[–]Drewski[S] 3 insightful - 1 fun (0 children)

An online service is scraping Discord servers en masse, archiving and tracking users’ messages and activity across servers including what voice channels they join, and then selling access to that data for as little as $5. Called Spy Pet, the service’s creator says it scrapes more than ten thousand Discord servers, and besides selling access to anyone with cryptocurrency, is also offering the data for training AI models or to assist law enforcement agencies, according to its website.

The news is not only a brazen abuse of Discord’s platform, but also highlights that Discord messages may be more susceptible to monitoring than ordinary users assume. Typically, a Discord user’s activity is spread across disparate servers, with no one entity, except Discord itself, able to see what messages someone has sent across the platform more broadly. With Spy Pet, third parties including stalkers or potentially police can look up specific users and see what messages they’ve posted on various servers at once.

“Have you ever wondered where your friend hangs out on Discord? Tired of basic search tools like Discord.id? Look no further!” Spy Pet’s website reads. It claims to be tracking more than 14,000 servers, 600 million users, and includes a database of more than 3 billion messages.

404 Media was unable to verify whether those figures are accurate, but did confirm the service is scraping messages from Discord servers and is making them and other user data available to paying customers. The service requires a minimum payment of around $5 in cryptocurrency, such as Bitcoin, Ethereum, or Monero. For that, customers are given 500 Spy Pet credits. An individual user lookup appears to cost 10 credits (10 cents), in 404 Media’s own tests. The creator told 404 Media in an email that the service has around 100 paying accounts, stretching between those with $5 of credits, up to $500.

After searching for a user, a page displays the servers they are a part of that Spy Pet has visibility into; any connected accounts such as their GitHub; a table containing their most recent messages (including the server name, a timestamp, and the message content itself); and a log of when they joined or left specific voice channels in a server. Users can also export a target’s chats into a .CSV file, according to our tests.

A screenshot of the tool. Redactions by 404 Media.

404 Media verified the messages are accurate by searching for a user on Spy Pet, viewing their messages on the service, then entering the Discord server they came from and finding the respective message there. 404 Media did this for multiple Discord users across multiple servers.

The list of impacted servers is dizzying. One Discord user 404 Media examined with Spy Pet’s tool showed they were a member of Minecraft themed servers, an Among Us fan server, and the official Runescape server. Another was a member of multiple cryptocurrency related servers. On a section of the website listing different servers, a total of more than 86,000 servers are included. Spy Pet does not appear to be actively collecting from many of those though, with a message reading “We have no bots in this server, so we aren't tracking it, but we know it exists.” The creator told 404 Media that the chances Spy Pet starts tracking these servers is “pretty low, though.” The service did fail to return data on some specific users that 404 Media looked up, meaning they likely weren’t in a server that Spy Pet had scraped.

There is no indication that Spy Pet has obtained private messages sent between individual Discord users. It appears Spy Pet is scraping channels inside Discord servers and then making those messages available to customers.

“I like scraping, archiving, and challenging myself,” the creator told 404 Media. “Discord is basically the holy grail of scraping, since Discord is trying absolutely anything to combat scraping.”

Channel messages sit in an unusual space when it comes to privacy. They are not direct messages, but they are not public in the same way a Twitter feed might be. Discord users may not expect that a bot can enter a server they frequent, download messages available to it, and then radically change the distribution of those messages by selling them to people who may not even be inside the server itself.

A comparable example is when a researcher publicly released a dataset in 2016 related to nearly 70,000 users of the dating site OkCupid, including their sexual turn-ons, sexual orientation, and more. That data was semi-public, as it was available to other OkCupid users but required a viewer to log into the site itself. Releasing it outside of OkCupid made it available to anyone. OkCupid filed a DMCA request against an upload of the data.

The site also advertises sale of its scraped data for other purposes. “Interested in training an AI model with Discord messages? Are you a group of federal agents looking for a new source of intel? Or maybe something else? We've got you covered. Contact us and let us know how we can help,” the website reads. Law enforcement would typically need to provide Discord with a legal order to obtain a user’s messages.

The creator told 404 Media that the intended use case for Spy Pet is similar to how Dutch police previously used a tool for Telegram that allowed them to track a cybercriminal across multiple chats at once. They also said intended customers could be people “interested in what their friends are up to” and people who engage in open source intelligence, or OSINT.

A Discord spokesperson said the company is currently investigating Spy Pet. “Discord is committed to protecting the privacy and data of our users. We are currently investigating this matter. If we determine that violations of our Terms of Service and Community Guidelines have occurred, we will take appropriate steps to enforce our policies. We cannot provide further comments as this is an ongoing investigation,” they said. As of Tuesday, the Spy Pet creator said they had not received any communications or legal threats from Discord itself.

While Spy Pet fundamentally changes the privacy of Discord’s users, with the service shifting their activity from a decentralized model to one where it can be viewed all at once, Spy Pet suggests it takes the privacy of its own users more seriously. “We prioritize your privacy as a user searcher. Your searches are secure and confidential,” the website reads.

At the bottom of the site, a button indicates people can “request removal.” After clicking that, a clip from Spiderman 2 (2004), in which J. Jonah Jameson laughs at Peter Parker, automatically plays.

“You’re serious?” Jameson says.