desks. This piece doesn’t detail the recruitment or grooming mechanics themselves, since that level of detail serves attackers more than defenders.

t helps with part of the problem, specifically catching credentials, access tokens, or company mentions that surface there before they’re used. It doesn’t substitute for hardening the actual technique this network relies on most, help-desk social engineering, which needs to be addressed through verification process changes and training, not just monitoring.

عن المؤلف